On Thu, Dec 02, 2010 at 09:00:37AM -0500, Stephen Gallagher wrote:
> On 11/25/2010 08:25 AM, Sumit Bose wrote:
>> these two patches aim to fix trac ticket #672. While the first patch
>> only makes a utility function public the second adds some new layers to
>> the LDAP access provider. I've tried to make the changes in a way to
>> make it easy to add new rules (#670) and new expire policies (#673,
>> #674, #690).
>> I would like to ask the reviewers to check if the new code is really as
>> flexible as I think and if it is enough to evaluate the shadow expire
>> attribute here. TIA
>
> Patch 0001: Ack.
>
> Patch 0002: Nack.
>
> The manpage entry for ldap_account_expire_policy should list the valid
> values for this option. The patch comment notes that this is only
> "shadow" at present.
>
> sssm_ldap_access_init() should throw an error (or at least warn and
> ignore it) if we get a duplicate access rule. e.g.:
> ldap_access_order = filter, filter
> I prefer the error, because it might not be clear which order was
>
> Please rename sdap_access_decide_offline(), sdap_access_retry(),
> sdap_access_connect_done() and sdap_access_get_access_done() to be clear
> that they apply to the access_filter.
>
> I'm not sure we want to deny on a missing password expiration attribute.
> Some users might be lacking this attribute with the intent that it means
> "no expiration". Maybe we should add a strictness option here.
>
> I checked how pam_ldap handles this. A missing attribute or a value of 0
> means "no expiration".
>
> next_access_rule() should probably return on PAM_ACCT_EXPIRED, not just
Thanks for the review, new version attached.
sssd-devel mailing list
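The three review points above (rejecting a duplicated or unknown entry in ldap_access_order, treating a missing shadowExpire or a value of 0 as "no expiration" unless a strictness option says otherwise, and stopping rule evaluation at the first rule that does not allow access) can be sketched in a few functions. The block below is an added, stand-alone illustration written for this page; it is not SSSD code and does not use the sdap_access_* functions from the patch. The rule names "filter" and "expire", the ACCESS_* result values, the "strict" flag and the sample values in main() are all assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Result codes standing in for the PAM codes the review talks about.
 * The names and values are this example's own, not PAM's or SSSD's. */
enum access_result { ACCESS_ALLOW = 0, ACCESS_DENY = 1, ACCESS_EXPIRED = 2 };

/* Rule names assumed for the example: "filter" (the LDAP access filter)
 * and "expire" (the shadow expire policy). */
static const char *known_rules[] = { "filter", "expire" };
#define NUM_KNOWN (sizeof(known_rules) / sizeof(known_rules[0]))

/* Parse the value of ldap_access_order ("filter, expire").  An unknown
 * rule name, an empty entry or a duplicate such as "filter, filter" is a
 * configuration error and returns -1; on success the canonical rule
 * names are stored in out[] and 0 is returned. */
int parse_access_order(const char *order, const char **out, size_t max, size_t *n)
{
    const char *p = order;
    *n = 0;
    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        const char *match = NULL;
        size_t i;

        /* trim surrounding whitespace from this entry */
        while (len > 0 && (*p == ' ' || *p == '\t')) { p++; len--; }
        while (len > 0 && (p[len - 1] == ' ' || p[len - 1] == '\t' ||
                           p[len - 1] == '\n')) len--;
        if (len == 0) return -1;

        for (i = 0; i < NUM_KNOWN; i++)
            if (strlen(known_rules[i]) == len && strncmp(p, known_rules[i], len) == 0)
                match = known_rules[i];
        if (match == NULL) return -1;                  /* unknown rule */
        for (i = 0; i < *n; i++)
            if (out[i] == match) return -1;            /* duplicate rule */
        if (*n == max) return -1;
        out[(*n)++] = match;

        if (comma == NULL) break;
        p = comma + 1;
    }
    return *n > 0 ? 0 : -1;
}

/* Evaluate a shadowExpire value (days since 1970-01-01).  NULL means the
 * attribute is absent.  Absent or "0" means "no expiration", the pam_ldap
 * behaviour cited in the thread; with strict set, an absent attribute
 * denies access instead.  A malformed or negative value fails closed. */
int shadow_expire_check(const char *shadow_expire, long today_days, int strict)
{
    char *end;
    long expire;

    if (shadow_expire == NULL) return strict ? ACCESS_DENY : ACCESS_ALLOW;
    errno = 0;
    expire = strtol(shadow_expire, &end, 10);
    if (errno != 0 || end == shadow_expire || *end != '\0' || expire < 0)
        return ACCESS_DENY;
    if (expire == 0) return ACCESS_ALLOW;
    return today_days >= expire ? ACCESS_EXPIRED : ACCESS_ALLOW;
}

/* Run the configured rules in order.  The first rule that does not allow
 * access ends the evaluation and its result (deny or expired) is returned,
 * so an expired account is reported as such and not masked by a later rule. */
int evaluate_access(const char **rules, size_t n, int filter_matched,
                    const char *shadow_expire, long today_days, int strict)
{
    size_t i;
    for (i = 0; i < n; i++) {
        int r = ACCESS_ALLOW;
        if (strcmp(rules[i], "filter") == 0)
            r = filter_matched ? ACCESS_ALLOW : ACCESS_DENY;
        else if (strcmp(rules[i], "expire") == 0)
            r = shadow_expire_check(shadow_expire, today_days, strict);
        if (r != ACCESS_ALLOW) return r;
    }
    return ACCESS_ALLOW;
}

/* Parse an order string and run it in one step; -1 means a config error. */
int evaluate_order(const char *order, int filter_matched,
                   const char *shadow_expire, long today_days, int strict)
{
    const char *rules[8];
    size_t n;
    if (parse_access_order(order, rules, 8, &n) != 0) return -1;
    return evaluate_access(rules, n, filter_matched, shadow_expire, today_days, strict);
}

int main(void)
{
    long today = (long)(time(NULL) / 86400);  /* days since the epoch */
    printf("filter, filter         -> %d (config error expected)\n",
           evaluate_order("filter, filter", 1, NULL, today, 0));
    printf("missing shadowExpire   -> %d (lenient) / %d (strict)\n",
           evaluate_order("filter, expire", 1, NULL, today, 0),
           evaluate_order("filter, expire", 1, NULL, today, 1));
    printf("shadowExpire=14975     -> %d (expired: 2010-12-31 is long past)\n",
           evaluate_order("filter, expire", 1, "14975", today, 0));
    return 0;
}
```

The constructed sample values (today's day count, shadowExpire "14975") only exist to exercise the branches; the choice to fail closed on a malformed value and to reject duplicates rather than warn is the example's, matching the preference stated in the review.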