[Freeipa-devel] [Update]Time-Based Account Policies

Ludwig Krispenz lkrispen at redhat.com
Mon Nov 16 11:02:57 UTC 2015


On 11/16/2015 10:32 AM, Martin Kosek wrote:
> On 11/13/2015 04:40 PM, Simo Sorce wrote:
>> On 13/11/15 10:17, Martin Basti wrote:
> ...
>>>> And in general I am opposed to have a separate object on performance
>>>> grounds (for clients) and also on the fact that is becomes tricky to
>>>> keep objects in sync.
>>> What exactly is the performance issue there? To download extra entry
>>> from LDAP?
>>
>> Yes because now you have to download rules, parse them, find out what 
>> needs to
>> be downloaded and pull it, or worse just download all time rules
>
> Just for the record, you should be able to pull that in one LDAP 
> search, when you cast dereference on the HBAC time linking attribute 
> and pull the settings from time object also.
but then you will have the corresponding internal searches, and the use 
of the deref control is not always efficient.

If you want to define general rules like "brno" or "rest of the world" 
to reuse rules, why not use CoS and define virtual attributes in the 
entry, which would be populated by CoS. The client would have to read 
only one entry; the CoS allows flexibility to assign rules to entries.
>
> This is what SSSD does with user search AFAIK, though I am not sure 
> you can do it in non-base search returning multiple results.
>
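The CoS approach suggested in this reply, written out as an added illustration rather than anything from the thread or from FreeIPA itself: a 389-ds classic CoS definition plus two templates, so that an HBAC rule carrying a single pointer attribute gets the time settings back as a virtual attribute in one base search. The attribute names `hbacTimePolicy` and `accessTime`, and the suffix `dc=example,dc=com`, are assumptions made for the example.

```ldif
# Classic CoS definition (389-ds). cosSpecifier names the attribute on the
# target entry whose value selects a template; cosAttribute names the
# virtual attribute that the server generates from that template.
# "override" makes the CoS value win even if the entry stores its own.
dn: cn=hbacTimeCos,cn=hbac,dc=example,dc=com
objectClass: top
objectClass: ldapSubEntry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
cn: hbacTimeCos
cosTemplateDn: cn=hbacTimeTemplates,cn=hbac,dc=example,dc=com
cosSpecifier: hbacTimePolicy
cosAttribute: accessTime override

# Container for the reusable time templates (assumed DN).
dn: cn=hbacTimeTemplates,cn=hbac,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: hbacTimeTemplates

# Template "brno": for classic CoS the template RDN must equal the value
# of the cosSpecifier attribute on the target entry. The accessTime values
# are constructed sample data in a hypothetical time-rule syntax.
dn: cn=brno,cn=hbacTimeTemplates,cn=hbac,dc=example,dc=com
objectClass: top
objectClass: extensibleObject
objectClass: cosTemplate
cn: brno
accessTime: periodic weekly Mon-Fri 0800-1800 Europe/Prague

# Template "rest-of-the-world": a second reusable rule.
dn: cn=rest-of-the-world,cn=hbacTimeTemplates,cn=hbac,dc=example,dc=com
objectClass: top
objectClass: extensibleObject
objectClass: cosTemplate
cn: rest-of-the-world
accessTime: periodic daily 0000-2359 UTC

# An HBAC rule only stores the pointer. A base-scope read of this entry
# returns accessTime as a server-generated virtual attribute, so the client
# needs neither a second search nor the dereference control.
dn: ipaUniqueID=11111111-2222-3333-4444-555555555555,cn=hbac,dc=example,dc=com
changetype: modify
add: hbacTimePolicy
hbacTimePolicy: brno
```

Changing the template entry updates every rule that points at it, which is the "keep objects in sync" concern handled on the server side instead of by the client.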