On 29.8.2016 16:34, Simo Sorce wrote:
> On Mon, 2016-08-29 at 09:13 +0200, Petr Spacek wrote:
>> On 26.8.2016 17:40, Simo Sorce wrote:
>>> On Fri, 2016-08-26 at 11:37 -0400, Simo Sorce wrote:
>>>> Ie we could set both "allow" and "allow_with_time" on an object for
>>>> cases where the admin wants to enforce the time part only o newer
>>>> client
>>>> but otherwise apply the rule to any client.
>>> I notice that SSSD does not like it if there are multiple values on this
>>> attribute, but we could change this easily in older clients when we
>>> update them. worst case the rule will not apply and admins have to
>>> create 2 rules, one with allow and one with allow_with_time.
>> I like the idea in general but it needs proper design and detailed
>> specification first.
>> Given that we have to modify SSSD anyway, I would go for ipaHBACRulev2 object
>> class with clear definition of "capabilities" (without any obsolete cruft).
>> That should be future proof and without any negative impact to existing 
>> clients.
> ipaHBACRule2 is needed anyway, it is just how it is implemented that
> differs, I really think we should go the accessRuleType route, I find it
> superior to messing with objects by ripping off structural objectclasses
> and replacing them.

So we are in agreement ;-)

Petr^2 Spacek

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to