My name is Stanislav Laznicka and I am a student at Brno University of Technology. As a part of my Master's thesis, I am supposed to design and implement time-based account policies extensions for FreeIPA and SSSD.

While going through the code, I noticed time-based access control was implemented in the past, but it was pulled. I would very much be interested to know why that was and what the problems with that implementation were (so that I don't repeat them again).

The solution to the time-based account policies as I see it can be divided into two possible directions - having the time of the policies stored as a UTC time (which is what both Active Directory and 389 Directory Server do), or it can be just a time record that would be compared to the local time of each client.

Each of the approaches above has its pros and cons. Basically, the local time approach is much more flexible when it comes to multiple time zones; however, it does not allow the absolute control of access that the UTC time based approach would (or at least, it does not allow it without some further additions). I would therefore also be interested to hear from you which of these approaches corresponds more closely to the common use-case of the FreeIPA system.

Standa L.
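To make the trade-off between the two approaches concrete, here is an added example (not code from the original message, FreeIPA or SSSD) that evaluates one constructed "08:00-18:00" access window both as an absolute UTC window and as a per-client local-time window; the client time zones are fixed offsets chosen for the illustration, and the policy format is assumed, not FreeIPA's.

```python
from datetime import datetime, time, timedelta, timezone

# Constructed client time zones as fixed offsets (DST deliberately ignored here;
# handling DST transitions correctly is one of the "further additions" a
# local-time policy would need).
CLIENT_TZ = {
    "prague": timezone(timedelta(hours=1)),   # CET
    "los_angeles": timezone(timedelta(hours=-8)),  # PST
    "tokyo": timezone(timedelta(hours=9)),    # JST
}


def in_window(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end); a window with end < start crosses midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def allowed_utc(now: datetime, start: time, end: time) -> bool:
    """UTC approach: one absolute window, identical for every client."""
    return in_window(now.astimezone(timezone.utc).time(), start, end)


def allowed_local(now: datetime, client: str, start: time, end: time) -> bool:
    """Local-time approach: each client compares the window to its own wall clock."""
    local = now.astimezone(CLIENT_TZ[client]).time()
    return in_window(local, start, end)


def evaluate(now: datetime, start: time, end: time) -> dict:
    """Return {client: (utc_decision, local_decision)} for all constructed clients."""
    return {
        c: (allowed_utc(now, start, end), allowed_local(now, c, start, end))
        for c in CLIENT_TZ
    }


if __name__ == "__main__":
    # Constructed instant: 20:30 UTC. The UTC policy denies everyone; the local
    # policy admits only the client whose wall clock is inside 08:00-18:00.
    now = datetime(2015, 1, 15, 20, 30, tzinfo=timezone.utc)
    for client, (utc_ok, local_ok) in evaluate(now, time(8), time(18)).items():
        print(f"{client:12s} utc={utc_ok!s:5s} local={local_ok}")
```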
