author     Jakub Hrozek <jhrozek@redhat.com>  2013-10-08 20:59:22 +0200
committer  Jakub Hrozek <jhrozek@redhat.com>  2013-10-25 22:04:11 +0200
commit     5e9833aa7b1a89cbb2c0cf667a99cb0bc4ad7963 (patch)
tree       95f2e62afd353907aa00bfbe9b89ee7483ec1a00 /src/man
parent     2cbf205f3fe25087666ff108c2ad380fd3cbfe46 (diff)
AD: Add extended access filter

https://fedorahosted.org/sssd/ticket/2082

Adds a new option that allows the admin to specify an LDAP access filter that can be applied globally, per-domain or per-forest.
Diffstat (limited to 'src/man')
-rw-r--r--  src/man/sssd-ad.5.xml  41
1 files changed, 38 insertions, 3 deletions
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 4c9a54aae..3dcf2c739 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -180,11 +180,46 @@ ldap_id_mapping = False
for this option to have an effect.
</para>
<para>
- Example:
+ The option also supports specifying different
+ filters per domain or forest. This
+ extended filter would consist of:
+ <quote>KEYWORD:NAME:FILTER</quote>.
+ The keyword can be either <quote>DOM</quote>,
+ <quote>FOREST</quote> or missing.
+ </para>
+ <para>
+ If the keyword equals to <quote>DOM</quote>
+ or is missing, then <quote>NAME</quote> specifies
+ the domain or subdomain the filter applies to.
+ If the keyword equals to <quote>FOREST</quote>,
+ then the filter equals to all domains from the
+ forest specified by <quote>NAME</quote>.
+ </para>
+ <para>
+ Multiple filters can be separated with the
+ <quote>?</quote> character, similarly to how
+ search bases work.
+ </para>
+ <para>
+ The most specific match is always used. For
+ example, if the option specified filter
+ for a domain the user is a member of and a
+ global filter, the per-domain filter would
+ be applied. If there are more matches with
+ the same specification, the first one is used.
+ </para>
+ <para>
+ Examples:
</para>
<programlisting>
-access_provider = ad
-ad_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
+# apply filter on domain called dom1 only:
+dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)
+
+# apply filter on domain called dom2 only:
+DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)
+
+# apply filter on forest called EXAMPLE.COM only:
+FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
</programlisting>
<para>
Default: Not set
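Review bot: the new programlisting (the three added example lines) drops the "ad_access_filter =" key and the plain global filter that the removed lines "access_provider = ad" / "ad_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com" showed, so the listing no longer demonstrates how the option is actually set, and although the added precedence paragraph refers to "a global filter", none of the added paragraphs says how one is written (presumably the bare-filter form of the removed example, but the text should say so). The paragraph introducing the "?" separator is likewise not backed by any example; suggest keeping the option key and showing one combined value, e.g. "ad_access_filter = (memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com)?DOM:dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)?FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)", since an admin who gets the global/per-domain precedence or the first-match-wins tie rule wrong ends up with a different access policy than intended. Two wording nits in the added text: "If the keyword equals to <quote>DOM</quote>" should read "equals <quote>DOM</quote>", and "then the filter equals to all domains from the forest" should read "then the filter applies to all domains in the forest".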