On Tue, 16 Aug 2016, Stanislav Laznicka wrote:
On 08/12/2016 06:48 PM, Petr Spacek wrote:
On 11.8.2016 12:34, Stanislav Laznicka wrote:
I updated the design of the Time-Based HBAC Policies according to the
discussion we led here earlier. Please check the design page
http://www.freeipa.org/page/V4/Time-Based_Account_Policies. The biggest
changes are in the Implementation and Feature Management sections. I also
added a short How to Use section.
Thank you for the review! I will add some comments inline.
My idea was that we allow users prepare a few time rule objects before
filling them with the actual times.
On the high level it all makes sense.
ad LDAP schema
1) Why accessTime attribute is MAY in ipaTimeRule object class?
Does it make sense to have the object without accessTime? I do not think so.
Also, it could be good to add description attribute to the object class and
incorporate it into commands (including find).
Definitely a good idea, I will work that in.
I believe that the accessTime attribute was originally brought to IPA
when there was an implementation of time policies for HBAC objects and
it's been rotting there ever since those capabilities were removed. We
may eventually use a new attribute for storage of the time strings as
accessTime by definition is multi-valued which is not what's currently
desired (although we may end up with it some day in the future).
However, I don't think any other use of accessTime should be a problem
as it's been obsoleted for a long time.
2) Besides all this, I spent few minutes in dark history of IPA. The
accessTime attribute was introduced back in 2009 in commit
"55ba300c7cb59cf05b16cc01281f51d93eb25acf" aka "Incorporate new schema for
The commit does not contain any reasoning for the change but I can see that
the attribute is already used as MAY in old object classes ipaHBACRule and
Is any of these a problem?
If the attribute can be used, let's use it. We can limit multiple values
in the framework and actively complain about multi-valued accessTime.
I'm sorry to say I have no idea. I used it for what it originally was
- a means for storing time strings at HBAC rules.
Why is it even in ipaSELinuxUserMap object class?
accessTime was part of HBAC rule but when SELinuxUserMap support was
added, HBAC lost accessTime functionality --- that's why
ipaSELinuxUserMap object class carries accessTime attribute, to specify
the time when associated HBAC rule applies.
This is one more argument to re-use accessTime attribute.
/ Alexander Bokovoy
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code