On 13.5.2016 13:50, Stanislav Laznicka wrote:
> Hello list,
> 
> We had a discussion today over integrating the Time Rules into the CLI and
> WebUI and a problem came up with the current solution. It seems that
> while having templating handled by CoSTemplates might be nice in terms of easy
> dereferencing on SSSD side (it's handled by the DS itself), it's not really
> much possible to pick one string from the multi-valued accesstime attribute of
> HBAC Rule object and modify it.

Could you be more specific?

AFAIK LDAP protocol allows this. Where is the problem?

Petr^2 Spacek

> We were thinking of a solution discussed way earlier - having our own time
> rule objects that could be referenced from each HBAC rule. That way, any time
> rule could be modified easily. As the HBAC rules are cached on the SSSD side
> periodically using the deref plugin, there should be no problem of
> inconsistency with the server database.
> 
> The original reasoning pro and against the proposed solution could be found on
> the pad http://pad.engineering.redhat.com/ipa-time-based-HBAC-design. It would
> be really nice to hear your opinions and ideas that could help us overcome
> this problem.
> 
> Thank you,
> Standa

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
