On 11/13/2015 04:40 PM, Simo Sorce wrote:
On 13/11/15 10:17, Martin Basti wrote:
...
And in general I am opposed to having a separate object on performance
grounds (for clients) and also on the fact that it becomes tricky to
keep objects in sync.
What exactly is the performance issue there? To download extra entry
from LDAP?

Yes, because now you have to download rules, parse them, find out what needs to
be downloaded and pull it, or worse, just download all time rules.

Just for the record, you should be able to pull that in one LDAP search, when you cast dereference on the HBAC time linking attribute and pull the settings from the time object also.

This is what SSSD does with user search AFAIK, though I am not sure you can do it in non-base search returning multiple results.
