On 26.8.2016 17:40, Simo Sorce wrote:
> On Fri, 2016-08-26 at 11:37 -0400, Simo Sorce wrote:
>> I.e. we could set both "allow" and "allow_with_time" on an object for
>> cases where the admin wants to enforce the time part only on newer
>> clients but otherwise apply the rule to any client.
>
> I notice that SSSD does not like it if there are multiple values on this
> attribute, but we could change this easily in older clients when we
> update them. Worst case the rule will not apply and admins have to
> create 2 rules, one with allow and one with allow_with_time.
I like the idea in general, but it needs a proper design and a detailed specification first. Given that we have to modify SSSD anyway, I would go for an ipaHBACRulev2 object class with a clear definition of "capabilities" (without any obsolete cruft). That should be future-proof and have no negative impact on existing clients.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
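The two compatibility schemes argued over in this exchange, modelled as an added example that is not SSSD, FreeIPA, or either poster's code: scheme 1 puts both "allow" and "allow_with_time" on one attribute of an existing ipaHBACRule entry, and scheme 2 introduces a separate ipaHBACRulev2 object class with explicit capabilities. The attribute name accessRuleType, the timeWindow field, the "time" capability name and all rule entries are assumptions constructed for the illustration; only the values "allow"/"allow_with_time" and the class name ipaHBACRulev2 come from the thread.

```python
"""Toy model of the two HBAC compatibility schemes discussed in the thread.

Added illustration only; this is not SSSD or FreeIPA code. The attribute
name accessRuleType, the timeWindow field, the capability names and the
rule entries below are assumptions constructed for the example; only the
values "allow" and "allow_with_time" and the object class name
ipaHBACRulev2 come from the thread.
"""
from datetime import datetime, time

# Constructed directory entries, shaped loosely like LDAP entries
# (every attribute is a list of values, objectClass included).
ENTRIES = {
    "plain": {
        "objectClass": ["ipaHBACRule"],
        "accessRuleType": ["allow"],
        "timeWindow": [],
    },
    "time_only": {
        "objectClass": ["ipaHBACRule"],
        "accessRuleType": ["allow_with_time"],
        "timeWindow": ["09:00-17:00"],
    },
    "both_values": {  # scheme 1: two values on one attribute
        "objectClass": ["ipaHBACRule"],
        "accessRuleType": ["allow", "allow_with_time"],
        "timeWindow": ["09:00-17:00"],
    },
    "v2": {  # scheme 2: new object class carrying explicit capabilities
        "objectClass": ["ipaHBACRulev2"],
        "capabilities": ["time"],
        "accessRuleType": ["allow"],
        "timeWindow": ["09:00-17:00"],
    },
}


def parse_window(values):
    """'HH:MM-HH:MM' -> (start, end); an empty list means no time limit."""
    if not values:
        return None
    start, end = values[0].split("-")
    return (time.fromisoformat(start), time.fromisoformat(end))


def in_window(window, now):
    if window is None:
        return True
    start, end = window
    return start <= now.time() <= end


def legacy_client_applies(entry, now, tolerant=False):
    """Old client: knows only ipaHBACRule with a single 'allow' value.

    tolerant=False models current SSSD as described in the thread: a
    multi-valued accessRuleType is rejected, so the rule does not apply.
    tolerant=True models an old client patched to ignore values it does
    not understand. ipaHBACRulev2 entries are never matched at all, which
    is why scheme 2 cannot affect unpatched clients.
    """
    if "ipaHBACRule" not in entry["objectClass"]:
        return False
    values = entry["accessRuleType"]
    if not tolerant and len(values) != 1:
        return False
    return "allow" in values


def new_client_applies(entry, now):
    """Updated client: understands both schemes and enforces the time part."""
    if "ipaHBACRulev2" in entry["objectClass"]:
        if "time" in entry.get("capabilities", []):
            return in_window(parse_window(entry["timeWindow"]), now)
        return "allow" in entry["accessRuleType"]
    if "allow_with_time" in entry["accessRuleType"]:
        return in_window(parse_window(entry["timeWindow"]), now)
    return "allow" in entry["accessRuleType"]


def evaluate(now, tolerant_legacy=False):
    """Return {rule: (legacy_result, new_result)} for the given moment."""
    return {
        name: (legacy_client_applies(e, now, tolerant_legacy),
               new_client_applies(e, now))
        for name, e in ENTRIES.items()
    }


if __name__ == "__main__":
    for stamp in (datetime(2016, 8, 26, 12, 0), datetime(2016, 8, 26, 20, 0)):
        print(stamp, "strict:", evaluate(stamp))
        print(stamp, "tolerant:", evaluate(stamp, tolerant_legacy=True))
```

Running it shows the trade-off: with scheme 1 an unpatched client drops the "both_values" rule entirely (the worst case mentioned), while a patched one applies it without the time part; with scheme 2 old clients never see the v2 entry, so existing behaviour is untouched and only updated clients evaluate the capability.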