[Freeipa-devel] Time-based account policies

Martin Kosek mkosek at redhat.com
Tue Mar 10 14:00:42 UTC 2015 

On 03/09/2015 07:22 PM, Alexander Bokovoy wrote:
> On Mon, 09 Mar 2015, Jakub Hrozek wrote:
>> On Mon, Mar 09, 2015 at 04:08:46PM +0100, Martin Kosek wrote:
>>> On 03/09/2015 03:58 PM, Alexander Bokovoy wrote:
>>> > On Mon, 09 Mar 2015, Martin Kosek wrote:
>>> ...
>>> > One of bigger issues we had was lack of versatile ical format parser to
>>> > handle calendar-like specification of events -- we need to allow
>>> > importing these ones instead of inventing our own.
>>>
>>> Good point. I wonder how rigorous we want to be. iCal is a pretty powerful
>>> calendaring format. If we want to implement full support for it, it would be
>>> lot of code both on server side for setting it and on client side for
>>> evaluating it (CCing Jakub for reference).
>>>
>>> AD itself has much simpler UI for setting the access time, a table like that:
>>> http://www.intelliadmin.com/images/Logon%20Hours%20Windows%20Active%20Directory.jpg
>>>
>>>
>>> IIRC, they only store the bits of "can login/cannot login" for the time slots.
>>> That's another alternative.
>>
>> I don't think that's what Alexander meant, I don't think the client
>> library should come anywhere close to the iCal format. We might want to
>> provide a script to convert an external format, but that's about it.
>>
>> I thought we could simply reuse parts of the previous grammar, maybe
>> simplified. But I agree with Nathaniel (as I stated also in the private
>> thread) that we should use UTC where possible.
> Yes and no. Let me go in details a bit.
> 
> We need iCal support to allow importing events created by external
> tools. We don't need to use it as internal format.

Can you please share a bit what events you have in mind? We are talking about
HBAC access rules, so I am not sure what you want to import.

Is this for use cases like - I have a recurring Linux learning lab, I want to
all participants to be able to log in to this system during the lab run?

This may results in pretty complicated time related rules in HBAC, where you
may need to deal with reocurrence, exceptions, etc. So far more complex than
the AD use cases
(http://www.intelliadmin.com/images/Logon%20Hours%20Windows%20Active%20Directory.jpg).

Thanks,
Martin

More information about the Freeipa-devel mailing list