author Pavel Reichl <preichl@redhat.com> 2015-02-18 01:03:40 -0500
committer Jakub Hrozek <jhrozek@redhat.com> 2015-03-04 11:06:42 +0100
commit 7b6bd420977df4de406387b7541fda367b502cf2
tree ab991024e4d3cffeda4d18acc1ecd575d907c224 /src/man
parent c3ee0dec4b6e54138225af722293b90cb900d41c
SDAP: enable change phase of pw expire policy check
Implement new option which does checking password expiration policy in accounting phase. This allows SSSD to issue shadow expiration warning even if alternate authentication method is used.

Resolves: https://fedorahosted.org/sssd/ticket/2167

Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit c9b0071bfcb8eb8c71e40248de46d23aceecc0f3)
(cherry picked from commit d3f82e944dc5dab3812700a245deec4aa3245b21)
Diffstat (limited to 'src/man')
-rw-r--r-- src/man/sssd-ldap.5.xml 27
1 files changed, 27 insertions, 0 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 5b36f69a6..9fbc47487 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1959,6 +1959,33 @@ ldap_access_filter = (employeeType=admin)
ldap_account_expire_policy
</para>
<para>
+ <emphasis>pwd_expire_policy_reject,
+ pwd_expire_policy_warn,
+ pwd_expire_policy_renew:
+ </emphasis>
+ These options are useful if users are interested
+ in being warned that password is about to expire
+ and authentication is based on using a different
+ method than passwords - for example SSH keys.
+ </para>
+ <para>
+ The difference between these options is the action
+ taken if user password is expired:
+ pwd_expire_policy_reject - user is denied to log in,
+ pwd_expire_policy_warn - user is still able to log in,
+ pwd_expire_policy_renew - user is prompted to change
+ his password immediately.
+ </para>
+ <para>
+ Note If user password is expired no explicit message
+ is prompted by SSSD.
+ </para>
+ <para>
+ Please note that 'access_provider = ldap' must
+ be set for this feature to work. Also 'ldap_pwd_policy'
+ must be set to an appropriate password policy.
+ </para>
+ <para>
<emphasis>authorized_service</emphasis>: use
the authorizedService attribute to determine
access
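Review bot: In the second added <para>, the three options are run together in one sentence, and the access decision each one makes is easy to misread. "pwd_expire_policy_warn - user is still able to log in" means an account with an expired password is admitted. That should be stated explicitly, because the use case given in the first paragraph is logins with SSH keys, where the password is never checked at authentication time. Suggest a list with one entry per option, plus a sentence saying that pwd_expire_policy_reject is the one to choose when an expired password must block access. The sentence "Note If user password is expired no explicit message is prompted by SSSD." is missing a colon after "Note" and does not say which of the three options it applies to. In the last added paragraph, "must be set to an appropriate password policy" would help the reader more if it named the accepted ldap_pwd_policy values or pointed to that option's entry.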