[Freeipa-devel] [Update]Time-Based Account Policies
Alexander Bokovoy
abokovoy at redhat.com
Mon Nov 16 11:37:02 UTC 2015
On Mon, 16 Nov 2015, Ludwig Krispenz wrote:
>
>On 11/16/2015 10:32 AM, Martin Kosek wrote:
>>On 11/13/2015 04:40 PM, Simo Sorce wrote:
>>>On 13/11/15 10:17, Martin Basti wrote:
>>...
>>>>>And in general I am opposed to have a separate object on performance
>>>>>grounds (for clients) and also on the fact that it becomes tricky to
>>>>>keep objects in sync.
>>>>What exactly is the performance issue there? To download extra entry
>>>>from LDAP?
>>>
>>>Yes because now you have to download rules, parse them, find out
>>>what needs to
>>>be downloaded and pull it, or worse just download all time rules
>>
>>Just for the record, you should be able to pull that in one LDAP
>>search, when you cast dereference on the HBAC time linking attribute
>>and pull the settings from time object also.
>but then you will have the corresponding internal searches, and the
>use of the deref control is not always efficient.
>
>If you want to define general rules like "brno" or "rest of the world"
>to reuse rules, why not use CoS and define virtual attributes in the
>entry, which would be populated by CoS. The client would have to read
>only one entry, the CoS allows flexibility to assign rules to entries.
I agree. To me CoS seems to be a better solution even though it means we
would need to develop dynamically managed CoS rules beyond what we have
right now in the password policies.
--
/ Alexander Bokovoy
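
The CoS approach suggested in this thread could look like the following classic CoS layout in 389 Directory Server. This is an added illustration, not part of the original message and not FreeIPA's schema or design. All DNs, the `exampleTimeRuleName` and `exampleTimeRule` attributes, and the rule value syntax are hypothetical; the attributes would need a schema definition.

```ldif
# Added example. DNs, exampleTimeRule* attributes and values are hypothetical.

# CoS definition: covers entries below cn=rules,dc=example,dc=com.
# cosSpecifier names the attribute whose value on the target entry selects
# a template by RDN; cosAttribute is the virtual attribute that is generated.
dn: cn=timeRuleCoS,cn=rules,dc=example,dc=com
objectClass: top
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
cn: timeRuleCoS
cosTemplateDn: cn=timeTemplates,dc=example,dc=com
cosSpecifier: exampleTimeRuleName
cosAttribute: exampleTimeRule

# Container for the reusable, named time rules.
dn: cn=timeTemplates,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: timeTemplates

# Reusable rule "brno" (constructed value, syntax is a placeholder).
dn: cn=brno,cn=timeTemplates,dc=example,dc=com
objectClass: top
objectClass: extensibleObject
objectClass: cosTemplate
cn: brno
exampleTimeRule: Mon-Fri 08:00-18:00 Europe/Prague

# Reusable rule "rest of the world" (constructed value).
dn: cn=rest of the world,cn=timeTemplates,dc=example,dc=com
objectClass: top
objectClass: extensibleObject
objectClass: cosTemplate
cn: rest of the world
exampleTimeRule: Mon-Sun 00:00-24:00 UTC

# Target entry: stores only the rule name. A search on this one entry
# returns exampleTimeRule as a virtual attribute taken from the "brno"
# template, so the client needs no second lookup and no deref control.
dn: cn=allow_office,cn=rules,dc=example,dc=com
objectClass: top
objectClass: nsContainer
objectClass: extensibleObject
cn: allow_office
exampleTimeRuleName: brno
```

Changing the value in a template changes what every entry that names it returns, which is the reuse that a separate linked time object would otherwise provide.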