History log of /sssd-io/src/providers/ldap/sdap_access.h
Revision Date Author Comments
f34a8330c1615511795847b0a1454249d782db2a 19-Oct-2017 Alexey Kamenskiy <alexey.kamenskiy@chinanetcloud.com>

LDAP: Add support for rhost access control

This patch implements verification of pam_rhost against rules stored in LDAP entry of a user.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

dea636af4d1902a081ee891f1b19ee2f8729d759 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

DP: Switch to new interface

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

/sssd-io/Makefile.am /sssd-io/src/providers/ad/ad_access.c /sssd-io/src/providers/ad/ad_access.h /sssd-io/src/providers/ad/ad_autofs.c /sssd-io/src/providers/ad/ad_common.h /sssd-io/src/providers/ad/ad_id.c /sssd-io/src/providers/ad/ad_id.h /sssd-io/src/providers/ad/ad_init.c /sssd-io/src/providers/ad/ad_subdomains.c /sssd-io/src/providers/ad/ad_subdomains.h /sssd-io/src/providers/ad/ad_sudo.c /sssd-io/src/providers/backend.h /sssd-io/src/providers/data_provider/dp_custom_data.h /sssd-io/src/providers/data_provider/dp_iface.c /sssd-io/src/providers/data_provider/dp_iface.h /sssd-io/src/providers/data_provider/dp_target_auth.c /sssd-io/src/providers/data_provider/dp_target_autofs.c /sssd-io/src/providers/data_provider/dp_target_hostid.c /sssd-io/src/providers/data_provider/dp_target_id.c /sssd-io/src/providers/data_provider/dp_target_subdomains.c /sssd-io/src/providers/data_provider/dp_target_sudo.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/data_provider_req.c /sssd-io/src/providers/data_provider_req.h /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_access.h /sssd-io/src/providers/ipa/ipa_auth.c /sssd-io/src/providers/ipa/ipa_auth.h /sssd-io/src/providers/ipa/ipa_autofs.c /sssd-io/src/providers/ipa/ipa_common.h /sssd-io/src/providers/ipa/ipa_hbac_common.c /sssd-io/src/providers/ipa/ipa_hostid.c /sssd-io/src/providers/ipa/ipa_hostid.h /sssd-io/src/providers/ipa/ipa_id.c /sssd-io/src/providers/ipa/ipa_id.h /sssd-io/src/providers/ipa/ipa_init.c /sssd-io/src/providers/ipa/ipa_selinux.c /sssd-io/src/providers/ipa/ipa_selinux.h /sssd-io/src/providers/ipa/ipa_subdomains.c /sssd-io/src/providers/ipa/ipa_subdomains.h /sssd-io/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd-io/src/providers/ipa/ipa_subdomains_id.c /sssd-io/src/providers/ipa/ipa_subdomains_server.c /sssd-io/src/providers/ipa/ipa_sudo.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_auth.h /sssd-io/src/providers/krb5/krb5_common.h 
/sssd-io/src/providers/krb5/krb5_init.c ldap_access.c ldap_auth.c ldap_common.c ldap_common.h ldap_id.c ldap_init.c sdap_access.h sdap_autofs.c sdap_autofs.h sdap_idmap.c sdap_online_check.c sdap_sudo.c sdap_sudo.h /sssd-io/src/providers/proxy/proxy.h /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_client.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_init.c /sssd-io/src/providers/simple/simple_access.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/responder/autofs/autofssrv_dp.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/ssh/sshsrv_dp.c /sssd-io/src/responder/sudo/sudosrv_dp.c /sssd-io/src/tests/cmocka/test_nested_groups.c /sssd-io/src/tests/simple_access-tests.c
cc2d77d5218c188119fa954c856e858cbde76947 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

Rename dp_backend.h to backend.h

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

/sssd-io/Makefile.am /sssd-io/src/p11_child/p11_child_nss.c /sssd-io/src/providers/ad/ad_access.c /sssd-io/src/providers/ad/ad_gpo.c /sssd-io/src/providers/ad/ad_gpo_child.c /sssd-io/src/providers/ad/ad_srv.c /sssd-io/src/providers/ad/ad_subdomains.h /sssd-io/src/providers/backend.h /sssd-io/src/providers/be_dyndns.c /sssd-io/src/providers/be_ptask.c /sssd-io/src/providers/be_refresh.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/data_provider_callbacks.c /sssd-io/src/providers/data_provider_fo.c /sssd-io/src/providers/ipa/ipa_auth.h /sssd-io/src/providers/ipa/ipa_dyndns.h /sssd-io/src/providers/ipa/ipa_subdomains.h /sssd-io/src/providers/ipa/selinux_child.c /sssd-io/src/providers/krb5/krb5_auth.h /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_common.c /sssd-io/src/providers/krb5/krb5_common.h ldap_access.c ldap_child.c ldap_common.h sdap.h sdap_access.c sdap_access.h sdap_async.h sdap_async_sudo.c sdap_autofs.c sdap_dyndns.c sdap_dyndns.h sdap_sudo.c sdap_sudo.h sdap_sudo_shared.h /sssd-io/src/providers/proxy/proxy.h /sssd-io/src/providers/proxy/proxy_child.c /sssd-io/src/providers/simple/simple_access.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/tests/cmocka/test_be_ptask.c /sssd-io/src/tests/cmocka/test_data_provider_be.c
13ec767e6ca3e435e119f1f07bda10eb213383f6 05-Mar-2015 Pavel Reichl <preichl@redhat.com>

SDAP: Lock out ssh keys when account naturally expires

Resolves: https://fedorahosted.org/sssd/ticket/2534

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

c9b0071bfcb8eb8c71e40248de46d23aceecc0f3 03-Mar-2015 Pavel Reichl <preichl@redhat.com>

SDAP: enable change phase of pw expire policy check

Implement new option which does checking password expiration policy in accounting phase. This allows SSSD to issue shadow expiration warning even if alternate authentication method is used.

Resolves: https://fedorahosted.org/sssd/ticket/2167

Reviewed-by: Sumit Bose <sbose@redhat.com>

2a91d3dd0ce4387332db27bd1a0c0005c74f870e 27-Aug-2014 Pavel Reichl <preichl@redhat.com>

SDAP: account lockout to restrict access via ssh key

Be able to configure sssd to honor openldap account lock to restrict access via ssh key. Introduce new ldap_access_order value ('lock') for enabling/disabling this feature.

Account is considered locked if pwdAccountLockedTime attribute has value of 000001010000Z.

------------------------------------------------------------------------
Quotation from man slapo-ppolicy:

pwdAccountLockedTime
This attribute contains the time that the user's account was locked. If the account has been locked, the password may no longer be used to authenticate the user to the directory. If pwdAccountLockedTime is set to 000001010000Z, the user's account has been permanently locked and may only be unlocked by an administrator. Note that account locking only takes effect when the pwdLockout password policy attribute is set to "TRUE".
------------------------------------------------------------------------

Also set default value for sdap_pwdlockout_dn to cn=ppolicy,ou=policies,${search_base}

Resolves: https://fedorahosted.org/sssd/ticket/2364

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

443eb8217741df57d9f58f2098487b91e3404e71 25-Oct-2013 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Amend sdap_access_check to allow any connection

Related: https://fedorahosted.org/sssd/ticket/2082

Also move the check for subdomain to the handler. I think it is the job of the handler to decide which domain the request belongs to, not the request itself.

dfd71fc92db940b2892cc996911cec03d7b6c52b 19-Mar-2013 Simo Sorce <simo@redhat.com>

Convert sdap_access to new error codes

Also simplify sdap_access_send to avoid completely fake _send() routines.

249a28dbf31e11794c7f35d709c5561c1555898d 21-Jan-2013 Simo Sorce <simo@redhat.com>

Pass domain not be_req to access check functions

a0f186208e39a88b9e18d875121c5032531e7705 24-Apr-2012 Jan Zeleny <jzeleny@redhat.com>

Accept be_req instead of be_ctx in LDAP access provider

8372129f446e1558f1923a112f328a266144c3ce 09-Mar-2012 Stephen Gallagher <sgallagh@redhat.com>

LDAP: Make sdap_access_send/recv public

We want to consume this in the IPA provider.

da9a05bdbff6d89569a80f12b864b5bcb6b70d09 02-Nov-2011 Jan Zeleny <jzeleny@redhat.com>

Cleanup of unused function in ldap access provider

37e7e93f1996cf50677cf59fd8af6938dd5d85b2 08-Jul-2011 Sumit Bose <sbose@redhat.com>

Add LDAP access control based on NDS attributes

3612c73e7957721bcbf31d0118e2ac210eb46b88 24-Mar-2011 Pierre Ossman <pierre@ossman.eu>

Add host access control support

https://fedorahosted.org/sssd/ticket/746

d73fcc5183a676aed4fd040714b87274248b784c 19-Jan-2011 Sumit Bose <sbose@redhat.com>

Add LDAP expire policy based on RHDS/IPA attribute

The attribute nsAccountLock is used by RHDS, IPA and other directory servers to indicate that the account is locked.

22f4c1b86dcf5589e63f2ae043dc65a8f72f6f18 19-Jan-2011 Sumit Bose <sbose@redhat.com>

Add LDAP expire policy based on AD attributes

The second bit of userAccountControl is used to determine if the account is enabled or disabled. accountExpires is checked to see if the account is expired.

2a2f642aae37e3f41cbbda162a74c2b946a4521f 21-Dec-2010 Stephen Gallagher <sgallagh@redhat.com>

Add authorizedService support

https://fedorahosted.org/sssd/ticket/670

32266b2c1c6b8bf95f3ba8fd7f3ff2ef63d8fb9a 06-Dec-2010 Sumit Bose <sbose@redhat.com>

Add new account expired rule to LDAP access provider

Two new options are added to the LDAP access provider to allow a broader range of access control rules to be evaluated.

'ldap_access_order' makes it possible to run more than one rule. To keep compatibility with older versions the default is 'filter'. This patch adds a new rule 'expire'.

'ldap_account_expire_policy' specifies which LDAP attribute should be used to determine if an account is expired or not. Currently only 'shadow' is supported which evaluates the ldap_user_shadow_expire attribute.

35480afaefafb77b28d35b29039989ab888aafe9 27-May-2010 Stephen Gallagher <sgallagh@redhat.com>

Add ldap_access_filter option

This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system.

Common examples for this would be limiting access to users in a particular group, for example:

ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com