On Mon, 2015-03-09 at 08:00 +0100, Stanislav Láznička wrote:
> Hi!
> 
> My name is Stanislav Laznicka and I am a student at Brno University 
> of Technology. As a part of my Master's thesis, I am supposed to 
> design and
> implement time-based account policies extensions for FreeIPA and 
> SSSD.
> 
> While going through the code, I noticed time-based access control 
> was implemented in the past, but it was pulled. I would very much be 
> interested to know why that was and what were the problems with that 
> implementation (so that I don't repeat those again).
> 
> The solution to the time-based account policies as I see it can be 
> divided into two possible directions - having the time of the 
> policies stored as a UTC time (which is what both Active Directory 
> and 389 Directory Server do), or it can be just a time record that 
> would be compared to the local time of each client.
> 
> Each of the approaches above has its pros and cons. Basically, local 
> time approach is much more flexible when it comes to multiple time 
> zones, however it does not allow the absolute control of access as 
> the UTC time based approach would (or at least, it does not allow it 
> without
> some further additions). I would therefore also be interested to 
> hear from you about which of these approaches corresponds more to 
> the common use-case of the FreeIPA system.

I would be deeply worried about the unexpected security issues that 
could arise if local time was used by default.

Nathaniel

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to