Age | Commit message | Author | Files | Lines |
|
Instead of issuing N LDAP requests when processing a group with N users,
utilize the dereference functionality to pull down all the members in a
single LDAP request.
https://fedorahosted.org/sssd/ticket/799
|
https://fedorahosted.org/sssd/ticket/647
|
https://fedorahosted.org/sssd/ticket/746
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
The attribute nsAccountLock is used by RHDS, IPA and other directory
servers to indicate that the account is locked.
|
The second bit of userAccountControl is used to determine if the account
is enabled or disabled. accountExpires is checked to see if the account
is expired.
|
https://fedorahosted.org/sssd/ticket/670
|
Two new options are added to the LDAP access provider to allow a broader
range of access control rules to be evaluated.
'ldap_access_order' makes it possible to run more than one rule. To keep
compatibility with older versions the default is 'filter'. This patch
adds a new rule 'expire'.
'ldap_account_expire_policy' specifies which LDAP attribute should be
used to determine if an account is expired or not. Currently only
'shadow' is supported which evaluates the ldap_user_shadow_expire
attribute.
|
https://fedorahosted.org/sssd/ticket/691
|
Currently sssd does not support authentication via GSSAPI. I think it
is not necessary to support it, because if GSSAPI is possible Kerberos
should be used for authentication.
|
Also allow it to be disabled entirely
|
The <entity> can be one of user, group or netgroup. The references were removed
from example configuration and they were moved from section Configuration options
to section Advanced options.
Ticket: #607
|
Each back end can support id, auth or access provider, but each
back end supports a different subset of these. Man pages should
describe which providers are supported by each back end.
Ticket: #615
|
When an obfuscated password is used in the config file, the LDAP backend
converts it back to clear text and uses it to authenticate to the
server.
|
Some config options updated, newly documented 12 new options.
|
https://fedorahosted.org/sssd/ticket/542
|
This option (applicable to access_provider=ldap) allows the admin
to set an additional LDAP search filter that must match in order
for a user to be granted access to the system.
Common examples for this would be limiting access to users in a
particular group, for example:
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
|
Integrate the failover improvements with our back ends. The DNS domain
used in the SRV query is always the SSSD domain name.
Please note that this patch changes the default value of ldap_uri from
"ldap://localhost" to "NULL" in order to use service discovery with no
server set.
|
Also update BUILD.txt
|