On 05/17/2016 12:40 PM, Petr Spacek wrote:
On 13.5.2016 13:50, Stanislav Laznicka wrote:
Hello list,

We had a discussion today over integrating the Time Rules into the CLI and
WebUI and a problem came up with with the current solution. It seems that
while having templating handled by CoSTemplates might be nice in terms of easy
dereferencing on SSSD side (it's handled by the DS itself), it's not really
much possible to pick one string from the multi-valued accesstime attribute of
HBAC Rule object and modify it.
Could you be more specific?

AFAIK LDAP protocol allows this. Where is the problem?

Petr^2 Spacek
I should have added we're talking CLI and WebUI here.

Imagine you have 5 values of the accesstime attribute, each one is about 10 lines of iCal string, and want to change one:

ipa hbacrule-mod-accesstime rule_name --time=???

We were thinking of a solution discussed way earlier - having our own time
rule objects that could be referenced from each HBAC rule. That way, any time
rule could be modified easily. As the HBAC rules are cached on the SSSD side
periodically using the deref plugin, there should be no problem of
inconsistency with the server database.

The original reasoning pro and against the proposed solution could be found on
the pad http://pad.engineering.redhat.com/ipa-time-based-HBAC-design. It would
be really nice to hear your opinions and ideas that could help us overcome
this problem.

Thank you,
Standa

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to