From 108a49f0e816d95cf75a1e964f63b397e53c8b56 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <preichl@redhat.com>
Date: Wed, 25 Mar 2015 05:03:12 -0400
Subject: LDAP: warn about lockout option being deprecated

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/man/sssd-ldap.5.xml          | 7 +++++++
 src/providers/ldap/sdap_access.c | 9 ++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 9756a554..1b7a2609 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1962,6 +1962,13 @@ ldap_access_filter = (employeeType=admin)
                             Please note that 'access_provider = ldap' must
                             be set for this feature to work.
                         </para>
+                        <para>
+                            <emphasis>
+                            Please note that this option is superseded by
+                            the <quote>ppolicy</quote> option and might be
+                            removed in a future release.
+                            </emphasis>
+                        </para>
                         <para>
                             <emphasis>ppolicy</emphasis>: use account locking.
                             If set, this option denies access in case that ldap
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 474cbb7e..3ef45b71 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -212,7 +212,13 @@ static errno_t sdap_access_check_next_rule(struct sdap_access_req_ctx *state,
             /* we are done with no errors */
             return EOK;
 
+        /* This option is deprecated by LDAP_ACCESS_PPOLICY */
         case LDAP_ACCESS_LOCKOUT:
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "WARNING: %s option is deprecated and might be removed in "
+                  "a future release. Please migrate to %s option instead.\n",
+                  LDAP_ACCESS_LOCK_NAME, LDAP_ACCESS_PPOLICY_NAME);
+
             subreq = sdap_access_ppolicy_send(state, state->ev, state->be_ctx,
                                               state->domain,
                                               state->access_ctx,
@@ -221,7 +227,8 @@ static errno_t sdap_access_check_next_rule(struct sdap_access_req_ctx *state,
                                               state->user_entry,
                                               PWP_LOCKOUT_ONLY);
             if (subreq == NULL) {
-                DEBUG(SSSDBG_CRIT_FAILURE, "sdap_access_ppolicy_send failed.\n");
+                DEBUG(SSSDBG_CRIT_FAILURE,
+                      "sdap_access_ppolicy_send failed.\n");
                 return ENOMEM;
             }
 
-- 
cgit