[Freeipa-users] Granting rights temporarily

Rich Megginson rmeggins at redhat.com
Thu Feb 14 15:30:44 UTC 2013


On 02/14/2013 06:54 AM, Simo Sorce wrote:
> On Thu, 2013-02-14 at 10:02 +0100, Dag Wieers wrote:
>> Hi,
>>
>> Another interesting recommendation from security is that all granted
>> access (that is exceptional, rather than permanent) should be limited in
>> time from the onset.
>>
>> If this is not possible all granted access needs to be documented and
>> revised regularly. However a system that would automatically revoke access
>> after a certain period is preferred from a security/administrative
>> perspective. (Period to be defined when granting access)
>>
>> This would mean that e.g. sudo-rules, group memberships, etc. could have
>> due dates and that IPA ensures that these rights are revoked in due time.
>>
>> So I was wondering whether this is something that was already discussed as
>> a feature for IPA?
> sudo rules have sudoNotBefore sudoNotAfter attributes, so you can limit
> their validity.
>
> User accounts have an expiration time as well.
>
> There is no expiration time for groups or group membership, we have not
> had any previous request or need for this and I am not sure it really is
> possible to do this for group memberships.

Someone was asking for this in one of the OpenLDAP forums.  They want to 
be able to expire group membership after a certain time. They were going 
to create a new syntax which would be something like

generalizedTime DELIM distinguishedName

e.g.
dn: cn=temporaryAdminGroup,....
timedmember: 20130215120000Z$uid=richm,......

After 20130215120000Z is hit, the value would be removed from the group.

>
> I guess we could add an attribute to expire a group, however no client
> will respect that for now, so it would be a bit pointless if not
> misguiding.
>
> Simo.
>
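The sweeper implied by the proposal above (parse each "generalizedTime DELIM distinguishedName" value, and once the time has been hit, remove that value from the group) as an added example. This is not FreeIPA, 389-ds or OpenLDAP code and nothing on the list implemented it; the attribute name "timedmember" and "$" as DELIM are taken from the message, the full DNs, the group DN and the sample values are constructed for the example, and the output is an LDIF modify that an external job could feed to ldapmodify.

```python
"""Expire group members stored as  generalizedTime DELIM distinguishedName.

Added example, not project code.  ATTR, DELIM, the DNs and the sample
values below are assumptions made for the illustration.
"""
import base64
import re
from datetime import datetime, timedelta, timezone

ATTR = "timedmember"   # assumed attribute name from the proposal
DELIM = "$"            # assumed DELIM from the proposal

# generalizedTime per RFC 4517 section 3.3.13:
#   YYYYMMDDHH[MM[SS]][(.|,)fraction](Z|+hhmm|-hhmm)
# RFC 4517 also allows a zone-less local time; it is ambiguous for an
# expiry decision, so this sweeper treats it as malformed.
_GT_RE = re.compile(
    r"^(?P<y>\d{4})(?P<mo>\d{2})(?P<d>\d{2})(?P<h>\d{2})"
    r"(?:(?P<mi>\d{2})(?P<s>\d{2})?)?"
    r"(?:[.,](?P<frac>\d+))?"
    r"(?P<tz>Z|[+-]\d{4})$"
)


def parse_generalized_time(text):
    """Return an aware UTC datetime; raise ValueError on anything malformed."""
    m = _GT_RE.match(text.strip())
    if m is None:
        raise ValueError("not a generalizedTime with a zone: %r" % text)
    g = m.groupdict()
    tz = timezone.utc
    if g["tz"] != "Z":
        sign = 1 if g["tz"][0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(g["tz"][1:3]),
                                       minutes=int(g["tz"][3:5])))
    dt = datetime(int(g["y"]), int(g["mo"]), int(g["d"]), int(g["h"]),
                  int(g["mi"] or 0), int(g["s"] or 0), tzinfo=tz)
    if g["frac"]:
        # The fraction applies to the smallest unit actually present.
        unit = (timedelta(seconds=1) if g["s"] else
                timedelta(minutes=1) if g["mi"] else timedelta(hours=1))
        dt += unit * (int(g["frac"]) / 10 ** len(g["frac"]))
    return dt.astimezone(timezone.utc)


def parse_timed_member(value):
    """Split one attribute value into (expiry_utc, member_dn)."""
    head, sep, dn = value.partition(DELIM)   # the time part never contains DELIM
    if not sep or not dn.strip():
        raise ValueError("missing %r or DN in %r" % (DELIM, value))
    return parse_generalized_time(head), dn.strip()


def sweep(values, now):
    """Partition values into (expired, valid, malformed) at generalizedTime `now`.

    Expiry is inclusive: at exactly the stored instant the value is due.
    Malformed values are neither deleted nor ignored; they are returned so
    the operator is told about a membership that would otherwise never end.
    """
    now_utc = parse_generalized_time(now)
    expired, valid, malformed = [], [], []
    for v in values:
        try:
            expiry, _dn = parse_timed_member(v)
        except ValueError:
            malformed.append(v)
            continue
        (expired if expiry <= now_utc else valid).append(v)
    return expired, valid, malformed


def _ldif_line(attr, value):
    """Base64-encode (attr:: ...) when RFC 2849 does not allow the value literally."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")))
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def ldif_remove(group_dn, expired):
    """LDIF 'modify' deleting exactly the expired values (delete-by-value)."""
    if not expired:
        return ""
    lines = [_ldif_line("dn", group_dn), "changetype: modify", "delete: " + ATTR]
    lines += [_ldif_line(ATTR, v) for v in expired]
    lines.append("-")
    return "\n".join(lines) + "\n"


# Constructed sample data; every DN here is hypothetical.
GROUP_DN = "cn=temporaryAdminGroup,cn=groups,cn=accounts,dc=example,dc=test"
SAMPLE_VALUES = [
    "20130215120000Z$uid=richm,cn=users,cn=accounts,dc=example,dc=test",
    "20130215130000+0100$uid=simo,cn=users,cn=accounts,dc=example,dc=test",  # same instant
    "20130301000000Z$uid=dag,cn=users,cn=accounts,dc=example,dc=test",
    "2013-02-15T12:00:00Z$uid=bogus,cn=users,cn=accounts,dc=example,dc=test",  # ISO 8601, wrong syntax
]

if __name__ == "__main__":
    expired, valid, malformed = sweep(SAMPLE_VALUES, "20130215120000Z")
    print(ldif_remove(GROUP_DN, expired), end="")
    for v in malformed:
        print("# WARNING: unreadable %s value kept, review by hand: %s" % (ATTR, v))
```

Run against a clock of 20130215120000Z it emits a modify deleting the richm and simo values (the +0100 one is the same instant), keeps dag's, and warns about the ISO 8601 value instead of guessing. Delete-by-value sends the stored octets back unchanged, so the sweeper must read the values it later deletes from the same entry rather than reconstructing them. It only removes the value, which is the behaviour described above; it does nothing about the point that no client would interpret the attribute in the meantime.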