authorSumit Bose <sbose@redhat.com>2010-12-21 13:30:33 +0100
committerStephen Gallagher <sgallagh@redhat.com>2011-01-19 09:53:20 -0500
commit22f4c1b86dcf5589e63f2ae043dc65a8f72f6f18 (patch)
treefb69e82eea580199f7919ecf02a83b3339b8dbcc /src/man
parent5352c9b3609bca63814f9f6f03dbbbadf6c6333a (diff)
Add LDAP expire policy based on AD attributes
The second bit of userAccountControl is used to determine if the account is enabled or disabled. accountExpires is checked to see if the account is expired.
Diffstat (limited to 'src/man')
-rw-r--r--src/man/sssd-ldap.5.xml35
1 files changed, 35 insertions, 0 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 175ec3568..65c679d61 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -436,6 +436,34 @@
</varlistentry>
<varlistentry>
+ <term>ldap_user_ad_account_expires (string)</term>
+ <listitem>
+ <para>
+ When using ldap_account_expire_policy=ad, this
+ parameter contains the name of an LDAP attribute
+ storing the expiration time of the account.
+ </para>
+ <para>
+ Default: accountExpires
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_user_ad_user_account_control (string)</term>
+ <listitem>
+ <para>
+ When using ldap_account_expire_policy=ad, this
+ parameter contains the name of an LDAP attribute
+ storing the user account control bit field.
+ </para>
+ <para>
+ Default: userAccountControl
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_user_principal (string)</term>
<listitem>
<para>
@@ -1128,6 +1156,13 @@ ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
is expired.
</para>
<para>
+ <emphasis>ad</emphasis>: use the value of the 32bit
+ field ldap_user_ad_user_account_control and allow
+ access if the second bit is not set. If the
+ attribute is missing access is granted. Also the
+ expiration time of the account is checked.
+ </para>
+ <para>
Default: Empty
</para>
</listitem>