On Thu, 2013-02-14 at 08:30 -0700, Rich Megginson wrote: > On 02/14/2013 06:54 AM, Simo Sorce wrote: > > On Thu, 2013-02-14 at 10:02 +0100, Dag Wieers wrote: > >> Hi, > >> > >> Another interesting recommendation from security is that all granted > >> access (that is exceptional, rather than permanent) should be limited in > >> time from the onset. > >> > >> If this is not possible all granted access needs to be documented and > >> revised regularly. However a system that would automatically revoke access > >> after a certain period is preferred from a security/administrative > >> perspective. (Period to be defined when granting access) > >> > >> This would mean that e.g. sudo-rules, group memberships, etc. could have > >> due dates and that IPA ensures that these rights are revoked in due time. > >> > >> So I was wondering whether this is something that was already discussed as > >> a feature for IPA ? > > sudo rules have sudoNotBefore sudoNotAfter attributes, so you can limit > > their validity. > > > > User accounts have an expiration time as well. > > > > There is no expiration time for groups or group membership, we have not > > had any previous request or need for this and I am not sure it really is > > possible to do this for group memberships. > > Someone was asking for this in one of the OpenLDAP forums. They want to > be able to expire group membership after a certain time. They were going > to create a new syntax which would be something like > > generalizedTime DELIM distinguishedName > > e.g. > dn: cn=temporaryAdminGroup,.... > timedmember: 20130215120000Z$uid=richm,...... > > After 20130215120000Z is hit, the value would be removed from the group.
To me it looks like a bad hack and breaks all exiting clients. I do not think it is a viable interface except for purpose built software. Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users