On Mon, 2016-08-29 at 16:35 +0200, Petr Spacek wrote:
> On 29.8.2016 16:34, Simo Sorce wrote:
> > On Mon, 2016-08-29 at 09:13 +0200, Petr Spacek wrote:
> >> On 26.8.2016 17:40, Simo Sorce wrote:
> >>> On Fri, 2016-08-26 at 11:37 -0400, Simo Sorce wrote:
> >>>> I.e. we could set both "allow" and "allow_with_time" on an object for
> >>>> cases where the admin wants to enforce the time part only on newer
> >>>> clients but otherwise apply the rule to any client.
> >>>
> >>> I notice that SSSD does not like it if there are multiple values on this
> >>> attribute, but we could change this easily in older clients when we
> >>> update them. Worst case the rule will not apply and admins have to
> >>> create 2 rules, one with allow and one with allow_with_time.
> >>
> >> I like the idea in general but it needs proper design and detailed
> >> specification first.
> >>
> >> Given that we have to modify SSSD anyway, I would go for an ipaHBACRulev2
> >> object class with a clear definition of "capabilities" (without any
> >> obsolete cruft).
> >>
> >> That should be future proof and without any negative impact on existing
> >> clients.
> >
> > ipaHBACRule2 is needed anyway, it is just how it is implemented that
> > differs. I really think we should go the accessRuleType route; I find it
> > superior to messing with objects by ripping off structural objectclasses
> > and replacing them.
>
> So we are in agreement ;-)

If you liked my proposal then I guess we are, it wasn't clear to me :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code