diff options
author | Jakub Hrozek <jhrozek@redhat.com> | 2013-10-07 18:02:04 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-10-25 21:02:43 +0200 |
commit | efe6b4a9d374339cac2528cdeb43720957c6b7c9 (patch) | |
tree | 354549682b9d2333bff82177176af077bd6b805a /src/providers/ldap/ldap_common.c | |
parent | 8a05fd320a44636d120a18eb7e9956c7b35b3138 (diff) | |
download | sssd-efe6b4a9d374339cac2528cdeb43720957c6b7c9.tar.gz sssd-efe6b4a9d374339cac2528cdeb43720957c6b7c9.tar.xz sssd-efe6b4a9d374339cac2528cdeb43720957c6b7c9.zip |
AD: Use the ad_access_filter if it's set
Related:
https://fedorahosted.org/sssd/ticket/2082
Currently the AD access control only checks if an account has been
expired. This patch amends the logic so that if ad_access_filter is set,
it is used automatically.
Diffstat (limited to 'src/providers/ldap/ldap_common.c')
-rw-r--r-- | src/providers/ldap/ldap_common.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c index b3a048c1c..e5c457c24 100644 --- a/src/providers/ldap/ldap_common.c +++ b/src/providers/ldap/ldap_common.c @@ -1757,6 +1757,25 @@ char *sdap_get_id_specific_filter(TALLOC_CTX *mem_ctx, return filter; /* NULL or not */ } +char *sdap_get_access_filter(TALLOC_CTX *mem_ctx, + const char *base_filter) +{ + char *filter = NULL; + + if (base_filter == NULL) return NULL; + + if (base_filter[0] == '(') { + /* This filter is wrapped in parentheses. + * Pass it as-is to the openldap libraries. + */ + filter = talloc_strdup(mem_ctx, base_filter); + } else { + filter = talloc_asprintf(mem_ctx, "(%s)", base_filter); + } + + return filter; +} + errno_t sdap_attrs_get_sid_str(TALLOC_CTX *mem_ctx, struct sdap_idmap_ctx *idmap_ctx, |