Age | Commit message (Collapse) | Author | Files | Lines |
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
The attribute nsAccountLock is used by RHDS, IPA and other directory
servers to indicate that the account is locked.
|
|
The second bit of userAccountControl is used to determine if the account
is enabled or disabled. accountExpires is checked to see if the account
is expired.
|
|
|
|
https://fedorahosted.org/sssd/ticket/670
|
|
Over the time a couple of new config options didn't made it into the
config API files. This patch updates the files and removes some
duplications.
|
|
Otherwise fallback to the default modifyTimestamp indicator
|
|
|
|
Two new options are added to the LDAP access provider to allow a broader
range of access control rules to be evaluated.
'ldap_access_order' makes it possible to run more than one rule. To keep
compatibility with older versions the default is 'filter'. This patch
adds a new rule 'expire'.
'ldap_account_expire_policy' specifies which LDAP attribute should be
used to determine if an account is expired or not. Currently only
'shadow' is supported which evaluates the ldap_user_shadow_expire
attribute.
|
|
|
|
|
|
For the time being, if krb5_server is not found, still falls back to
krb5_kdcip with a warning. If both options are present in config file,
krb5_server has a higher priority.
Fixes: #543
|
|
|
|
|
|
This option (applicable to access_provider=ldap) allows the admin
to set an additional LDAP search filter that must match in order
for a user to be granted access to the system.
Common examples for this would be limiting access to users by in a
particular group, for example:
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
|
|
* add forgotten ldap_dns_service option
* sync IPA and LDAP options (ldap_pwd_policy and ldap_tls_cacertdir)
* ldap_uri is no longer mandatory for LDAP provider - the default is to
use service discovery with no address set now. Ditto for krb5_kdcip
and ipa_server
|
|
|
|
Also update BUILD.txt
|