From 32266b2c1c6b8bf95f3ba8fd7f3ff2ef63d8fb9a Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 22 Nov 2010 14:24:23 +0100
Subject: Add new account expired rule to LDAP access provider

Two new options are added to the LDAP access provider to allow a broader range of access control rules to be evaluated. 'ldap_access_order' makes it possible to run more than one rule. To keep compatibility with older versions the default is 'filter'. This patch adds a new rule 'expire'. 'ldap_account_expire_policy' specifies which LDAP attribute should be used to determine if an account is expired or not. Currently only 'shadow' is supported which evaluates the ldap_user_shadow_expire attribute.
---
 src/providers/ipa/ipa_common.c | 4 +++-
 src/providers/ipa/ipa_common.h | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
(limited to 'src/providers/ipa')
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 786be8339..320587723 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -77,7 +77,9 @@ struct dp_option ipa_def_ldap_opts[] = {
 { "ldap_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "ldap_netgroup_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "ldap_group_nesting_level", DP_OPT_NUMBER, { .number = 2 }, NULL_NUMBER },
- { "ldap_deref", DP_OPT_STRING, NULL_STRING, NULL_STRING }
+ { "ldap_deref", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_account_expire_policy", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_access_order", DP_OPT_STRING, NULL_STRING, NULL_STRING }
 };
 
 struct sdap_attr_map ipa_attr_map[] = {
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index f0d4ad8c9..0082b0659 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
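Review bot: `ldap_access_order` is added to `ipa_def_ldap_opts` in ipa_common.c with a `NULL_STRING` default, while the commit message says the default is 'filter' to keep compatibility. If the LDAP access code can ever be driven from the IPA option table (not visible in this hunk), an unset order on an access-control option should either fall back to 'filter' or deny, not depend on how a NULL string happens to be parsed. If the NULL is intentional because IPA does not evaluate the LDAP access rules, say so next to the entry, e.g. `/* not evaluated by the IPA provider; kept only so the table matches the ldap option list */`. The array initializer starts before this hunk, so the other entries were not checked.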
@@ -35,7 +35,7 @@ struct ipa_service {
 /* the following defines are used to keep track of the options in the ldap
 * module, so that if they change and ipa is not updated correspondingly
 * this will trigger a runtime abort error */
-#define IPA_OPTS_BASIC_TEST 39
+#define IPA_OPTS_BASIC_TEST 41
 
 /* the following define is used to keep track of the options in the krb5
 * module, so that if they change and ipa is not updated correspondingly
-- cgit
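Review bot: `IPA_OPTS_BASIC_TEST` in ipa_common.h is a hand-maintained count, so the guard described in the comment can only notice that the number of entries differs. It cannot notice that the two entries added to `ipa_def_ldap_opts` sit at the wrong index or carry a misspelled name. Because one of them selects which access-control rules run, a misplaced entry would presumably be read as a different option without triggering the abort. I would extend the comment to say so, e.g. `* NOTE: only the entry count is checked; order and names must match the ldap option list by hand */`. Also consider having the runtime check (outside this diff) compare option names as well as the count.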