summaryrefslogtreecommitdiff
path: root/src/man
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2010-11-22 14:24:23 +0100
committerStephen Gallagher <sgallagh@redhat.com>2010-12-06 09:30:13 -0500
commit32266b2c1c6b8bf95f3ba8fd7f3ff2ef63d8fb9a (patch)
tree726ed591038967e12d559ccebd6eece6cd2520cb /src/man
parent39875788b552ed157e68156e64e95dda5dc6aa43 (diff)
downloadsssd-32266b2c1c6b8bf95f3ba8fd7f3ff2ef63d8fb9a.tar.gz
sssd-32266b2c1c6b8bf95f3ba8fd7f3ff2ef63d8fb9a.tar.bz2
sssd-32266b2c1c6b8bf95f3ba8fd7f3ff2ef63d8fb9a.zip
Add new account expired rule to LDAP access provider
Two new options are added to the LDAP access provider to allow a broader range of access control rules to be evaluated. 'ldap_access_order' makes it possible to run more than one rule. To keep compatibility with older versions the default is 'filter'. This patch adds a new rule 'expire'. 'ldap_account_expire_policy' specifies which LDAP attribute should be used to determine if an account is expired or not. Currently only 'shadow' is supported which evaluates the ldap_user_shadow_expire attribute.
Diffstat (limited to 'src/man')
-rw-r--r--src/man/sssd-ldap.5.xml55
1 files changed, 54 insertions, 1 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index cf6747e7..8936882c 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -370,7 +370,8 @@
<term>ldap_user_shadow_expire (string)</term>
<listitem>
<para>
- When using ldap_pwd_policy=shadow, this parameter
+ When using ldap_pwd_policy=shadow or
+ ldap_account_expire_policy=shadow, this parameter
contains the name of an LDAP attribute corresponding
to its
<citerefentry>
@@ -1026,6 +1027,58 @@ ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
</varlistentry>
<varlistentry>
+ <term>ldap_account_expire_policy (string)</term>
+ <listitem>
+ <para>
+ With this option a client side evaluation of
+ access control attributes can be enabled.
+ </para>
+ <para>
+ Please note that it is always recommended to
+ use server side access control, i.e. the LDAP
+ server should deny the bind request with a
+ suitable error code even if the password is
+ correct.
+ </para>
+ <para>
+ The following values are allowed:
+ </para>
+ <para>
+ <emphasis>shadow</emphasis>: use the value of
+ ldap_user_shadow_expire to determine if the account
+ is expired.
+ </para>
+ <para>
+ Default: Empty
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_access_order (string)</term>
+ <listitem>
+ <para>
+ Comma separated list of access control options.
+ Allowed values are:
+ </para>
+ <para>
+ <emphasis>filter</emphasis>: use ldap_access_filter
+ </para>
+ <para>
+ <emphasis>expire</emphasis>: use
+ ldap_account_expire_policy
+ </para>
+ <para>
+ Default: filter
+ </para>
+ <para>
+ Please note that it is a configuration error if a
+ value is used more than once.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_deref (string)</term>
<listitem>
<para>