author: Pavel Reichl <preichl@redhat.com> 2015-02-18 01:03:40 -0500
committer: Jakub Hrozek <jhrozek@redhat.com> 2015-03-03 18:51:30 +0100
commit: d3f82e944dc5dab3812700a245deec4aa3245b21
tree: 990e5b3d9bc431c6e182fec2b76d64d6484289e4 /src/man
parent: 8b353dd2b90b7ab222acdea726ab7e8681752237
SDAP: enable change phase of pw expire policy check
Implement new option which does checking password expiration policy in accounting phase. This allows SSSD to issue shadow expiration warning even if alternate authentication method is used.

Resolves: https://fedorahosted.org/sssd/ticket/2167

Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit c9b0071bfcb8eb8c71e40248de46d23aceecc0f3)
Diffstat (limited to 'src/man')
-rw-r--r-- src/man/sssd-ldap.5.xml 27
1 files changed, 27 insertions, 0 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 5b36f69a6..9fbc47487 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1959,6 +1959,33 @@ ldap_access_filter = (employeeType=admin)
ldap_account_expire_policy
</para>
<para>
+ <emphasis>pwd_expire_policy_reject,
+ pwd_expire_policy_warn,
+ pwd_expire_policy_renew:
+ </emphasis>
+ These options are useful if users are interested
+ in being warned that password is about to expire
+ and authentication is based on using a different
+ method than passwords - for example SSH keys.
+ </para>
+ <para>
+ The difference between these options is the action
+ taken if user password is expired:
+ pwd_expire_policy_reject - user is denied to log in,
+ pwd_expire_policy_warn - user is still able to log in,
+ pwd_expire_policy_renew - user is prompted to change
+ his password immediately.
+ </para>
+ <para>
+ Note If user password is expired no explicit message
+ is prompted by SSSD.
+ </para>
+ <para>
+ Please note that 'access_provider = ldap' must
+ be set for this feature to work. Also 'ldap_pwd_policy'
+ must be set to an appropriate password policy.
+ </para>
+ <para>
<emphasis>authorized_service</emphasis>: use
the authorizedService attribute to determine
access
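Review bot: In the second added <para>, the three values and their actions are run together as one comma-separated sentence ("pwd_expire_policy_reject - user is denied to log in, pwd_expire_policy_warn - ..."), so the rendered man page gives no separation between them; one list entry per value would read better and would match how authorized_service gets its own <emphasis> entry just below. The text also never says whether the three values are mutually exclusive. The line "Note If user password is expired no explicit message is prompted by SSSD" is missing punctuation after "Note" and does not say which value it applies to, which is confusing next to pwd_expire_policy_renew being described as prompting the user to change the password. Minor wording: "user is denied to log in" and "his password" could become "user is not allowed to log in" and "their password".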