Add new account expired rule to LDAP access provider

Two new options are added to the LDAP access provider to allow a broader
range of access control rules to be evaluated.

'ldap_access_order' makes it possible to run more than one rule. To keep
compatibility with older versions the default is 'filter'. This patch
adds a new rule 'expire'.

'ldap_account_expire_policy' specifies which LDAP attribute should be
used to determine if an account is expired or not. Currently only
'shadow' is supported which evaluates the ldap_user_shadow_expire
attribute.

2 files changed, 4 insertions, 0 deletions

diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index edfc823ea..e48e83ab9 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -160,6 +160,8 @@ option_strings = {
 
     # [provider/ldap/access]
     'ldap_access_filter' : _('LDAP filter to determine access privileges'),
+    'ldap_account_expire_policy' : _('Which attributes shall be used to evaluate if an account is expired'),
+    'ldap_access_order' : _('Which rules should be used to evaluate access control'),
 
     # [provider/simple/access]
     'simple_allow_users' : _('Comma separated list of allowed users'),
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 404f4d593..b7d2f9b2b 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -80,6 +80,8 @@ ldap_pwd_policy = str, None, false
 
 [provider/ldap/access]
 ldap_access_filter = str, None, false
+ldap_account_expire_policy = str, None, false
+ldap_access_order = str, None, false
 
 [provider/ldap/chpass]