Dne 14.12.2011 16:21, Rob Crittenden napsal(a):
Jan Cholasta wrote:
Dne 14.12.2011 15:23, Rob Crittenden napsal(a):
Jan Cholasta wrote:
Dne 14.12.2011 05:20, Rob Crittenden napsal(a):
The sudo schema now defines sudoOrder, sudoNotBefore and sudoNotAfter
but these weren't available in the sudorule plugin.
I've added support for these. sudoOrder enforces uniqueness because
duplicates are undefined.
I also added support for a GeneralizedTime parameter type. This is
similar to the existing AccessTime parameter but it only handles a
single time value.
You should parse the date/time part of the value with
time.strptime(timestr, '%Y%m%d%H%M%S') instead of doing it manually,
that way you'll get most of the validation for free.
Yes but it gives a crappy error message, just saying that some data is
left over not what is wrong.
IMHO having a separate error message for every field in the time string
(like you do in the patch) is an overkill, simple "invalid time" and/or
"unknown time format" should suffice (we don't have errors like "invalid
3rd octet" for IP adresses either).
Well, the work is done, hard to go back on a better error message.
Also, it would be nice to be able to enter the value in more
user-friendly format (e.g. "2011-12-14 13:01:25 +0100") and normalize
that to LDAP generalized time.
When dealing with time there are so many ways to input and display the
same values this becomes difficult.
I'd expect that the times for these two attributes will be relatively
simple and I somehow doubt users are going to want seconds, leap seconds
or fractions, but we'll need to consider how to do it for future
consistency (otherwise we could have a case where time is entered in one
format for some attributes and another for others).
If we input in a nice way we need to output in the same way.
We could make the preferred input/output time format user-configurable,
defaulting to current locale time format. This format would be used for
output. For input, we could go over a list of formats (first the
user-configured format, then current locale format, then a handful of
"standard" formats like YYYY-MM-DD HH:MM:SS) and use the first format
that can be successfully used to parse the time string.
See how far you get into the rabbit hole with even this simple format?
I don't mind, as long as it is the right thing to do (IMHO) :)
Anyway, I think this could be done on the client side, so we might use
your patch without changes. However, I would prefer if the parameter
class was more generic, so we could use it (hypothetically) to store
time in some other way than LDAP generalized time attribute (at least
name it DateTime please).
The LDAP GeneralizedTime needs to be either in GMT or include a
differential. This gets us into the territory where the client could be
in a different timezone than the server which leads us to why we dropped
AccessTime in the first place.
Speaking of time zones, the differential alone is not a sufficient time
zone description, as it doesn't account for DST. Is there a way to store
time in LDAP with full time zone name (just in case it's needed sometime
in future)?
So I'd like the user to supply the
timezone themselves so I don't have to guess (wrongly) and let them
worry about differing timezones.
We don't have to guess, IIRC there is a way to get the local timezone
differential in both Python and JavaScript, so the client could supply
it automatically if necessary.
rob
Honza
--
Jan Cholasta
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
