author | Sumit Bose <sbose@redhat.com> | 2010-11-22 14:24:23 +0100 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-12-06 09:30:13 -0500 |
commit | 32266b2c1c6b8bf95f3ba8fd7f3ff2ef63d8fb9a (patch) | |
tree | 726ed591038967e12d559ccebd6eece6cd2520cb /src/providers/ldap/sdap_access.h | |
parent | 39875788b552ed157e68156e64e95dda5dc6aa43 (diff) | |
Add new account expired rule to LDAP access provider
Two new options are added to the LDAP access provider to allow a broader
range of access control rules to be evaluated.
'ldap_access_order' makes it possible to run more than one rule. To keep
compatibility with older versions the default is 'filter'. This patch
adds a new rule 'expire'.
'ldap_account_expire_policy' specifies which LDAP attribute should be
used to determine if an account is expired or not. Currently only
'shadow' is supported which evaluates the ldap_user_shadow_expire
attribute.
Diffstat (limited to 'src/providers/ldap/sdap_access.h')
-rw-r--r-- | src/providers/ldap/sdap_access.h | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/src/providers/ldap/sdap_access.h b/src/providers/ldap/sdap_access.h
index 5dbe8646..9b8e45bd 100644
--- a/src/providers/ldap/sdap_access.h
+++ b/src/providers/ldap/sdap_access.h
@@ -27,11 +27,24 @@
 #include "providers/dp_backend.h"
-#define SYSDB_LDAP_ACCESS "ldap_access_allow"
+#define SYSDB_LDAP_ACCESS_FILTER "ldap_access_filter_allow"
+
+#define LDAP_ACCESS_FILTER_NAME "filter"
+#define LDAP_ACCESS_EXPIRE_NAME "expire"
+
+#define LDAP_ACCOUNT_EXPIRE_SHADOW "shadow"
+
+enum ldap_access_rule {
+ LDAP_ACCESS_EMPTY = -1,
+ LDAP_ACCESS_FILTER = 0,
+ LDAP_ACCESS_EXPIRE,
+ LDAP_ACCESS_LAST
+};
 struct sdap_access_ctx {
 struct sdap_id_ctx *id_ctx;
 const char *filter;
+ int access_rule[LDAP_ACCESS_LAST + 1];
 };
 void ldap_pam_access_handler(struct be_req *breq); |
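Review bot: `access_rule` in `struct sdap_access_ctx` is added without a comment on its invariant, and because `LDAP_ACCESS_FILTER` is 0 while the end marker `LDAP_ACCESS_EMPTY` is -1, a zero-initialised context reads as three `filter` entries with no terminator. The `LDAP_ACCESS_LAST + 1` size leaves room for each rule once plus the marker, so the code that parses `ldap_access_order` (not part of this file's diff) presumably has to reject duplicate rule names and stop after `LDAP_ACCESS_LAST` entries; I would state that next to the field, e.g. `/* at most LDAP_ACCESS_LAST distinct rules, terminated by LDAP_ACCESS_EMPTY; fill with LDAP_ACCESS_EMPTY before parsing */`. Since this list decides whether a login is allowed, the loop that evaluates it should also be bounded by `LDAP_ACCESS_LAST` rather than by the marker alone. Separately, renaming the cache attribute from `ldap_access_allow` to `ldap_access_filter_allow` means values cached by older versions will no longer be found under the new name, which deserves a line in the commit message if offline access decisions rely on the cached value.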