On Mon, 2015-03-09 at 08:00 +0100, Stanislav Láznička wrote:
> Hi!
>
> My name is Stanislav Laznicka and I am a student at Brno University
> of Technology. As a part of my Master's thesis, I am supposed to
> design and implement time-based account policies extensions for
> FreeIPA and SSSD.
>
> While going through the code, I noticed time-based access control
> was implemented in the past, but it was pulled. I would very much be
> interested to know why that was and what were the problems with that
> implementation (so that I don't repeat those again).
>
> The solution to the time-based account policies as I see it can be
> divided into two possible directions - having the time of the
> policies stored as a UTC time (which is what both Active Directory
> and 389 Directory Server do), or it can be just a time record that
> would be compared to the local time of each client.
>
> Each of the approaches above has its pros and cons. Basically, the local
> time approach is much more flexible when it comes to multiple time
> zones, however it does not allow the absolute control of access that
> the UTC time based approach would (or at least, it does not allow it
> without some further additions). I would therefore also be interested
> to hear from you about which of these approaches corresponds more to
> the common use-case of the FreeIPA system.
I would be deeply worried about the unexpected security issues that could
arise if local time was used by default.

Nathaniel

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
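The trade-off the two messages above describe can be made concrete with a small model. The following is an added illustration written for this page; it is not FreeIPA or SSSD code, and every name in it (the `ALLOWED_START`/`ALLOWED_END` window, `decide`, the sample timestamps and zones) is a constructed assumption. It evaluates the same policy ("logins allowed 09:00 to 17:00") two ways: once against the server's authoritative UTC clock converted into the zone the policy was written for, and once against whatever wall clock the client reports. The second mode shows both the flexibility Stanislav mentions (a user in another zone is allowed during their own working day) and the concern Nathaniel raises (the decision rests on a client-side value, so a misconfigured or deliberately shifted client clock changes the outcome).

```python
from datetime import datetime, time, timedelta, timezone

# Constructed policy window: the author's intent is "business hours".
# Hypothetical names, not FreeIPA/SSSD attributes.
ALLOWED_START = time(9, 0)
ALLOWED_END = time(17, 0)


def in_window(wall_clock, start=ALLOWED_START, end=ALLOWED_END):
    """True when the wall-clock time falls inside [start, end).

    Accepts a datetime (aware or naive) or a bare time; a window whose
    end is before its start is treated as crossing midnight.
    """
    t = wall_clock.time() if isinstance(wall_clock, datetime) else wall_clock
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def allowed_utc(now_utc, policy_tz):
    """UTC approach: the policy is anchored to one fixed zone (policy_tz)
    and evaluated from the server's UTC clock, so the client has no say."""
    return in_window(now_utc.astimezone(policy_tz))


def allowed_local(client_wall_clock):
    """Local-time approach: the policy is compared with the client's own
    wall clock, i.e. with a value the client is trusted to report."""
    return in_window(client_wall_clock)


def decide(now_utc, policy_tz, client_tz):
    """Evaluate one instant under both approaches.

    client_tz stands for the zone (or clock skew) the client happens to be
    configured with; only the local-time decision depends on it.
    Returns (utc_decision, local_decision).
    """
    client_wall_clock = now_utc.astimezone(client_tz)
    return allowed_utc(now_utc, policy_tz), allowed_local(client_wall_clock)


if __name__ == "__main__":
    # Constructed sample: the policy was written for a CET site.
    cet = timezone(timedelta(hours=1))
    pst = timezone(timedelta(hours=-8))

    # 20:30 UTC is 21:30 CET: outside the window for a correctly set CET client.
    evening = datetime(2015, 3, 9, 20, 30, tzinfo=timezone.utc)
    print("CET client, evening:", decide(evening, cet, cet))   # (False, False)

    # Same instant, but the client's zone/clock is shifted to UTC-8, so it
    # reports 12:30. The UTC approach still denies; the local approach allows.
    print("shifted client, evening:", decide(evening, cet, pst))  # (False, True)

    # 18:00 UTC is 10:00 in PST: a genuine west-coast user during their own
    # working day. The UTC-anchored policy (19:00 CET) denies them; the local
    # approach allows them. This is the flexibility/control trade-off.
    midday_west = datetime(2015, 3, 9, 18, 0, tzinfo=timezone.utc)
    print("PST user, their midday:", decide(midday_west, cet, pst))  # (False, True)
```

The point of running both modes side by side is that the two last cases are indistinguishable to the local-time evaluator: a legitimate remote user and a client with a shifted clock produce the same "allowed" answer, while the UTC evaluator gives the same answer regardless of what the client reports.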