| dea636af4d1902a081ee891f1b19ee2f8729d759 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: Switch to new interface
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
| cc2d77d5218c188119fa954c856e858cbde76947 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
Rename dp_backend.h to backend.h
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
| 13ec767e6ca3e435e119f1f07bda10eb213383f6 |
|
05-Mar-2015 |
Pavel Reichl <preichl@redhat.com> |
SDAP: Lock out ssh keys when account naturally expires
Resolves:
https://fedorahosted.org/sssd/ticket/2534
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
| c9b0071bfcb8eb8c71e40248de46d23aceecc0f3 |
|
03-Mar-2015 |
Pavel Reichl <preichl@redhat.com> |
SDAP: enable change phase of pw expire policy check
Implement new option which does checking password expiration policy
in accounting phase.
This allows SSSD to issue shadow expiration warning even if alternate
authentication method is used.
Resolves:
https://fedorahosted.org/sssd/ticket/2167
Reviewed-by: Sumit Bose <sbose@redhat.com> |
| 2a91d3dd0ce4387332db27bd1a0c0005c74f870e |
|
27-Aug-2014 |
Pavel Reichl <preichl@redhat.com> |
SDAP: account lockout to restrict access via ssh key
Be able to configure sssd to honor openldap account lock to restrict
access via ssh key. Introduce new ldap_access_order value ('lock')
for enabling/disabling this feature.
Account is considered locked if pwdAccountLockedTime attribut has value
of 000001010000Z.
------------------------------------------------------------------------
Quotation from man slapo-ppolicy:
pwdAccountLockedTime
This attribute contains the time that the user's account was locked. If
the account has been locked, the password may no longer be used to
authenticate the user to the directory. If pwdAccountLockedTime is set
to 000001010000Z, the user's account has been permanently locked and
may only be unlocked by an administrator. Note that account locking
only takes effect when the pwdLockout password policy attribute is set
to "TRUE".
------------------------------------------------------------------------
Also set default value for sdap_pwdlockout_dn to
cn=ppolicy,ou=policies,${search_base}
Resolves:
https://fedorahosted.org/sssd/ticket/2364
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
| 443eb8217741df57d9f58f2098487b91e3404e71 |
|
25-Oct-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Amend sdap_access_check to allow any connection
Related:
https://fedorahosted.org/sssd/ticket/2082
Also move the check for subdomain to the handler. I think it is the job
of the handler to decide which domain the request belongs to, not the
request itself. |
| dfd71fc92db940b2892cc996911cec03d7b6c52b |
|
19-Mar-2013 |
Simo Sorce <simo@redhat.com> |
Convert sdap_access to new error codes
Also simplify sdap_access_send to avoid completely fake _send() routines. |
| 249a28dbf31e11794c7f35d709c5561c1555898d |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Pass domain not be_req to access check functions |
| a0f186208e39a88b9e18d875121c5032531e7705 |
|
24-Apr-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Accept be_req instead if be_ctx in LDAP access provider |
| 8372129f446e1558f1923a112f328a266144c3ce |
|
09-Mar-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Make sdap_access_send/recv public
We want to consume this in the IPA provider. |
| da9a05bdbff6d89569a80f12b864b5bcb6b70d09 |
|
02-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Cleanup of unused function in ldap access provider |
| 37e7e93f1996cf50677cf59fd8af6938dd5d85b2 |
|
08-Jul-2011 |
Sumit Bose <sbose@redhat.com> |
Add LDAP access control based on NDS attributes |
| 3612c73e7957721bcbf31d0118e2ac210eb46b88 |
|
24-Mar-2011 |
Pierre Ossman <pierre@ossman.eu> |
Add host access control support
https://fedorahosted.org/sssd/ticket/746 |
| d73fcc5183a676aed4fd040714b87274248b784c |
|
19-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add LDAP expire policy base RHDS/IPA attribute
The attribute nsAccountLock is used by RHDS, IPA and other directory
servers to indicate that the account is locked. |
| 22f4c1b86dcf5589e63f2ae043dc65a8f72f6f18 |
|
19-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add LDAP expire policy based on AD attributes
The second bit of userAccountControl is used to determine if the account
is enabled or disabled. accountExpires is checked to see if the account
is expired. |
| 2a2f642aae37e3f41cbbda162a74c2b946a4521f |
|
21-Dec-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add authorizedService support
https://fedorahosted.org/sssd/ticket/670 |
| 32266b2c1c6b8bf95f3ba8fd7f3ff2ef63d8fb9a |
|
06-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add new account expired rule to LDAP access provider
Two new options are added to the LDAP access provider to allow a broader
range of access control rules to be evaluated.
'ldap_access_order' makes it possible to run more than one rule. To keep
compatibility with older versions the default is 'filter'. This patch
adds a new rule 'expire'.
'ldap_account_expire_policy' specifies which LDAP attribute should be
used to determine if an account is expired or not. Currently only
'shadow' is supported which evaluates the ldap_user_shadow_expire
attribute. |
| 35480afaefafb77b28d35b29039989ab888aafe9 |
|
27-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add ldap_access_filter option
This option (applicable to access_provider=ldap) allows the admin
to set an additional LDAP search filter that must match in order
for a user to be granted access to the system.
Common examples for this would be limiting access to users by in a
particular group, for example:
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com |