From 35480afaefafb77b28d35b29039989ab888aafe9 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Thu, 6 May 2010 10:09:41 -0400 Subject: Add ldap_access_filter option This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system. Common examples for this would be limiting access to users by in a particular group, for example: ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com --- src/man/sssd-ldap.5.xml | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) (limited to 'src/man') diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index 9b1f14b65..89437d97f 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -657,6 +657,45 @@ + + ldap_access_filter (string) + + + If using access_provider = ldap, this option is + mandatory. It specifies an LDAP search filter + criteria that must be met for the user to be + granted access on this host. If + access_provider = ldap and this option is + not set, it will result in all users being + denied access. Use access_provider = allow to + change this default behavior. + + + Example: + + +access_provider = ldap +ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com + + + This example means that access to this host is + restricted to members of the "allowedusers" group + in ldap. + + + Offline caching for this feature is limited to + determining whether the user's last online login + was granted access permission. If they were + granted access during their last login, they will + continue to be granted access while offline and + vice-versa. + + + Default: Empty + + + + -- cgit
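Review bot: the new ldap_access_filter paragraph does not say how the value is applied, and the example line `ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com` omits the enclosing parentheses an RFC 4515 search filter normally carries; please state whether the value is used verbatim, wrapped in parentheses automatically, or ANDed with the provider's own user-lookup filter, because a filter that never matches (syntax slip, or an attribute such as memberOf that the directory server does not maintain) produces exactly the same "all users denied" outcome this text documents for an unset option, so an admin has no way to tell a typo from a deliberately restrictive policy. A short sentence like "the filter is combined with the user search filter; surrounding parentheses are optional" (or whatever the code actually does) next to the example, plus a hint that the example relies on the server maintaining the memberOf attribute, would close that gap.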