Diffstat (limited to 'src/providers/ad/ad_init.c')
-rw-r--r--src/providers/ad/ad_init.c22
1 files changed, 20 insertions, 2 deletions
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index c829cc861..d744c2a05 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -366,6 +366,7 @@ sssm_ad_access_init(struct be_ctx *bectx,
errno_t ret;
struct ad_access_ctx *access_ctx;
struct ad_id_ctx *ad_id_ctx;
+ const char *filter;
access_ctx = talloc_zero(bectx, struct ad_access_ctx);
if (!access_ctx) return ENOMEM;
@@ -392,10 +393,27 @@ sssm_ad_access_init(struct be_ctx *bectx,
ret = ENOMEM;
goto fail;
}
-
access_ctx->sdap_access_ctx->id_ctx = access_ctx->sdap_ctx;
+
+ /* If ad_access_filter is set, the value of ldap_acess_order is
+ * expire, filter, otherwise only expire
+ */
access_ctx->sdap_access_ctx->access_rule[0] = LDAP_ACCESS_EXPIRE;
- access_ctx->sdap_access_ctx->access_rule[1] = LDAP_ACCESS_EMPTY;
+ filter = dp_opt_get_cstring(access_ctx->ad_options, AD_ACCESS_FILTER);
+ if (filter != NULL) {
+ access_ctx->sdap_access_ctx->filter = sdap_get_access_filter(
+ access_ctx->sdap_access_ctx,
+ filter);
+ if (access_ctx->sdap_access_ctx->filter == NULL) {
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ access_ctx->sdap_access_ctx->access_rule[1] = LDAP_ACCESS_FILTER;
+ access_ctx->sdap_access_ctx->access_rule[2] = LDAP_ACCESS_EMPTY;
+ } else {
+ access_ctx->sdap_access_ctx->access_rule[1] = LDAP_ACCESS_EMPTY;
+ }
*ops = &ad_access_ops;
*pvt_data = access_ctx;
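Review bot: The filter branch now writes `access_rule[2]`, one element beyond what the removed line ever touched, and nothing in the hunk shows the capacity of `access_rule`; if that array is declared with exactly two slots, the new code is an out-of-bounds write whenever ad_access_filter is configured, so its declaration should be checked and the index bounded by a named size constant rather than a literal. The added comment also misspells the option name; I would change it to `/* If ad_access_filter is set, ldap_access_order is "expire, filter"; otherwise only "expire". */`. Mapping every NULL from `sdap_get_access_filter()` to ENOMEM may mislabel a rejected filter as an allocation failure; if that helper can fail for other reasons, a log line naming the filter would help the administrator diagnose it. sssm_ad_access_init begins and ends outside this hunk.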