From fa26de3b1a8993a1c5a4b071851e5e5ff7ec2ce6 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Thu, 6 May 2010 10:09:41 -0400
Subject: Add ldap_access_filter option

This option (applicable to access_provider=ldap) allows the admin
to set an additional LDAP search filter that must match in order
for a user to be granted access to the system.

Common examples for this would be limiting access to users by in a
particular group, for example:
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
---
 src/config/SSSDConfig.py                 | 3 +++
 src/config/SSSDConfigTest.py             | 2 +-
 src/config/etc/sssd.api.d/sssd-ldap.conf | 3 +++
 3 files changed, 7 insertions(+), 1 deletion(-)

(limited to 'src/config')

diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 7082861d6..6baf3476c 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -150,6 +150,9 @@ option_strings = {
     # [provider/ldap/auth]
     'ldap_pwd_policy' : _('Policy to evaluate the password expiration'),
 
+    # [provider/ldap/access]
+    'ldap_access_filter' : _('LDAP filter to determine access privileges'),
+
     # [provider/simple/access]
     'simple_allow_users' : _('Comma separated list of allowed users'),
     'simple_deny_users' : _('Comma separated list of prohibited users'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 6381d3bb8..fa6815ce0 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -689,7 +689,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
         control_provider_dict = {
             'ipa': ['id', 'auth', 'access', 'chpass'],
             'local': ['id', 'auth', 'chpass'],
-            'ldap': ['id', 'auth', 'chpass'],
+            'ldap': ['id', 'auth', 'access', 'chpass'],
             'krb5': ['auth', 'chpass'],
             'proxy': ['id', 'auth'],
             'simple': ['access'],
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index d2b47e13b..d8b92ab2e 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -65,5 +65,8 @@ ldap_force_upper_case_realm = bool, None, false
 [provider/ldap/auth]
 ldap_pwd_policy = str, None, false
 
+[provider/ldap/access]
+ldap_access_filter = str, None, false
+
 [provider/ldap/chpass]
 
-- 
cgit