[Freeipa-devel] [Update]Time-Based Account Policies

Petr Spacek pspacek at redhat.com
Thu Nov 5 17:17:53 UTC 2015


On 4.11.2015 15:20, Martin Basti wrote:
> 
> 
> On 04.11.2015 13:46, Stanislav Laznicka wrote:
>> Hi,
>>
>> The fixed patches to Martin^2's and Jakub's reviews are almost ready; there
>> are just a few things left. Martin B. mentioned in his review that '~' might
>> not be the best delimiter for range values in the HBAC time policies
>> language, as it is not commonly used for that purpose. I started using it
>> when the negative values were introduced (instead of '-').
>>
>> The question here is, then, which delimiter would you rather use for ranges?
>> Some choices are ':', '..', and, obviously, '~', but you are free to come up
>> with your own. The delimiters '-' and ',' are not suitable as their use is
>> different here. However small this might seem to be, let's be rigorous here
>> and design it properly.
>>
>> Also, with some time, I got uncertain about one thing with the 'repeat'
>> keyword. What behaviour would you expect when 'repeat' is on yearly
>> repetition and 'dayofweek' is the only other thing set? RFC5545 (iCal) says:
>> "
>> Information, not contained in the rule, necessary to determine the
>> various recurrence instance start time and dates are derived from
>> the Start Time ("DTSTART") component attribute.  For example,
>> "FREQ=YEARLY;BYMONTH=1" doesn't specify a specific day within the
>> month or a time.  This information would be the same as what is
>> specified for "DTSTART".
>> "
>> and also in an example
>>
>> "... if the BYMINUTE, BYHOUR, BYDAY,
>>  BYMONTHDAY, or BYMONTH rule part were missing, the appropriate
>>  minute, hour, day, or month would have been retrieved from the
>>  "DTSTART" property.",
>>
>> but an example with BYDAY alone set with a day of week without a numerical
>> specifier is missing, so it is not clear if this would apply to all specified
>> weekdays of a certain month or of the whole year. Currently, I am using only
>> the month's weekdays.
>>
>> -- 
>> Standa Láznička
> 
> Hello,
> 
> we (Standa and I) had an offline discussion and I proposed the following idea:
> 
> 1) create a new entry in LDAP for "time rule" instead of adding the time rule
> string directly into HBACRule.
> This will allow reusing time rules among various HBAC Rules (and maybe in
> future with sudo rules, etc.)
> HBACrule gets only a reference to the time rule entry stored in the LDAP db.

Good idea! I can see time rule entry 'working hours in Brno office' which is
linked to relevant HBAC rules.


> 2) Do not create a new time format, just reuse iCal (the parts of iCal we need)
> to store the time rule in LDAP in the "time rule" entry.
> (Or, if it is possible to not store the values just as one string, we can use
> different attributes to store separate values; iCal can be used as the export and
> import format.)

I very much agree with re-using iCal! We have a sufficient number of custom
parsers already ;-)

Speaking about a custom LDAP format, I do not think that it is a good idea. It
would prevent us from using iCal parsers and generators, and we would risk that
our custom LDAP format will not be flexible enough.

For these reasons I would go with one iCal string which can be fed into any
standard-compliant iCal library.


> 3) We may provide a nice CLI and web UI to construct/show the "time rule"; this may
> be more user friendly than just passing the string containing time data to the
> HBAC rule.

This is going to be the same as in any calendaring system. Just look at the
Thunderbird "New Event" dialog.

-- 
Petr^2 Spacek
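As an added illustration of the design discussed in this thread (not code from the thread or from FreeIPA), the following evaluator treats a stored iCal DTSTART, DURATION and RRULE as an HBAC time policy and answers "is access allowed at time T?", with rule parts that are absent taken from DTSTART as RFC 5545 describes. It assumes INTERVAL=1, unnumbered BYDAY values, naive local times, and, for the YEARLY-with-BYDAY-only case the thread leaves open, the reading Standa currently uses (only DTSTART's month); the rule strings and timestamps below are constructed sample data.

```python
from datetime import datetime, timedelta

WEEKDAYS = ["MO", "TU", "WE", "TH", "FR", "SA", "SU"]  # datetime.weekday() order


def parse_rrule(text):
    """Parse 'FREQ=WEEKLY;BYDAY=MO,TU' into {'FREQ': ['WEEKLY'], 'BYDAY': ['MO', 'TU']}."""
    return {k: v.split(",") for k, v in (part.split("=", 1) for part in text.split(";"))}


def instance_starts_on(day, rule, dtstart):
    """Does the rule produce a recurrence instance on calendar day `day`?
    Parts missing from the rule are derived from DTSTART (RFC 5545, 3.3.10)."""
    freq = rule["FREQ"][0]
    if "BYMONTH" in rule:
        month_ok = str(day.month) in rule["BYMONTH"]
    elif freq == "YEARLY":
        month_ok = day.month == dtstart.month  # assumption: DTSTART's month only
    else:
        month_ok = True
    if "BYDAY" in rule:
        day_ok = WEEKDAYS[day.weekday()] in rule["BYDAY"]
    elif freq == "WEEKLY":
        day_ok = day.weekday() == dtstart.weekday()
    elif freq in ("MONTHLY", "YEARLY"):
        day_ok = day.day == dtstart.day
    else:  # DAILY
        day_ok = True
    return month_ok and day_ok


def allowed_at(when, dtstart, duration, rule):
    """HBAC-style check: is `when` inside some window [start, start + duration)?"""
    hours = [int(h) for h in rule.get("BYHOUR", [dtstart.hour])]
    minutes = [int(m) for m in rule.get("BYMINUTE", [dtstart.minute])]
    day = (when - duration).date()  # earliest day whose window can still cover `when`
    while day <= when.date():
        if instance_starts_on(day, rule, dtstart):
            for h in hours:
                for m in minutes:
                    start = datetime(day.year, day.month, day.day, h, m, dtstart.second)
                    if dtstart <= start <= when < start + duration:
                        return True
        day += timedelta(days=1)
    return False


# Constructed "working hours in Brno office": weekdays 08:00-17:00 from Mon 2015-11-02.
BRNO_OFFICE = parse_rrule("FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR")
BRNO_DTSTART = datetime(2015, 11, 2, 8, 0)
BRNO_DURATION = timedelta(hours=9)
```

`allowed_at(datetime(2015, 11, 4, 10, 30), BRNO_DTSTART, BRNO_DURATION, BRNO_OFFICE)` is true for a Wednesday morning, while the same time on Saturday 2015-11-07, or 17:00 on the Wednesday (the window end is exclusive), is denied.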
