path: root/src/man/sssd-ldap.5.xml
author Stephen Gallagher <sgallagh@redhat.com> 2010-05-06 10:09:41 -0400
committer Stephen Gallagher <sgallagh@redhat.com> 2010-05-16 13:28:43 -0400
commit fa26de3b1a8993a1c5a4b071851e5e5ff7ec2ce6
tree 7ce1399b2df00674a166ab1d6e387368667a6c70 /src/man/sssd-ldap.5.xml
parent 67421f2d62ceffb070070245a436bc46252b9420
Add ldap_access_filter option

This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system. Common examples for this would be limiting access to users in a particular group, for example:

ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
Diffstat (limited to 'src/man/sssd-ldap.5.xml')
-rw-r--r-- src/man/sssd-ldap.5.xml 39
1 files changed, 39 insertions, 0 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index c119e7f3f..3aa989636 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -644,6 +644,45 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>ldap_access_filter (string)</term>
+ <listitem>
+ <para>
+ If using access_provider = ldap, this option is
+ mandatory. It specifies an LDAP search filter
+ criteria that must be met for the user to be
+ granted access on this host. If
+ access_provider = ldap and this option is
+ not set, it will result in all users being
+ denied access. Use access_provider = allow to
+ change this default behavior.
+ </para>
+ <para>
+ Example:
+ </para>
+ <programlisting>
+access_provider = ldap
+ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
+ </programlisting>
+ <para>
+ This example means that access to this host is
+ restricted to members of the "allowedusers" group
+ in ldap.
+ </para>
+ <para>
+ Offline caching for this feature is limited to
+ determining whether the user's last online login
+ was granted access permission. If they were
+ granted access during their last login, they will
+ continue to be granted access while offline and
+ vice-versa.
+ </para>
+ <para>
+ Default: Empty
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</para>
</refsect1>
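Review bot: The offline-caching paragraph ("If they were granted access during their last login, they will continue to be granted access while offline and vice-versa") should say outright that a user who is removed from the access group keeps host access until the next successful online check, since that is the consequence an admin relying on this filter for revocation needs to know. In the first paragraph, "Use access_provider = allow to change this default behavior" reads like a tweak to the filter default, but it selects a different access provider; suggest wording it as an alternative that drops the LDAP filter check altogether. Smaller points: the option is called "mandatory" yet ends with "Default: Empty", so it would help to note next to the default that an empty value denies all users; "an LDAP search filter criteria" mixes singular and plural; "in ldap" should be "in LDAP"; and the example group here (cn=allowedusers) differs from the one in the commit message (cn=access_group), which is harmless but worth aligning.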