author | Pavel Reichl <preichl@redhat.com> | 2014-08-01 17:44:24 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-08-27 14:25:08 +0200 |
commit | 2a91d3dd0ce4387332db27bd1a0c0005c74f870e (patch) | |
tree | 5f76c5599628d82169d0bcffc94de259f210c279 /src/krb5_plugin | |
parent | 5668d294a39326f7024cbf24333e33ee970caf2d (diff) | |
SDAP: account lockout to restrict access via ssh key
Be able to configure sssd to honor openldap account lock to restrict
access via ssh key. Introduce new ldap_access_order value ('lock')
for enabling/disabling this feature.
Account is considered locked if pwdAccountLockedTime attribute has value
of 000001010000Z.
------------------------------------------------------------------------
Quotation from man slapo-ppolicy:
pwdAccountLockedTime
This attribute contains the time that the user's account was locked. If
the account has been locked, the password may no longer be used to
authenticate the user to the directory. If pwdAccountLockedTime is set
to 000001010000Z, the user's account has been permanently locked and
may only be unlocked by an administrator. Note that account locking
only takes effect when the pwdLockout password policy attribute is set
to "TRUE".
------------------------------------------------------------------------
Also set default value for sdap_pwdlockout_dn to
cn=ppolicy,ou=policies,${search_base}
Resolves:
https://fedorahosted.org/sssd/ticket/2364
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Diffstat (limited to 'src/krb5_plugin')
0 files changed, 0 insertions, 0 deletions