URL: https://github.com/SSSD/sssd/pull/269
Title: #269: Add support for ActiveDirectory's logonHours restrictions

sumit-bose commented:
"""
I'm a bit torn apart. On one hand I agree that new AD specific functionality 
should be added to the AD provider. On the other hand the check is similar to 
ldap_user_ad_account_expires and ldap_user_ad_user_account_control and there is 
already ldap_user_nds_login_allowed_time_map which is the same functionality 
with an NDS specific attribute. So putting the code in sdap_access.c is ok imo.

Maybe it can be seen this way. Although the attribute is used by AD it can be 
easily added to any LDAP server to control time based access for users based on 
the logic used by AD. This is in contrast to the handling of GPOs which cannot 
easily be added to any other environment than AD.

I think the attribute mapping can be set for LDAP (see paragraph above) but 
should be unset for IPA.

About enabling and backwards compatibility. What about adding a new account 
expire policy like e.g. 'ad_x' which includes everything the 'ad' policy checks 
plus logonHours? I would document that this policy might change in future 
because someone might want to implement support for the userWorkstation 
attribute (https://msdn.microsoft.com/en-us/library/ms680868(v=vs.85).aspx) as 
well.


"""

See the full comment at 
https://github.com/SSSD/sssd/pull/269#issuecomment-328160365
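Added example, not code from this PR or from SSSD's sdap_access.c: a self-contained C evaluation of an AD-style logonHours value, the kind of check the proposed 'ad_x' account expire policy would run on top of the existing 'ad' checks. Everything below that the thread does not state is an assumption of the example: that the attribute is a 21-octet bitmask of the 168 hours of the week in UTC, with bit 0 of octet 0 being Sunday 00:00-00:59 UTC and bits numbered least-significant first within each octet; that an absent attribute means no restriction (AD's default is all bits set); and that a value of any other length is malformed and must be denied rather than allowed. The function names, the sample policy and the timestamps are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Example only; not SSSD code.  Assumed AD layout: 21 octets, one bit per
 * hour of the week in UTC, bit 0 of octet 0 = Sunday 00:00-00:59 UTC,
 * least-significant bit first within each octet. */
#define LOGON_HOURS_LEN 21

/* Decide whether a login at UTC weekday wday (0 = Sunday) and hour (0..23)
 * is permitted by the raw attribute value.
 *  - hours == NULL (attribute absent): allowed, AD's default is all bits set
 *  - any length other than 21 octets, or out-of-range wday/hour: denied
 *    (fail closed on malformed input rather than granting access) */
bool logon_hours_allowed(const uint8_t *hours, size_t len, int wday, int hour)
{
    if (hours == NULL) {
        return true;
    }
    if (len != LOGON_HOURS_LEN || wday < 0 || wday > 6 || hour < 0 || hour > 23) {
        return false;
    }
    unsigned bitpos = (unsigned)wday * 24 + (unsigned)hour;   /* 0..167 */
    return ((hours[bitpos / 8] >> (bitpos % 8)) & 1u) != 0;
}

/* Same check for an absolute time.  The attribute is in UTC, so the weekday
 * and hour are derived from the Unix timestamp directly (1970-01-01 was a
 * Thursday, wday 4); the client's local time zone must play no part.
 * Production code would use gmtime_r(), never localtime_r(). */
bool logon_hours_allowed_at(const uint8_t *hours, size_t len, time_t when)
{
    if (when < 0) {
        return false;
    }
    long long secs = (long long)when;
    int wday = (int)((4 + secs / 86400) % 7);
    int hour = (int)((secs % 86400) / 3600);
    return logon_hours_allowed(hours, len, wday, hour);
}

/* Set the bits for hours first..last (inclusive) on weekday wday. */
static void logon_hours_set_range(uint8_t hours[LOGON_HOURS_LEN], int wday, int first, int last)
{
    for (int h = first; h <= last; h++) {
        unsigned bitpos = (unsigned)wday * 24 + (unsigned)h;
        hours[bitpos / 8] |= (uint8_t)(1u << (bitpos % 8));
    }
}

/* Constructed sample policy: Monday to Friday, 08:00-17:59 UTC only. */
const uint8_t *business_hours_policy(void)
{
    static uint8_t hours[LOGON_HOURS_LEN];
    static bool built = false;
    if (!built) {
        memset(hours, 0, sizeof(hours));
        for (int d = 1; d <= 5; d++) {
            logon_hours_set_range(hours, d, 8, 17);
        }
        built = true;
    }
    return hours;
}

int main(void)
{
    const uint8_t *policy = business_hours_policy();
    /* Constructed timestamps: 2017-09-08 is a Friday. */
    time_t fri_0900 = (time_t)1504861200;     /* 2017-09-08T09:00:00Z */
    time_t fri_1900 = fri_0900 + 10 * 3600;   /* 2017-09-08T19:00:00Z */
    time_t sat_0900 = fri_0900 + 24 * 3600;   /* 2017-09-09T09:00:00Z */

    printf("Fri 09:00 UTC:  %s\n", logon_hours_allowed_at(policy, LOGON_HOURS_LEN, fri_0900) ? "allowed" : "denied");
    printf("Fri 19:00 UTC:  %s\n", logon_hours_allowed_at(policy, LOGON_HOURS_LEN, fri_1900) ? "allowed" : "denied");
    printf("Sat 09:00 UTC:  %s\n", logon_hours_allowed_at(policy, LOGON_HOURS_LEN, sat_0900) ? "allowed" : "denied");
    printf("no attribute:   %s\n", logon_hours_allowed(NULL, 0, 6, 9) ? "allowed" : "denied");
    printf("20-octet value: %s\n", logon_hours_allowed(policy, 20, 5, 9) ? "allowed" : "denied");
    return 0;
}
```

Two points a reviewer of the real patch would look for are visible here: the time used for the comparison must be UTC, since that is what the attribute encodes, so a client in another zone must not be allowed to shift the window; and a value whose length is not 21 octets is rejected rather than partially interpreted. Like the other sdap_access.c checks, this is evaluated at access-control time only; it does not terminate a session that is already running when the permitted window ends.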
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
