From 22f4c1b86dcf5589e63f2ae043dc65a8f72f6f18 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 21 Dec 2010 13:30:33 +0100
Subject: Add LDAP expire policy based on AD attributes

The second bit of userAccountControl is used to determine if the account is enabled or disabled. accountExpires is checked to see if the account is expired.

---
 src/man/sssd-ldap.5.xml | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
(limited to 'src/man/sssd-ldap.5.xml')

diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 175ec356..65c679d6 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -435,6 +435,34 @@
+
+ ldap_user_ad_account_expires (string)
+
+
+ When using ldap_account_expire_policy=ad, this
+ parameter contains the name of an LDAP attribute
+ storing the expiration time of the account.
+
+
+ Default: accountExpires
+
+
+
+
+
+ ldap_user_ad_user_account_control (string)
+
+
+ When using ldap_account_expire_policy=ad, this
+ parameter contains the name of an LDAP attribute
+ storing the user account control bit field.
+
+
+ Default: userAccountControl
+
+
+
+
 ldap_user_principal (string)
@@ -1127,6 +1155,13 @@ ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
 ldap_user_shadow_expire to determine if the account is expired.
+
+ ad: use the value of the 32bit
+ field ldap_user_ad_user_account_control and allow
+ access if the second bit is not set. If the
+ attribute is missing access is granted. Also the
+ expiration time of the account is checked.
+
 Default: Empty
-- cgit