author | Jakub Hrozek <jhrozek@redhat.com> | 2013-10-07 18:02:04 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-10-25 21:02:43 +0200 |
commit | efe6b4a9d374339cac2528cdeb43720957c6b7c9 (patch) | |
tree | 354549682b9d2333bff82177176af077bd6b805a /src/providers/ldap/ldap_init.c | |
parent | 8a05fd320a44636d120a18eb7e9956c7b35b3138 (diff) | |
AD: Use the ad_access_filter if it's set
Related:
https://fedorahosted.org/sssd/ticket/2082
Currently the AD access control only checks whether an account has
expired. This patch amends the logic so that if ad_access_filter is set,
it is used automatically.
Diffstat (limited to 'src/providers/ldap/ldap_init.c')
-rw-r--r-- | src/providers/ldap/ldap_init.c | 24 |
1 files changed, 7 insertions, 17 deletions
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
index 341338ca4..17874b132 100644
--- a/src/providers/ldap/ldap_init.c
+++ b/src/providers/ldap/ldap_init.c
@@ -341,7 +341,7 @@ int sssm_ldap_access_init(struct be_ctx *bectx,
 access_ctx->access_rule[c] = LDAP_ACCESS_FILTER;
 filter = dp_opt_get_cstring(access_ctx->id_ctx->opts->basic,
- SDAP_ACCESS_FILTER);
+ SDAP_ACCESS_FILTER);
 if (filter == NULL) {
 /* It's okay if this is NULL. In that case we will simply act
 * like the 'deny' provider.
@@ -349,24 +349,14 @@ int sssm_ldap_access_init(struct be_ctx *bectx,
 DEBUG(0, ("Warning: LDAP access rule 'filter' is set, "
 "but no ldap_access_filter configured. "
 "All domain users will be denied access.\n"));
- }
- else {
- if (filter[0] == '(') {
- /* This filter is wrapped in parentheses.
- * Pass it as-is to the openldap libraries.
- */
- access_ctx->filter = filter;
- }
- else {
- /* Add parentheses around the filter */
- access_ctx->filter = talloc_asprintf(access_ctx, "(%s)", filter);
- if (access_ctx->filter == NULL) {
- ret = ENOMEM;
- goto done;
- }
+ } else {
+ access_ctx->filter = sdap_get_access_filter(access_ctx,
+ filter);
+ if (access_ctx->filter == NULL) {
+ ret = ENOMEM;
+ goto done;
 }
 }
-
 } else if (strcasecmp(order_list[c], LDAP_ACCESS_EXPIRE_NAME) == 0) {
 access_ctx->access_rule[c] = LDAP_ACCESS_EXPIRE; |
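Review bot: In the second hunk, the NULL check after `sdap_get_access_filter(access_ctx, filter)` maps every failure to `ENOMEM`, but the helper is defined outside this file section, so it cannot be confirmed here that allocation failure is its only NULL return. If it can also return NULL for an empty or otherwise unusable `ldap_access_filter`, access-provider initialisation would abort with a misleading out-of-memory error; the helper's contract should state this, or the call site should tell the cases apart. The comments that explained the parenthesis handling were removed with the old branch, so a one-line comment at the call would keep the intent of this access-control setting visible, for example `/* Normalize the configured filter (wrapped in parentheses if needed) into a copy owned by access_ctx */`, assuming the helper keeps that behaviour. The enclosing function sssm_ldap_access_init starts and ends outside the hunk.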