author | Pavel Reichl <preichl@redhat.com> | 2015-02-18 01:03:40 -0500 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-03-03 18:47:05 +0100 |
commit | c9b0071bfcb8eb8c71e40248de46d23aceecc0f3 (patch) | |
tree | 7c9d55dba69c4b9e75bc8041d2a6e9bd75f44eaa /src/man | |
parent | cdaa29d2c5724a4c72bfa0f42284ccfac3d5a464 (diff) | |
SDAP: enable change phase of pw expire policy check
Implement new option which does checking password expiration policy
in accounting phase.
This allows SSSD to issue shadow expiration warning even if alternate
authentication method is used.
Resolves:
https://fedorahosted.org/sssd/ticket/2167
Reviewed-by: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/sssd-ldap.5.xml | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index 9f2e9ac34..dca9938b8 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -1959,6 +1959,33 @@ ldap_access_filter = (employeeType=admin) ldap_account_expire_policy </para> <para> + <emphasis>pwd_expire_policy_reject, + pwd_expire_policy_warn, + pwd_expire_policy_renew: + </emphasis> + These options are useful if users are interested + in being warned that password is about to expire + and authentication is based on using a different + method than passwords - for example SSH keys. + </para> + <para> + The difference between these options is the action + taken if user password is expired: + pwd_expire_policy_reject - user is denied to log in, + pwd_expire_policy_warn - user is still able to log in, + pwd_expire_policy_renew - user is prompted to change + his password immediately. + </para> + <para> + Note If user password is expired no explicit message + is prompted by SSSD. + </para> + <para> + Please note that 'access_provider = ldap' must + be set for this feature to work. Also 'ldap_pwd_policy' + must be set to an appropriate password policy. + </para> + <para> <emphasis>authorized_service</emphasis>: use the authorizedService attribute to determine access |
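Review bot: The third added <para> ("Note If user password is expired no explicit message is prompted by SSSD.") is missing punctuation after "Note" and does not say which of the three options it applies to. An administrator reading it cannot tell whether a user rejected under pwd_expire_policy_reject, or let in under pwd_expire_policy_warn, is told why. Suggest "Note: if the user's password has expired, SSSD does not display an explicit message" and naming the options for which that holds. The second added paragraph should also state whether the three values can be combined and what happens if more than one is set. In the last paragraph, "an appropriate password policy" should name the ldap_pwd_policy values that qualify, since the commit message mentions only the shadow expiration warning. Minor wording: "user is denied to log in" reads better as "the user is denied login", and "his password" as "their password".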