On 26.8.2016 17:40, Simo Sorce wrote:
> On Fri, 2016-08-26 at 11:37 -0400, Simo Sorce wrote:
>> Ie we could set both "allow" and "allow_with_time" on an object for
>> cases where the admin wants to enforce the time part only on newer
>> but otherwise apply the rule to any client.
> I notice that SSSD does not like it if there are multiple values on this
> attribute, but we could change this easily in older clients when we
> update them. Worst case the rule will not apply and admins have to
> create 2 rules, one with allow and one with allow_with_time.
I like the idea in general but it needs proper design and detailed
Given that we have to modify SSSD anyway, I would go for ipaHBACRulev2 object
class with clear definition of "capabilities" (without any obsolete cruft).
That should be future proof and without any negative impact to existing clients.