My name is Stanislav Laznicka and I am a student at Brno University of
Technology. As a part of my Master's thesis, I am supposed to design and
implement time-based account policy extensions for FreeIPA and SSSD.
While going through the code, I noticed time-based access control was
implemented in the past, but it was pulled. I would very much be
interested to know why that was and what were the problems with that
implementation (so that I don't repeat those again).
The solution to the time-based account policies, as I see it, can be
divided into two possible directions - either the time of the policies is
stored as a UTC time (which is what both Active Directory and 389
Directory Server do), or it is just a time record that would be
compared to the local time of each client.
Each of the approaches above has its pros and cons. Basically, the local
time approach is much more flexible when it comes to multiple time
zones; however, it does not allow the absolute control of access that the
UTC time based approach would (or at least, it does not allow it without
some further additions). I would therefore also be interested to hear
from you about which of these approaches corresponds more to the common
use-case of the FreeIPA system.
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
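To make the trade-off between the two directions concrete, here is an added illustration (not FreeIPA or SSSD code, and not from the thread): one policy, "weekdays 09:00-17:00", is evaluated once as an absolute UTC window and once against each client's local wall clock. The policy shape (allowed ISO weekdays plus a daily window that may cross midnight), the client set and their fixed UTC offsets are all constructed for the example; real clients would use their tzdata zone, and DST only widens the gap shown here.

```python
"""Two evaluation models for a time-based access policy (added example).

Model 1 (UTC): the policy is stored in UTC and denotes the same instant
for every client, so every client reaches the same decision.
Model 2 (local): the policy is a bare wall-clock record compared to each
client's local time, so clients in different zones disagree.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone


@dataclass(frozen=True)
class TimePolicy:
    """Allowed weekdays (ISO: 1=Mon .. 7=Sun) and a daily [start, end) window."""
    days: frozenset
    start: time
    end: time

    def matches(self, wallclock: datetime) -> bool:
        """Check an aware datetime already expressed in the policy's own frame."""
        if wallclock.isoweekday() not in self.days:
            return False
        t = wallclock.time()  # naive time-of-day within that frame
        if self.start <= self.end:
            return self.start <= t < self.end
        # Window crosses midnight (e.g. 22:00-06:00): match either side of it.
        return t >= self.start or t < self.end


def allowed_utc(policy: TimePolicy, instant: datetime) -> bool:
    """Model 1: compare the absolute instant against the policy as UTC."""
    return policy.matches(instant.astimezone(timezone.utc))


def allowed_local(policy: TimePolicy, instant: datetime, client_tz) -> bool:
    """Model 2: compare the client's local wall clock against the same record."""
    return policy.matches(instant.astimezone(client_tz))


# Constructed sample clients: fixed offsets stand in for their zones (assumption;
# a real client would use its tzdata zone, where DST shifts the offset too).
CLIENT_ZONES = {
    "prague": timezone(timedelta(hours=1)),
    "los_angeles": timezone(timedelta(hours=-8)),
    "tokyo": timezone(timedelta(hours=9)),
}

WEEKDAYS = frozenset(range(1, 6))
OFFICE_HOURS = TimePolicy(days=WEEKDAYS, start=time(9), end=time(17))
NIGHT_SHIFT = TimePolicy(days=WEEKDAYS, start=time(22), end=time(6))


def utc_instant(year: int, month: int, day: int, hour: int, minute: int) -> datetime:
    """Build an aware UTC datetime for the instant being checked."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def evaluate(policy: TimePolicy, instant: datetime, zones=CLIENT_ZONES) -> dict:
    """Return {client: (utc_decision, local_decision)} for one instant."""
    return {
        name: (allowed_utc(policy, instant), allowed_local(policy, instant, tz))
        for name, tz in zones.items()
    }


if __name__ == "__main__":
    # Wednesday 2015-01-14 15:30 UTC: 16:30 in Prague, 07:30 in Los Angeles,
    # already Thursday 00:30 in Tokyo.
    for client, (u, l) in evaluate(OFFICE_HOURS, utc_instant(2015, 1, 14, 15, 30)).items():
        print(f"{client:12s} utc={u!s:5s} local={l!s:5s}")
```

The first instant shows the local model denying Los Angeles and Tokyo while the UTC model admits everyone; checking Saturday 2015-01-17 00:30 UTC shows the opposite, since Los Angeles is still inside Friday office hours under the local model but outside the absolute UTC window. A deployment that wants a single moment when access ends for every client needs the UTC model; one that wants "office hours wherever the user sits" needs the local one, with the added caveat that a client with a wrong clock or zone setting decides for itself.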