[Freeipa-devel] [DESIGN] Time-Based HBAC Policies
Petr Spacek
pspacek at redhat.com
Tue May 17 10:40:46 UTC 2016
On 13.5.2016 13:50, Stanislav Laznicka wrote:
> Hello list,
>
> We had a discussion today over integrating the Time Rules into the CLI and
> WebUI and a problem came up with the current solution. It seems that
> while having templating handled by CoSTemplates might be nice in terms of easy
> dereferencing on SSSD side (it's handled by the DS itself), it's not really
> much possible to pick one string from the multi-valued accesstime attribute of
> HBAC Rule object and modify it.
Could you be more specific?
AFAIK LDAP protocol allows this. Where is the problem?
Petr^2 Spacek
> We were thinking of a solution discussed way earlier - having our own time
> rule objects that could be referenced from each HBAC rule. That way, any time
> rule could be modified easily. As the HBAC rules are cached on the SSSD side
> periodically using the deref plugin, there should be no problem of
> inconsistency with the server database.
>
> The original reasoning pro and against the proposed solution could be found on
> the pad http://pad.engineering.redhat.com/ipa-time-based-HBAC-design. It would
> be really nice to hear your opinions and ideas that could help us overcome
> this problem.
>
> Thank you,
> Standa