From d05c149a70fedcd6bb9932b6dc1bf0bcff350006 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <preichl@redhat.com>
Date: Fri, 1 Aug 2014 17:04:55 +0100
Subject: MAN: options 'lockout' and 'ldap_pwdlockout_dn'

Resolves:
https://fedorahosted.org/sssd/ticket/2364
---
 src/man/sssd-ldap.5.xml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index c808033a1..ecbf2f54c 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1906,6 +1906,13 @@ ldap_access_filter = (employeeType=admin)
                         <para>
                             <emphasis>filter</emphasis>: use ldap_access_filter
                         </para>
+                        <para>
+                            <emphasis>lockout</emphasis>: use account locking.
+                            If set, this option denies access in case that ldap
+                            attribute 'pwdAccountLockedTime' is present and has
+                            value of '000001010000Z'. Please see the option
+                            ldap_pwdlockout_dn.
+                        </para>
                         <para>
                             <emphasis>expire</emphasis>: use
                             ldap_account_expire_policy
@@ -1929,6 +1936,26 @@ ldap_access_filter = (employeeType=admin)
                     </listitem>
                 </varlistentry>
 
+                <varlistentry>
+                    <term>ldap_pwdlockout_dn (string)</term>
+                    <listitem>
+                        <para>
+                           This option specifies the DN of password policy entry
+                           on LDAP server. Please note that absence of this
+                           option in sssd.conf in case of enabled account
+                           lockout checking will yield access denied as
+                           ppolicy attributes on LDAP server cannot be checked
+                           properly.
+                        </para>
+                        <para>
+                          Example: cn=ppolicy,ou=policies,dc=example,dc=com
+                        </para>
+                        <para>
+                          Default: cn=ppolicy,ou=policies,$ldap_search_base
+                        </para>
+                    </listitem>
+                </varlistentry>
+
                 <varlistentry>
                     <term>ldap_deref (string)</term>
                     <listitem>
-- 
cgit