authorSumit Bose <sbose@redhat.com>2010-11-22 14:24:23 +0100
committerStephen Gallagher <sgallagh@redhat.com>2010-12-06 09:30:13 -0500
commit32266b2c1c6b8bf95f3ba8fd7f3ff2ef63d8fb9a (patch)
tree726ed591038967e12d559ccebd6eece6cd2520cb /src/providers/ldap/sdap_access.h
parent39875788b552ed157e68156e64e95dda5dc6aa43 (diff)
Add new account expired rule to LDAP access provider
Two new options are added to the LDAP access provider to allow a broader range of access control rules to be evaluated. 'ldap_access_order' makes it possible to run more than one rule; to keep compatibility with older versions the default is 'filter'. This patch adds a new rule, 'expire'. 'ldap_account_expire_policy' specifies which LDAP attribute should be used to determine whether an account is expired. Currently only 'shadow' is supported, which evaluates the ldap_user_shadow_expire attribute.
Diffstat (limited to 'src/providers/ldap/sdap_access.h')
-rw-r--r--src/providers/ldap/sdap_access.h15
1 files changed, 14 insertions, 1 deletions
diff --git a/src/providers/ldap/sdap_access.h b/src/providers/ldap/sdap_access.h
index 5dbe86461..9b8e45bdd 100644
--- a/src/providers/ldap/sdap_access.h
+++ b/src/providers/ldap/sdap_access.h
@@ -27,11 +27,24 @@
#include "providers/dp_backend.h"
-#define SYSDB_LDAP_ACCESS "ldap_access_allow"
+#define SYSDB_LDAP_ACCESS_FILTER "ldap_access_filter_allow"
+
+#define LDAP_ACCESS_FILTER_NAME "filter"
+#define LDAP_ACCESS_EXPIRE_NAME "expire"
+
+#define LDAP_ACCOUNT_EXPIRE_SHADOW "shadow"
+
+enum ldap_access_rule {
+ LDAP_ACCESS_EMPTY = -1,
+ LDAP_ACCESS_FILTER = 0,
+ LDAP_ACCESS_EXPIRE,
+ LDAP_ACCESS_LAST
+};
struct sdap_access_ctx {
struct sdap_id_ctx *id_ctx;
const char *filter;
+ int access_rule[LDAP_ACCESS_LAST + 1];
};
void ldap_pam_access_handler(struct be_req *breq);
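Review bot: The new `access_rule` array on the last added line is sized `LDAP_ACCESS_LAST + 1` with no comment saying what the extra slot holds or how the list terminates, and a caller iterating it needs that contract before a missing terminator becomes an out-of-bounds read in the evaluator. `LDAP_ACCESS_EMPTY = -1` in the enum presumably marks unused or terminating slots; I would state that next to the field, `/* Rules from ldap_access_order, evaluated in array order; unused slots hold LDAP_ACCESS_EMPTY (the +1 guarantees a terminator). */`, and declare it `enum ldap_access_rule access_rule[LDAP_ACCESS_LAST + 1];` so the element type is self-describing. Because this list is the access-control decision, the header is also the place to say whether every listed rule must grant access (deny on the first failing rule) rather than any one sufficing; the evaluator is not in this hunk, so I cannot confirm which it is. Separately, renaming the sysdb attribute from `ldap_access_allow` to `ldap_access_filter_allow` means a cached result written under the old name by a pre-upgrade sssd will no longer be found; if that attribute backs offline access decisions, it is worth noting in the commit message or a comment that offline users need one successful online evaluation after upgrading.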