author | Pavel Reichl <preichl@redhat.com> | 2014-08-01 17:44:24 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-08-27 14:25:08 +0200 |
commit | 2a91d3dd0ce4387332db27bd1a0c0005c74f870e (patch) | |
tree | 5f76c5599628d82169d0bcffc94de259f210c279 /src/providers/ldap/sdap_access.h | |
parent | 5668d294a39326f7024cbf24333e33ee970caf2d (diff) | |
SDAP: account lockout to restrict access via ssh key
Be able to configure sssd to honor openldap account lock to restrict
access via ssh key. Introduce new ldap_access_order value ('lock')
for enabling/disabling this feature.
An account is considered locked if the pwdAccountLockedTime attribute has the value
of 000001010000Z.
------------------------------------------------------------------------
Quotation from man slapo-ppolicy:
pwdAccountLockedTime
This attribute contains the time that the user's account was locked. If
the account has been locked, the password may no longer be used to
authenticate the user to the directory. If pwdAccountLockedTime is set
to 000001010000Z, the user's account has been permanently locked and
may only be unlocked by an administrator. Note that account locking
only takes effect when the pwdLockout password policy attribute is set
to "TRUE".
------------------------------------------------------------------------
Also set default value for sdap_pwdlockout_dn to
cn=ppolicy,ou=policies,${search_base}
Resolves:
https://fedorahosted.org/sssd/ticket/2364
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Diffstat (limited to 'src/providers/ldap/sdap_access.h')
-rw-r--r-- | src/providers/ldap/sdap_access.h | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/providers/ldap/sdap_access.h b/src/providers/ldap/sdap_access.h index 30097e21f..f085e6199 100644 --- a/src/providers/ldap/sdap_access.h +++ b/src/providers/ldap/sdap_access.h @@ -28,12 +28,20 @@ #include "providers/dp_backend.h" #include "providers/ldap/ldap_common.h" +/* Attributes in sysdb, used for caching last values of lockout or filter + * access control checks. + */ #define SYSDB_LDAP_ACCESS_FILTER "ldap_access_filter_allow" +#define SYSDB_LDAP_ACCESS_CACHED_LOCKOUT "ldap_access_lockout_allow" +/* names of ppolicy attributes */ +#define SYSDB_LDAP_ACCESS_LOCKED_TIME "pwdAccountLockedTime" +#define SYSDB_LDAP_ACCESS_LOCKOUT "pwdLockout" #define LDAP_ACCESS_FILTER_NAME "filter" #define LDAP_ACCESS_EXPIRE_NAME "expire" #define LDAP_ACCESS_SERVICE_NAME "authorized_service" #define LDAP_ACCESS_HOST_NAME "host" +#define LDAP_ACCESS_LOCK_NAME "lockout" #define LDAP_ACCOUNT_EXPIRE_SHADOW "shadow" #define LDAP_ACCOUNT_EXPIRE_AD "ad" @@ -48,6 +56,7 @@ enum ldap_access_rule { LDAP_ACCESS_EXPIRE, LDAP_ACCESS_SERVICE, LDAP_ACCESS_HOST, + LDAP_ACCESS_LOCKOUT, LDAP_ACCESS_LAST }; |
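Review bot: the new ldap_access_order keyword is defined as LDAP_ACCESS_LOCK_NAME "lockout", but the commit message documents the value as 'lock'; one of the two should be corrected so the parser and the documentation agree (the existing pairs such as LDAP_ACCESS_FILTER_NAME "filter" and LDAP_ACCESS_HOST_NAME "host" each match their description). Separately, SYSDB_LDAP_ACCESS_LOCKED_TIME and SYSDB_LDAP_ACCESS_LOCKOUT carry the SYSDB_ prefix used for cache attributes, yet the comment above them says they are the names of the server-side ppolicy attributes pwdAccountLockedTime and pwdLockout; a distinct prefix would keep the cached attribute SYSDB_LDAP_ACCESS_CACHED_LOCKOUT from being confused with the LDAP attribute it is derived from.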
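Review bot: LDAP_ACCESS_LOCKOUT is inserted into enum ldap_access_rule directly before LDAP_ACCESS_LAST, so any array sized by LDAP_ACCESS_LAST or any switch over the rule values must gain an entry for the new rule, otherwise a lookup for the lockout rule falls through or indexes past the table; this view is limited to sdap_access.h, so that companion change should be confirmed in the sdap_access.c hunk of the same commit. Appending the value before LDAP_ACCESS_LAST rather than in the middle keeps the existing rule indices stable, which is the right choice.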