From e37cbdd9be139b9949024c94ae21c12b36a6c180 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 2 Oct 2013 17:48:49 +0200 Subject: AD: Add a new option ad_access_filter This patch just adds the option, it doesn't do anything useful yet. Related: https://fedorahosted.org/sssd/ticket/2082 --- src/config/etc/sssd.api.d/sssd-ad.conf | 1 + src/man/sssd-ad.5.xml | 24 ++++++++++++++++++++++++ src/providers/ad/ad_common.h | 1 + src/providers/ad/ad_opts.h | 1 + 4 files changed, 27 insertions(+)
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 120c82752..9f606f6c4 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -4,6 +4,7 @@ ad_server = str, None, false
 ad_backup_server = str, None, false
 ad_hostname = str, None, false
 ad_enable_dns_sites = bool, None, false
+ad_access_filter = str, None, false
 ldap_uri = str, None, false
 ldap_backup_uri = str, None, false
 ldap_search_base = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index b05605aef..4c9a54aae 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -168,6 +168,30 @@ ldap_id_mapping = False + + ad_access_filter (boolean) + + + This option specifies LDAP access control + filter that the user must match in order + to be allowed access. Please note that the + access_filter option must be + explicitly set to ad in order + for this option to have an effect. + + + Example: + + +access_provider = ad +ad_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com + + + Default: Not set + + + + dyndns_update (boolean)
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index 98aeb2165..b8b73c042 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -41,6 +41,7 @@ enum ad_basic_opt {
 AD_KEYTAB,
 AD_KRB5_REALM,
 AD_ENABLE_DNS_SITES,
+ AD_ACCESS_FILTER,
 AD_OPTS_BASIC /* opts counter */
 };
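Review bot: Nothing in this commit reads `AD_ACCESS_FILTER`, so a configured `ad_access_filter` is parsed and then ignored, while the sssd-ad.5.xml hunk already tells administrators that the user "must match in order to be allowed access". The commit message itself says the option does nothing useful yet, so a deployment that sets the filter expecting it to restrict logins gets exactly the access decision it had before. Either land the man page entry together with the enforcing change, or add a sentence to the entry stating that the filter is not evaluated yet. Separately, assuming options are looked up by enum index, a comment here such as `/* must stay in the same order as ad_basic_opts[] in ad_opts.h */` would document the coupling; the enum begins outside the hunk.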
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index f3b6cd616..8022a1627 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -35,6 +35,7 @@ struct dp_option ad_basic_opts[] = {
 { "krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
 { "ad_enable_dns_sites", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},
 DP_OPTION_TERMINATOR
 };
-- cgit
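Review bot: The new table entry registers `ad_access_filter` as `DP_OPT_STRING` and sssd-ad.conf declares it `str`, but the man page hunk in the same commit titles it `ad_access_filter (boolean)`; that heading should read `ad_access_filter (string)`. The same man page paragraph says the `access_filter` option must be set to `ad`, while its own example sets `access_provider = ad`, so the prose most likely means `access_provider`. Because the default is `NULL_STRING`, the change that adds the consumer should state explicitly what an unset or empty filter means for the access decision rather than leave it implicit. `ad_basic_opts[]` begins outside the hunk.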