diff options
author | Sumit Bose <sbose@redhat.com> | 2010-11-22 14:24:23 +0100 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-12-06 09:30:13 -0500 |
commit | 32266b2c1c6b8bf95f3ba8fd7f3ff2ef63d8fb9a (patch) | |
tree | 726ed591038967e12d559ccebd6eece6cd2520cb /src/man | |
parent | 39875788b552ed157e68156e64e95dda5dc6aa43 (diff) | |
download | sssd-32266b2c1c6b8bf95f3ba8fd7f3ff2ef63d8fb9a.tar.gz sssd-32266b2c1c6b8bf95f3ba8fd7f3ff2ef63d8fb9a.tar.bz2 sssd-32266b2c1c6b8bf95f3ba8fd7f3ff2ef63d8fb9a.zip |
Add new account expired rule to LDAP access provider
Two new options are added to the LDAP access provider to allow a broader
range of access control rules to be evaluated.
'ldap_access_order' makes it possible to run more than one rule. To keep
compatibility with older versions the default is 'filter'. This patch
adds a new rule 'expire'.
'ldap_account_expire_policy' specifies which LDAP attribute should be
used to determine if an account is expired or not. Currently only
'shadow' is supported which evaluates the ldap_user_shadow_expire
attribute.
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/sssd-ldap.5.xml | 55 |
1 files changed, 54 insertions, 1 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index cf6747e7..8936882c 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -370,7 +370,8 @@ <term>ldap_user_shadow_expire (string)</term> <listitem> <para> - When using ldap_pwd_policy=shadow, this parameter + When using ldap_pwd_policy=shadow or + ldap_account_expire_policy=shadow, this parameter contains the name of an LDAP attribute corresponding to its <citerefentry> @@ -1026,6 +1027,58 @@ ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com </varlistentry> <varlistentry> + <term>ldap_account_expire_policy (string)</term> + <listitem> + <para> + With this option a client side evaluation of + access control attributes can be enabled. + </para> + <para> + Please note that it is always recommended to + use server side access control, i.e. the LDAP + server should deny the bind request with a + suitable error code even if the password is + correct. + </para> + <para> + The following values are allowed: + </para> + <para> + <emphasis>shadow</emphasis>: use the value of + ldap_user_shadow_expire to determine if the account + is expired. + </para> + <para> + Default: Empty + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_access_order (string)</term> + <listitem> + <para> + Comma separated list of access control options. + Allowed values are: + </para> + <para> + <emphasis>filter</emphasis>: use ldap_access_filter + </para> + <para> + <emphasis>expire</emphasis>: use + ldap_account_expire_policy + </para> + <para> + Default: filter + </para> + <para> + Please note that it is a configuration error if a + value is used more than once. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>ldap_deref (string)</term> <listitem> <para> |