AD: Use the ad_access_filter if it's set

Related:
https://fedorahosted.org/sssd/ticket/2082

Currently the AD access control only checks if an account has been
expired. This patch amends the logic so that if ad_access_filter is set,
it is used automatically.

1 files changed, 19 insertions, 0 deletions

diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 89786fa49..d4d171de1 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -1745,6 +1745,25 @@ char *sdap_get_id_specific_filter(TALLOC_CTX *mem_ctx,
     return filter; /* NULL or not */
 }
 
+char *sdap_get_access_filter(TALLOC_CTX *mem_ctx,
+                             const char *base_filter)
+{
+    char *filter = NULL;
+
+    if (base_filter == NULL) return NULL;
+
+    if (base_filter[0] == '(') {
+        /* This filter is wrapped in parentheses.
+         * Pass it as-is to the openldap libraries.
+         */
+        filter = talloc_strdup(mem_ctx, base_filter);
+    } else {
+        filter = talloc_asprintf(mem_ctx, "(%s)", base_filter);
+    }
+
+    return filter;
+}
+
 errno_t
 sdap_attrs_get_sid_str(TALLOC_CTX *mem_ctx,
                        struct sdap_idmap_ctx *idmap_ctx,