From 32266b2c1c6b8bf95f3ba8fd7f3ff2ef63d8fb9a Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 22 Nov 2010 14:24:23 +0100 Subject: Add new account expired rule to LDAP access provider Two new options are added to the LDAP access provider to allow a broader range of access control rules to be evaluated. 'ldap_access_order' makes it possible to run more than one rule. To keep compatibility with older versions the default is 'filter'. This patch adds a new rule 'expire'. 'ldap_account_expire_policy' specifies which LDAP attribute should be used to determine if an account is expired or not. Currently only 'shadow' is supported which evaluates the ldap_user_shadow_expire attribute. --- src/man/sssd-ldap.5.xml | 55 ++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 54 insertions(+), 1 deletion(-) (limited to 'src/man') diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index cf6747e73..8936882c8 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -370,7 +370,8 @@ ldap_user_shadow_expire (string) - When using ldap_pwd_policy=shadow, this parameter + When using ldap_pwd_policy=shadow or + ldap_account_expire_policy=shadow, this parameter contains the name of an LDAP attribute corresponding to its 
@@ -1025,6 +1026,58 @@ ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com + + ldap_account_expire_policy (string) + + + With this option a client side evaluation of + access control attributes can be enabled. + + + Please note that it is always recommended to + use server side access control, i.e. the LDAP + server should deny the bind request with a + suitable error code even if the password is + correct. + + + The following values are allowed: + + + shadow: use the value of + ldap_user_shadow_expire to determine if the account + is expired. + + + Default: Empty + + + + + + ldap_access_order (string) + + + Comma separated list of access control options. + Allowed values are: + + + filter: use ldap_access_filter + + + expire: use + ldap_account_expire_policy + + + Default: filter + + + Please note that it is a configuration error if a + value is used more than once. + + + + ldap_deref (string) -- cgit
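Review bot: In the first hunk (`@@ -370,7 +370,8`), the reworded ldap_user_shadow_expire entry now names ldap_account_expire_policy=shadow as a second consumer of the attribute but still does not say how the attribute's value is interpreted when deciding that an account is expired, and the new option's own text only says "use the value of ldap_user_shadow_expire to determine if the account is expired". One of the two places should state what comparison is made (what value counts as expired, and what happens when the attribute is absent from the entry), otherwise an administrator cannot tell whether a missing or empty attribute grants or denies access.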
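Review bot: In the second hunk (`@@ -1025,6 +1026,58`), the ldap_access_order description does not say how several listed rules combine: whether they are evaluated in the listed order, whether every rule must grant access, and whether evaluation stops at the first denial. Since the point of the option is to run more than one rule, add a sentence such as "All listed rules must grant access; they are evaluated in the order given." (adjusted to the actual behaviour). Related: ldap_account_expire_policy has "Default: Empty", but the text does not say what the "expire" entry of ldap_access_order does when the policy is left empty, i.e. whether that is a configuration error or the rule simply grants access; the section already notes that a duplicated value is a configuration error, so stating the empty-policy case in the same style would close the gap. Finally, "Comma separated" should read "Comma-separated" for consistency with the rest of the man page's hyphenation.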