[tac_plus] Re: Redesign? (Was: Different privs for different devices?)
Kiss Gabor (Bitman)
kissg at ssg.ki.iif.hu
Tue Jul 6 04:56:27 UTC 2010
> > solution to store user attributes.
> > In this case arbitrary complex conditionals might be composed.
> > E.g. "user 'bill' will get level 15 privileges in worktime
> > logging in on the console port of certain 3 NAS-es but
> > level 1 in other cases".
>
> I'm probably missing something obvious, but is there a reason you couldn't
> accomplish the same thing by allowing a user to be a member of two independent
> groups? Obviously tac_plus would have to be modified to allow that, but that
> sounds to me like it would be a lot easier than rewriting the whole backend to
> use an RDB.
I think there is no way to painlessly(*) add further tests and their
arbitrary combination to the current syntax.
I mean: host originating telnet session, NAS tty, actual weekday and
daytime, number of already live sessions of the user etc.
Authorization clauses are also uneasy.
*Including backward compatibility.
Gabor
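The following is an added illustration, not code from the tac_plus project or from anyone on the list: a small first-match rule evaluator that derives a privilege level from the kinds of session attributes the thread names (weekday and daytime, NAS and port, originating host, number of live sessions). All attribute names, user names, NAS names and thresholds are constructed for the example; it shows what "arbitrary combinations of tests" looks like as data, and why a flat group membership cannot express the "bill gets 15 in worktime on the console of three NASes, else 1" case without one group per combination.

```python
"""Added illustration (not tac_plus code): a first-match rule evaluator that
derives a TACACS+ privilege level from arbitrary session attributes, the kind
of policy described in the thread (worktime + console port + a NAS set)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Any, Callable, Dict, List

# A session is a flat attribute bag; every key here is an assumption made for
# the example (time, port, nas, rem_addr, live_sessions), not a tac_plus AV pair.
Session = Dict[str, Any]


@dataclass
class Rule:
    name: str
    priv_lvl: int
    # Every condition must hold for the rule to match (logical AND);
    # alternatives are expressed as separate rules (logical OR by ordering).
    conditions: List[Callable[[Session], bool]] = field(default_factory=list)

    def matches(self, s: Session) -> bool:
        return all(cond(s) for cond in self.conditions)


def in_worktime(s: Session) -> bool:
    # Constructed definition of "worktime": Monday-Friday, 08:00-18:00.
    t: datetime = s["time"]
    return t.weekday() < 5 and 8 <= t.hour < 18


def on_console(s: Session) -> bool:
    # Console lines are assumed to be reported as "con0", "con1", ...
    return str(s.get("port", "")).startswith("con")


def nas_in(allowed: set) -> Callable[[Session], bool]:
    return lambda s: s.get("nas") in allowed


def from_net(prefix: str) -> Callable[[Session], bool]:
    # Crude prefix match on the originating address, enough for the example.
    return lambda s: str(s.get("rem_addr", "")).startswith(prefix)


def max_sessions(n: int) -> Callable[[Session], bool]:
    # Grant only while the user has fewer than n sessions already open.
    return lambda s: s.get("live_sessions", 0) < n


# Per-user ordered rule lists; the last rule of each user is the fallback.
POLICY: Dict[str, List[Rule]] = {
    "bill": [
        Rule("bill-console-worktime", 15,
             [in_worktime, on_console, nas_in({"nas1", "nas2", "nas3"})]),
        Rule("bill-default", 1),
    ],
    "alice": [
        Rule("alice-mgmt-net", 15, [from_net("10.0.0."), max_sessions(2)]),
        Rule("alice-default", 1),
    ],
}


def authorize(user: str, s: Session, default_priv: int = 0) -> int:
    """Return the privilege level of the first matching rule, or default_priv
    when the user is unknown or no rule matches (deny-by-default)."""
    for rule in POLICY.get(user, []):
        if rule.matches(s):
            return rule.priv_lvl
    return default_priv


if __name__ == "__main__":
    # Constructed sessions; 2010-07-06 is a Tuesday, 2010-07-10 a Saturday.
    print(authorize("bill", {"time": datetime(2010, 7, 6, 10), "port": "con0", "nas": "nas2"}))
    print(authorize("bill", {"time": datetime(2010, 7, 10, 10), "port": "con0", "nas": "nas2"}))
```

With this shape, adding a new kind of test (say, the NAS tty) is one more predicate and one more entry in a rule's condition list; with the existing group syntax it would instead require a group for every combination of conditions that should yield a different level, which is the painless-extension problem the message points at.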