On 24.3.2015 08:20, Jakub Hrozek wrote:
> On Tue, Mar 24, 2015 at 08:07:53AM +0100, Martin Kosek wrote:
>> On 03/24/2015 07:16 AM, Jan Cholasta wrote:
>>> Dne 23.3.2015 v 20:17 Standa Láznička napsal(a):
>> ...
>>>>> Given the above, HBAC rules could contain (time, anchor), where anchor
>>>>> is "UTC", "user local time" or "host local time".
>>>> Truth is, it was not really clear to me from the last week's discussion
>>>> whose "Local Time" to use - do we use host's or do we use user's?  It
>>>> would make sense to me to use the user's local time. But then you would
>>>> need to really store at least the timezone information with each user
>>>> object. And that information should probably change with user moving
>>>> between different timezones. That's quite a pickle I am in right here.
>>> IMO whether to use user or host local time depends on organization local
>>> policy, hence my suggestion to support both.
>> I am bit confused, I would like to make sure we are on the same page with
>> regards to Local Time. When the Local Time rule is created, anchor will be 
>> set
>> to "Local Time". Then SSSD would simply use host's local time, in whichever
>> time zone the HBAC host is.
> Yes, that was my understanding also.
>> So this is the default host enforcement. For the user, you want to let SSSD
>> check authenticated user's entry, to see if there is a timezone information?
>> This would of course depend on the information being available. For AD users,
>> you would need to set it in ID Views or similar.
> Yes, also in a previous e-mail, there was a suggestion to change
> timezones by admin when the user changes timezones -- I didn't like that
> part, it seems really error prone and tedious. *If* there was this
> choice, it should not be the default, rather the default should also be
> host local time IMO.

It would be nice to clearly state in docs what 'timezone' are you going to
use. Users can specify their own timezone via TZ environment variable and this
can be very different from timezone defined by /etc/localtime.

Petr^2 Spacek

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to