https://fedorahosted.org/sssd/ticket/2451
Added a line in the notes and a full example at the bottom.
On Thu, Oct 09, 2014 at 09:38:54AM -0400, Dan Lavu wrote:
https://fedorahosted.org/sssd/ticket/2451
Added a line in the notes and a full example at the bottom.
From 7678b7919e8f06176082d506885b8f85c4120c93 Mon Sep 17 00:00:00 2001
From: Dan Lavu dlavu@redhat.com
Date: Thu, 9 Oct 2014 08:56:35 -0400
Subject: [PATCH] Updated the sssd-ldap man page.
To address https://fedorahosted.org/sssd/ticket/2451 , added a note to the section and a full configuration example at the bottom of the man page.
src/man/sssd-ldap.5.xml | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index 03ea7948b69ed28945fc614eee5c47195cd85937..15902aa9fd94c21d01db7fbce5699b6afb761be5 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -1941,7 +1941,8 @@ ldap_access_filter = (employeeType=admin) </para> <para> Please note that it is a configuration error if a
value is used more than once.
value is used more than once or 'access_provider = ldap'
is not used. </para> </listitem> </varlistentry>
@@ -2491,6 +2492,27 @@ ldap_access_filter = (employeeType=admin)
</programlisting> </para> </refsect1> + <refsect1 id='ldap_access_filter example'>
I don't think you can use a space in the id element. With this patch, I get a build error: /home/remote/jhrozek/devel/sssd/src/man/sssd-ldap.5.xml:2495: element refsect1: validity error : Syntax of value for attribute id of refsect1 is not valid
<title>LDAP ACCESS FILTER EXAMPLE</title>
<para>
The following example assumes that SSSD is correctly
configured and to use the ldap_access_order=lockout.
</para>
<para>
+<programlisting>
- [domain/LDAP]
- id_provider = ldap
- auth_provider = ldap
- access_provider = ldap
- ldap_Access_order = lockout
A really minor issue, but I'd prefer if all parameters were lowercase. OK if I squash in this single change and push?
- ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=example,dc=com
- ldap_uri = ldap://ldap.mydomain.org
- ldap_search_base = dc=mydomain,dc=org
- ldap_tls_reqcert = demand
- cache_credentials = true
+</programlisting>
</para>
</refsect1>
<refsect1 id='notes'> <title>NOTES</title>
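Review bot: in the example block added by the second hunk, ldap_pwdlockout_dn points at dc=example,dc=com while ldap_uri and ldap_search_base use ldap.mydomain.org and dc=mydomain,dc=org. Use one suffix throughout, for instance cn=ppolicy,ou=policies,dc=mydomain,dc=org, so that a reader who copies the block does not end up with a lockout policy DN that belongs to a different tree than the search base.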
-- 1.9.3
sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
Jakub,
It's fine, I just noticed something else that needs to change too. So here's an update and the parameter cases squashed. I'll make sure I can compile the build next time before committing.
From 08e0255977e008807a0ff2b34bf10ca5c61ee89f Mon Sep 17 00:00:00 2001
From: Dan Lavu dlavu@redhat.com
Date: Thu, 9 Oct 2014 08:56:35 -0400
Subject: [PATCH] Updated the sssd-ldap man page.
To address https://fedorahosted.org/sssd/ticket/2451 , added a note to the section and a full configuration example at the bottom of the man page.
---
src/man/sssd-ldap.5.xml | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index 03ea7948b69ed28945fc614eee5c47195cd85937..32c4cf86b71c8e75d1d754f870f44239fc24cd2d 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -1941,7 +1941,8 @@ ldap_access_filter = (employeeType=admin) </para> <para> Please note that it is a configuration error if a - value is used more than once. + value is used more than once or 'access_provider = ldap' + is not used. </para> </listitem> </varlistentry> @@ -2491,6 +2492,27 @@ ldap_access_filter = (employeeType=admin) </programlisting> </para> </refsect1> + <refsect1 id='ldap_access_filter_example'> + <title>LDAP ACCESS FILTER EXAMPLE</title> + <para> + The following example assumes that SSSD is correctly + configured and to use the ldap_access_order=lockout. + </para> + <para> +<programlisting> + [domain/LDAP] + id_provider = ldap + auth_provider = ldap + access_provider = ldap + ldap_access_order = lockout + ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org + ldap_uri = ldap://ldap.mydomain.org + ldap_search_base = dc=mydomain,dc=org + ldap_tls_reqcert = demand + cache_credentials = true +</programlisting> + </para> + </refsect1>
<refsect1 id='notes'> <title>NOTES</title>
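Review bot: in the first hunk (-1941,7) the 'access_provider = ldap' requirement is appended to the sentence about a value being used more than once, so it reads as a general rule for the whole option rather than something tied to lockout, which is what the added example is about. Consider moving it next to the lockout description as its own sentence, where someone configuring ldap_access_order = lockout will actually see it.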
On Thu, Oct 09, 2014 at 11:58:22AM -0400, Dan Lavu wrote:
Jakub,
It's fine, I just noticed something else that needs to change too. So here's an update and the parameter cases squashed. I'll make sure I can compile the build next time before committing.
I can't apply this patch on top of origin/master...
Do you maybe need to rebase ? Can you attach a git-formatted version?
I had a merge issue, so I just redid the patch (with some minor changes) after a rebase, so it should be good now?
----- Original Message -----
From: "Jakub Hrozek" jhrozek@redhat.com To: sssd-devel@lists.fedorahosted.org Sent: Sunday, October 12, 2014 12:08:49 PM Subject: Re: [SSSD] Here is a patch for sssd-ldap man page changes, add 'access_provider = ldap' as a requirement 'ldap_access_order = for lockout'
On Thu, Oct 09, 2014 at 11:58:22AM -0400, Dan Lavu wrote:
Jakub,
It's fine, I just noticed something else that needs to change too. So here's an update and the parameter cases squashed. I'll make sure I can compile the build next time before committing.
I can't apply this patch on top of origin/master...
Do you maybe need to rebase ? Can you attach a git-formatted version?
On Mon, Oct 13, 2014 at 03:36:54PM -0400, Dan Lavu wrote:
I had a merge issue, so I just redid the patch (with some minor changes) after a rebase, so it should be good now?
There are two typos, see inline. After fixing these, I'll ACK :-)
From 61b96bb58b0a6e078708c45794c1067d1be2d133 Mon Sep 17 00:00:00 2001
From: Dan Lavu dlavu@redhat.com
Date: Mon, 13 Oct 2014 15:06:53 -0400
Subject: [PATCH] MAN PAGE: modified sssd-ldap.5.xml for sssd ticket #2451
Added a configuration example at the bottom for 'ldap_access_order = lockout'. Also added a line to note that 'ldap_access_provider = ldap' must be specified for this feature to work.
src/man/sssd-ldap.5.xml | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index 03ea7948b69ed28945fc614eee5c47195cd85937..b5e971fd036cbb0e89b821b267551196edfcd4e7 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -1921,7 +1921,10 @@ ldap_access_filter = (employeeType=admin) If set, this option denies access in case that ldap attribute 'pwdAccountLockedTime' is present and has value of '000001010000Z'. Please see the option
ldap_pwdlockout_dn.
ldap_pwdlockout_dn.
Please note that 'ldap_access_provider = ldap' must
The option is called just 'access_provider', not 'ldap_access_provider'.
be set for this feature to work. </para> <para> <emphasis>expire</emphasis>: use
@@ -2491,6 +2494,27 @@ ldap_access_filter = (employeeType=admin)
</programlisting> </para> </refsect1> + <refsect1 id='ldap_access_filter_example'> + <title>LDAP ACCESS FILTER EXAMPLE</title> + <para> + The following example assumes that SSSD is correctly + configured and to use the ldap_access_order=lockout. + </para> + <para> +<programlisting> + [domain/LDAP] + id_provider = ldap + auth_provider = ldap + access_provider = ldap + ldap_Access_order = lockout
The options in SSSD are all lowercased, so this one should read: ldap_access_order
- ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org
- ldap_uri = ldap://ldap.mydomain.org
- ldap_search_base = dc=mydomain,dc=org
- ldap_tls_reqcert = demand
- cache_credentials = true
+</programlisting>
</para>
</refsect1>
<refsect1 id='notes'> <title>NOTES</title>
-- 1.9.3
Here you go, sorry for all the little errors, I'm still new to this.
On Tue, Oct 14, 2014 at 8:38 AM, Jakub Hrozek jhrozek@redhat.com wrote:
On Mon, Oct 13, 2014 at 03:36:54PM -0400, Dan Lavu wrote:
I had a merge issue, so I just redid the patch (with some minor changes)
after a rebase, so it should be good now?
There are two typos, see inline. After fixing these, I'll ACK :-)
On Wed, Oct 15, 2014 at 09:30:50AM -0400, Dan Lavu wrote:
Here you go, sorry for all the little errors, I'm still new to this.
Sorry for the delay in the review..
ACK!
From 1c629f2da937be8bba111e76bfd10626fe0c86c0 Mon Sep 17 00:00:00 2001
From: Dan Lavu dlavu@redhat.com
Date: Mon, 13 Oct 2014 15:06:53 -0400
Subject: [PATCH] MAN PAGE: modified sssd-ldap.5.xml for sssd ticket #2451
Added a configuration example at the bottom for 'ldap_access_order = lockout'. Also added a line to note that 'ldap_access_provider = ldap' must be specified for this feature to work.
src/man/sssd-ldap.5.xml | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index 03ea7948b69ed28945fc614eee5c47195cd85937..3f7d07a8cf668eb54bfc10139813d09f1cc61e11 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -1449,7 +1449,7 @@ <listitem> <para> Specifies acceptable cipher suites. Typically this
is a colon sperated list. See
is a colon sperated list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for format. </para>
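Review bot: the first hunk (-1449,7, the cipher suite description) is unrelated to ticket #2451 and is not mentioned in the commit message, and the line it touches still reads "colon sperated list". Either drop this hunk from the patch or use it to correct the spelling to "separated" and say so in the message.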
@@ -1922,6 +1922,9 @@ ldap_access_filter = (employeeType=admin) attribute 'pwdAccountLockedTime' is present and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn.
Please note that 'access_provider = ldap' must
be set for this feature to work. </para> <para> <emphasis>expire</emphasis>: use
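Review bot: the sentence added in this hunk now names the option as 'access_provider = ldap', but the commit message of this same patch still says 'ldap_access_provider = ldap' must be specified. Amend the message so the log uses the same option name as the man page text.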
@@ -2491,6 +2494,27 @@ ldap_access_filter = (employeeType=admin)
</programlisting> </para> </refsect1> + <refsect1 id='ldap_access_filter_example'> + <title>LDAP ACCESS FILTER EXAMPLE</title> + <para> + The following example assumes that SSSD is correctly + configured and to use the ldap_access_order=lockout. + </para> + <para> +<programlisting> + [domain/LDAP] + id_provider = ldap + auth_provider = ldap + access_provider = ldap + ldap_access_order = lockout + ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org + ldap_uri = ldap://ldap.mydomain.org + ldap_search_base = dc=mydomain,dc=org + ldap_tls_reqcert = demand + cache_credentials = true +</programlisting> + </para> + </refsect1>
<refsect1 id='notes'> <title>NOTES</title>
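Review bot: the new section in the last hunk is titled "LDAP ACCESS FILTER EXAMPLE" with id 'ldap_access_filter_example', yet the block sets ldap_access_order = lockout and contains no ldap_access_filter at all. Name the section and its id after what it shows (ldap_access_order / lockout). The introductory sentence "assumes that SSSD is correctly configured and to use the ldap_access_order=lockout" also does not parse; something like "shows how to use ldap_access_order = lockout" would read correctly.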
-- 1.9.3
On Wed, Oct 22, 2014 at 04:26:47PM +0200, Jakub Hrozek wrote:
On Wed, Oct 15, 2014 at 09:30:50AM -0400, Dan Lavu wrote:
Here you go, sorry for all the little errors, I'm still new to this.
Sorry for the delay in the review..
ACK!
* master: 03b02ec99ea4be8e6f41c70dbe91d7175d5b63ea
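The rules this thread settles on (lockout only works with 'access_provider = ldap', a value in ldap_access_order must not be used more than once, option names are lowercase) can be checked mechanically against an sssd.conf. The following is an added example, not part of the thread or of SSSD; the function name, the finding strings and the BROKEN and SLOPPY domains are constructed for illustration.

```python
import configparser

# Constructed sample: [domain/LDAP] follows the man page example; BROKEN and
# SLOPPY are made-up domains that break the rules discussed in the thread.
SAMPLE = """
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_order = lockout
ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org

[domain/BROKEN]
id_provider = ldap
access_provider = permit
ldap_access_order = lockout

[domain/SLOPPY]
id_provider = ldap
access_provider = ldap
ldap_Access_order = expire, lockout, expire
"""

def lint_sssd_conf(text):
    """Return sorted (section, finding) pairs for each domain section."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep the key's case so it can be reported
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = {}
        for key, value in cp.items(section):
            if key != key.lower():
                findings.append((section, f"option '{key}' is not lowercase"))
            opts[key.lower()] = value.strip()
        order = [v.strip() for v in opts.get("ldap_access_order", "").split(",") if v.strip()]
        dupes = sorted({v for v in order if order.count(v) > 1})
        if dupes:
            findings.append((section, "ldap_access_order repeats: " + ", ".join(dupes)))
        # A missing access_provider is reported too: the page requires it to be ldap.
        if "lockout" in order and opts.get("access_provider", "").lower() != "ldap":
            findings.append((section, "lockout set but access_provider is not ldap"))
    return sorted(findings)

if __name__ == "__main__":
    for section, finding in lint_sssd_conf(SAMPLE):
        print(f"{section}: {finding}")
```

The BROKEN case is the one the ticket is about: the file looks as if account lockout were enforced, while the access provider that evaluates it is not the LDAP one.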