-rw-r--r--src/config/etc/sssd.api.d/sssd-ad.conf1
-rw-r--r--src/man/sssd-ad.5.xml24
-rw-r--r--src/providers/ad/ad_common.h1
-rw-r--r--src/providers/ad/ad_opts.h1
4 files changed, 27 insertions, 0 deletions
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 120c82752..9f606f6c4 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -4,6 +4,7 @@ ad_server = str, None, false
ad_backup_server = str, None, false
ad_hostname = str, None, false
ad_enable_dns_sites = bool, None, false
+ad_access_filter = str, None, false
ldap_uri = str, None, false
ldap_backup_uri = str, None, false
ldap_search_base = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index b05605aef..4c9a54aae 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -169,6 +169,30 @@ ldap_id_mapping = False
</varlistentry>
<varlistentry>
+ <term>ad_access_filter (boolean)</term>
+ <listitem>
+ <para>
+ This option specifies LDAP access control
+ filter that the user must match in order
+ to be allowed access. Please note that the
+ <quote>access_filter</quote> option must be
+ explicitly set to <quote>ad</quote> in order
+ for this option to have an effect.
+ </para>
+ <para>
+ Example:
+ </para>
+ <programlisting>
+access_provider = ad
+ad_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
+ </programlisting>
+ <para>
+ Default: Not set
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>dyndns_update (boolean)</term>
<listitem>
<para>
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index 98aeb2165..b8b73c042 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -41,6 +41,7 @@ enum ad_basic_opt {
AD_KEYTAB,
AD_KRB5_REALM,
AD_ENABLE_DNS_SITES,
+ AD_ACCESS_FILTER,
AD_OPTS_BASIC /* opts counter */
};
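Review bot: AD_ACCESS_FILTER is added to enum ad_basic_opt, but none of the four files in this commit reads it, so as far as this page shows the filter is parsed and stored without being enforced. If the access check lands in a later commit, an administrator who sets ad_access_filter on a build containing only this change would get no restriction from it; the commit message should say so, or the man page text should wait until the check exists. The enum value and the new ad_basic_opts[] row in ad_opts.h appear to be matched by position, so a comment above the enum such as `/* must stay in the same order as ad_basic_opts[] in ad_opts.h */` would guard against a later insertion shifting the lookup onto the wrong option. The enum starts outside this hunk.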
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index f3b6cd616..8022a1627 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -35,6 +35,7 @@ struct dp_option ad_basic_opts[] = {
{ "krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ad_enable_dns_sites", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},
DP_OPTION_TERMINATOR
};
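Review bot: The new table row declares ad_access_filter as DP_OPT_STRING and sssd-ad.conf lists it as `str`, but the man page hunk in this commit labels it `ad_access_filter (boolean)`; the term should read `<term>ad_access_filter (string)</term>`. The same man page paragraph says the `access_filter` option must be set to `ad`, while its own example sets `access_provider = ad`; presumably the text should say `<quote>access_provider</quote>`, otherwise a reader may configure the wrong option and end up with no filtering at all. The default here is NULL_STRING, so a short comment on the row stating what an unset filter means for access decisions (presumably no filter is applied) would make the intended behaviour explicit for whoever writes the consumer. ad_basic_opts[] starts outside this hunk.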