Add ldap_access_filter option

This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system. Common examples for this would be limiting access to users by in a particular group, for example: ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
author: Stephen Gallagher <sgallagh@redhat.com> 2010-05-06 10:09:41 -0400
committer: Stephen Gallagher <sgallagh@redhat.com> 2010-05-27 14:44:14 -0400
commit: 35480afaefafb77b28d35b29039989ab888aafe9 (patch)
tree: 60789844987297b64c9dc237bdd4501e4b5df86f /src/man/sssd-ldap.5.xml
parent: 8bb6aa3fd81a3c195b92270ddf189296abae65eb (diff)
download: sssd-35480afaefafb77b28d35b29039989ab888aafe9.tar.gz
sssd-35480afaefafb77b28d35b29039989ab888aafe9.tar.xz
sssd-35480afaefafb77b28d35b29039989ab888aafe9.zip
1 files changed, 39 insertions, 0 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 9b1f14b65..89437d97f 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -657,6 +657,45 @@
                     </listitem>
                 </varlistentry>
 
+                <varlistentry>
+                    <term>ldap_access_filter (string)</term>
+                    <listitem>
+                        <para>
+                            If using access_provider = ldap, this option is
+                            mandatory. It specifies an LDAP search filter
+                            criteria that must be met for the user to be
+                            granted access on this host. If
+                            access_provider = ldap and this option is
+                            not set, it will result in all users being
+                            denied access. Use access_provider = allow to
+                            change this default behavior.
+                        </para>
+                        <para>
+                            Example:
+                        </para>
+                        <programlisting>
+access_provider = ldap
+ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
+                        </programlisting>
+                        <para>
+                            This example means that access to this host is
+                            restricted to members of the "allowedusers" group
+                            in ldap.
+                        </para>
+                        <para>
+                            Offline caching for this feature is limited to
+                            determining whether the user's last online login
+                            was granted access permission. If they were
+                            granted access during their last login, they will
+                            continue to be granted access while offline and
+                            vice-versa.
+                        </para>
+                        <para>
+                            Default: Empty
+                        </para>
+                    </listitem>
+                </varlistentry>
+
             </variablelist>
         </para>
     </refsect1>
author	Stephen Gallagher <sgallagh@redhat.com>	2010-05-06 10:09:41 -0400
committer	Stephen Gallagher <sgallagh@redhat.com>	2010-05-27 14:44:14 -0400
commit	35480afaefafb77b28d35b29039989ab888aafe9 (patch)
tree	60789844987297b64c9dc237bdd4501e4b5df86f /src/man/sssd-ldap.5.xml
parent	8bb6aa3fd81a3c195b92270ddf189296abae65eb (diff)
download	sssd-35480afaefafb77b28d35b29039989ab888aafe9.tar.gz sssd-35480afaefafb77b28d35b29039989ab888aafe9.tar.xz sssd-35480afaefafb77b28d35b29039989ab888aafe9.zip