Hello list,

We had a discussion today over integrating the Time Rules into the CLI and WebUI and a problem came up with with the current solution. It seems that while having templating handled by CoSTemplates might be nice in terms of easy dereferencing on SSSD side (it's handled by the DS itself), it's not really much possible to pick one string from the multi-valued accesstime attribute of HBAC Rule object and modify it.

We were thinking of a solution discussed way earlier - having our own time rule objects that could be referenced from each HBAC rule. That way, any time rule could be modified easily. As the HBAC rules are cached on the SSSD side periodically using the deref plugin, there should be no problem of inconsistency with the server database.

The original reasoning pro and against the proposed solution could be found on the pad http://pad.engineering.redhat.com/ipa-time-based-HBAC-design. It would be really nice to hear your opinions and ideas that could help us overcome this problem.

Thank you,

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to