author Pavel Reichl <preichl@redhat.com> 2015-02-18 01:03:40 -0500
committer Jakub Hrozek <jhrozek@redhat.com> 2015-03-03 18:47:05 +0100
commit c9b0071bfcb8eb8c71e40248de46d23aceecc0f3
tree 7c9d55dba69c4b9e75bc8041d2a6e9bd75f44eaa /src/man
parent cdaa29d2c5724a4c72bfa0f42284ccfac3d5a464
SDAP: enable change phase of pw expire policy check

Implement new option which does checking password expiration policy in accounting phase. This allows SSSD to issue shadow expiration warning even if alternate authentication method is used.

Resolves: https://fedorahosted.org/sssd/ticket/2167
Reviewed-by: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'src/man')
-rw-r--r-- src/man/sssd-ldap.5.xml 27
1 files changed, 27 insertions, 0 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 9f2e9ac34..dca9938b8 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1959,6 +1959,33 @@ ldap_access_filter = (employeeType=admin)
ldap_account_expire_policy
</para>
<para>
+ <emphasis>pwd_expire_policy_reject,
+ pwd_expire_policy_warn,
+ pwd_expire_policy_renew:
+ </emphasis>
+ These options are useful if users are interested
+ in being warned that password is about to expire
+ and authentication is based on using a different
+ method than passwords - for example SSH keys.
+ </para>
+ <para>
+ The difference between these options is the action
+ taken if user password is expired:
+ pwd_expire_policy_reject - user is denied to log in,
+ pwd_expire_policy_warn - user is still able to log in,
+ pwd_expire_policy_renew - user is prompted to change
+ his password immediately.
+ </para>
+ <para>
+ Note If user password is expired no explicit message
+ is prompted by SSSD.
+ </para>
+ <para>
+ Please note that 'access_provider = ldap' must
+ be set for this feature to work. Also 'ldap_pwd_policy'
+ must be set to an appropriate password policy.
+ </para>
+ <para>
<emphasis>authorized_service</emphasis>: use
the authorizedService attribute to determine
access
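Review bot: The added paragraph "Note If user password is expired no explicit message is prompted by SSSD." does not say which of the three options it covers, and read literally it conflicts with the paragraph just above it, where pwd_expire_policy_renew means the user "is prompted to change his password immediately". Please scope the note to the option(s) it applies to and punctuate it ("Note: if the user's password is expired, ..."). In the same hunk, the pwd_expire_policy_warn line should state plainly that an account with an expired password is still admitted through the alternate method (the SSH key case named in the first paragraph), since that is the trade-off an administrator is choosing between warn and reject. Smaller points: "user is denied to log in" reads better as "the user is denied login", "his password" as "their password", the three values would be easier to scan as a list than as a comma-separated sentence, and "'ldap_pwd_policy' must be set to an appropriate password policy" should name the values that are appropriate instead of leaving the reader to guess.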