[Freeipa-devel] Time-based account policies

Alexander Bokovoy abokovoy at redhat.com
Tue Mar 10 16:56:54 UTC 2015


On Tue, 10 Mar 2015, Martin Kosek wrote:
>On 03/10/2015 05:18 PM, Alexander Bokovoy wrote:
>> On Tue, 10 Mar 2015, John Dennis wrote:
>>> On 03/10/2015 11:06 AM, Jakub Hrozek wrote:
>>>>> We may need to use libraries for processing iCal rules, like libical
>>>>> (http://koji.fedoraproject.org/koji/buildinfo?buildID=606329)...
>>>>
>>>> Is that what Alexander said, though? In his reply, I see:
>>>>     "Parsing event information would produce a rule definition we would
>>>>     store and SSSD would apply as HBAC rule".
>>>>
>>>> I don't think iCal dependency is something we want in SSSD, the
>>>> rules should be converted from iCal to SSSD format in a layer atop
>>>> libipa_hbac.
>>>
>>> But doesn't the iCal rule have to be evaluated in SSSD? If so that
>>> requires linking against libical, right?
>> That's why I'm saying we import iCal in IPA, not that we keep using iCal
>> as internal representation of time/date information for HBAC rules.
>>
>> I don't really want to impose iCal horror on HBAC rule parsing engine.
>> I believe we can do simpler and better, given HBAC is all about ALLOW
>> rules on the basis of a default DENY action.
>
>Ok, but how do you want to define a rule such as
>
>"Allow Joe to log in every Monday, except holidays (when the office is closed)"?
>
>We can't just have IPA process the iCal and generate Allow ranges as there is
>an indefinite number of allow ranges. So if you want to describe a more complex
>rule (a recurring rule with some exceptions maybe), you end up with iCal anyway.
>Or not?
See my answer to John. We don't need to end up with iCal at all since
iCal doesn't have procedural definitions of holidays. It has
EXDATE/RRULE allowing to express exceptions and repeating rules (EXRULE
for exception rules was removed in RFC5545 and is not used anymore) but
nothing more concrete.

RFC5545 does define multiple things which are part of iCalendar format
and which we don't really need to deal with in SSSD so we don't need
full iCal at all. We need to be able to represent recurring events and
some of the exceptions to them within the rules but that is a subset of what
is needed and can be implemented without involving a fully-compliant
iCal library.
-- 
/ Alexander Bokovoy
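
The subset argued for above (a weekly recurrence plus explicit exception dates, evaluated under HBAC's default-DENY model) can be checked without an iCal library. The following is an added example, not part of the original message and not SSSD or FreeIPA code; the `time_rule` layout, the function names and the sample dates are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical rule layout, not SSSD's or FreeIPA's: a weekly recurrence
 * (weekday mask plus time window) and explicit exception dates, i.e. the
 * RRULE/EXDATE subset discussed in the thread. */
struct time_rule {
    unsigned weekday_mask;   /* bit 0 = Sunday ... bit 6 = Saturday */
    int start_min, end_min;  /* allowed window, minutes since midnight, [start, end) */
    const int *exdates;      /* excluded days encoded as YYYYMMDD */
    size_t n_exdates;
};

/* Day of week for a Gregorian date, 0 = Sunday (Sakamoto's method). */
static int weekday(int y, int m, int d)
{
    static const int t[] = {0, 3, 2, 5, 0, 3, 5, 1, 4, 6, 2, 4};
    if (m < 3) y -= 1;
    return (y + y / 4 - y / 100 + y / 400 + t[m - 1] + d) % 7;
}

/* HBAC semantics: default DENY, a rule can only ALLOW. */
bool rule_allows(const struct time_rule *r, int y, int m, int d, int hh, int mm)
{
    int now = hh * 60 + mm;
    int ymd = y * 10000 + m * 100 + d;

    if (m < 1 || m > 12 || d < 1 || d > 31 ||
        hh < 0 || hh > 23 || mm < 0 || mm > 59)
        return false;                   /* malformed input never grants access */
    if (!(r->weekday_mask & (1u << weekday(y, m, d))))
        return false;                   /* not a recurring day */
    if (now < r->start_min || now >= r->end_min)
        return false;                   /* outside the allowed window */
    for (size_t i = 0; i < r->n_exdates; i++)
        if (r->exdates[i] == ymd)
            return false;               /* exception date, e.g. office closed */
    return true;
}

/* Constructed sample: Mondays 08:00-18:00, except Monday 2015-04-06. */
static const int sample_exdates[] = {20150406};
const struct time_rule monday_rule = {1u << 1, 8 * 60, 18 * 60, sample_exdates, 1};

int main(void)
{
    printf("2015-03-09 09:00 -> %d\n", rule_allows(&monday_rule, 2015, 3, 9, 9, 0));
    printf("2015-04-06 09:00 -> %d\n", rule_allows(&monday_rule, 2015, 4, 6, 9, 0));
    return 0;
}
```

The holiday list is plain data supplied with the rule, so the evaluator needs no procedural notion of holidays.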



