2a91d3d SDAP: account lockout to restrict access via ssh key

3 files Authored by preichl 8 years ago, Committed by jhrozek 8 years ago,
    SDAP: account lockout to restrict access via ssh key
    
    Be able to configure sssd to honor openldap account lock to restrict
    access via ssh key. Introduce new ldap_access_order value ('lock')
    for enabling/disabling this feature.
    
    Account is considered locked if pwdAccountLockedTime attribut has value
    of 000001010000Z.
    
    ------------------------------------------------------------------------
    Quotation from man slapo-ppolicy:
    
    pwdAccountLockedTime
    
    This attribute contains the time that the user's account was locked. If
    the account has been locked, the password may no longer be used to
    authenticate the user to the  directory. If pwdAccountLockedTime is set
    to 000001010000Z, the user's account has been permanently locked and
    may only be unlocked by an administrator. Note that account locking
    only takes effect when the pwdLockout password policy attribute is set
    to "TRUE".
    ------------------------------------------------------------------------
    
    Also set default value for sdap_pwdlockout_dn to
    cn=ppolicy,ou=policies,${search_base}
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2364
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>