| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2534
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implement new option which does checking password expiration policy
in accounting phase.
This allows SSSD to issue shadow expiration warning even if alternate
authentication method is used.
Resolves:
https://fedorahosted.org/sssd/ticket/2167
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Be able to configure sssd to honor openldap account lock to restrict
access via ssh key. Introduce new ldap_access_order value ('lock')
for enabling/disabling this feature.
Account is considered locked if pwdAccountLockedTime attribut has value
of 000001010000Z.
------------------------------------------------------------------------
Quotation from man slapo-ppolicy:
pwdAccountLockedTime
This attribute contains the time that the user's account was locked. If
the account has been locked, the password may no longer be used to
authenticate the user to the directory. If pwdAccountLockedTime is set
to 000001010000Z, the user's account has been permanently locked and
may only be unlocked by an administrator. Note that account locking
only takes effect when the pwdLockout password policy attribute is set
to "TRUE".
------------------------------------------------------------------------
Also set default value for sdap_pwdlockout_dn to
cn=ppolicy,ou=policies,${search_base}
Resolves:
https://fedorahosted.org/sssd/ticket/2364
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2082
Also move the check for subdomain to the handler. I think it is the job
of the handler to decide which domain the request belongs to, not the
request itself.
|
|
|
|
| |
Also simplify sdap_access_send to avoid completely fake _send() routines.
|
| |
|
| |
|
|
|
|
| |
We want to consume this in the IPA provider.
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/746
|
|
|
|
|
| |
The attribute nsAccountLock is used by RHDS, IPA and other directory
servers to indicate that the account is locked.
|
|
|
|
|
|
| |
The second bit of userAccountControl is used to determine if the account
is enabled or disabled. accountExpires is checked to see if the account
is expired.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/670
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two new options are added to the LDAP access provider to allow a broader
range of access control rules to be evaluated.
'ldap_access_order' makes it possible to run more than one rule. To keep
compatibility with older versions the default is 'filter'. This patch
adds a new rule 'expire'.
'ldap_account_expire_policy' specifies which LDAP attribute should be
used to determine if an account is expired or not. Currently only
'shadow' is supported which evaluates the ldap_user_shadow_expire
attribute.
|
|
This option (applicable to access_provider=ldap) allows the admin
to set an additional LDAP search filter that must match in order
for a user to be granted access to the system.
Common examples for this would be limiting access to users by in a
particular group, for example:
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
|