From bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11 Mon Sep 17 00:00:00 2001
From: Jan Zeleny <jzeleny@redhat.com>
Date: Tue, 1 May 2012 03:36:37 -0400
Subject: Modify behavior of pam_pwd_expiration_warning

New option pwd_expiration_warning is introduced which can be set per
domain and can override the value specified by the original
pam_pwd_expiration_warning.

If the value of expiration warning is set to zero, the filter isn't
apllied at all - if backend server returns the warning, it will be
automatically displayed.

Default value for Kerberos: 7 days
Default value for LDAP: don't apply the filter

Technical note: default value when creating the domain is -1. This is
important so we can distinguish between "no value set" and 0. Without
this possibility it would be impossible to set different values for LDAP
and Kerberos provider.
---
 src/config/etc/sssd.api.conf | 1 +
 1 file changed, 1 insertion(+)

(limited to 'src/config')

diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index a7bece99..a5fdbffb 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -89,6 +89,7 @@ use_fully_qualified_names = bool, None, false
 entry_cache_timeout = int, None, false
 lookup_family_order = str, None, false
 account_cache_expiration = int, None, false
+pwd_expiration_warning = int, None, false
 filter_users = list, str, false
 filter_groups = list, str, false
 dns_resolver_timeout = int, None, false
-- 
cgit