URL: https://github.com/SSSD/sssd/pull/269
Title: #269: Add support for ActiveDirectory's logonHours restrictions

jhrozek commented:
"""
First, I'm sorry this PR stalled for several months. I finally had some time to re-check it and the primary thing I would suggest here is to not add the code into the generic LDAP expiration code. I think it belongs more to the `ad_access.c` module, because in general I would prefer to not add more AD-specific access controls into the generic LDAP module and also because IPA has been planning for a long time to add a time-based host access control policy and I think in IPA environments with AD trusted users, the AD logon hours policy should not be evaluated.

So here's what I would propose to do:
- move the evaluation function to the `ad_access.c` module
- unset the LDAP attribute mappings for IPA and LDAP case
- add a configure option which would be disabled for now, but enabled in a future release that would enable this functionality for the AD provider. (note: Do we need a runtime switch like we have for GPOs here as well?)
"""

See the full comment at https://github.com/SSSD/sssd/pull/269#issuecomment-327159735

sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org