From 5e9833aa7b1a89cbb2c0cf667a99cb0bc4ad7963 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 8 Oct 2013 20:59:22 +0200
Subject: AD: Add extended access filter

https://fedorahosted.org/sssd/ticket/2082

Adds a new option that allows the admin to specify a LDAP access filter that can be applied globally, per-domain or per-forest.
---
 src/man/sssd-ad.5.xml | 41 ++++++++++++++++++++++++++++++++++++++---
 1 file changed, 38 insertions(+), 3 deletions(-)
(limited to 'src/man')

diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 4c9a54aae..3dcf2c739 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -180,11 +180,46 @@ ldap_id_mapping = False
 for this option to have an effect.
- Example:
+ The option also supports specifying different
+ filters per domain or forest. This
+ extended filter would consist of:
+ KEYWORD:NAME:FILTER.
+ The keyword can be either DOM,
+ FOREST or missing.
+
+ If the keyword equals to DOM
+ or is missing, then NAME specifies
+ the domain or subdomain the filter applies to.
+ If the keyword equals to FOREST,
+ then the filter equals to all domains from the
+ forest specified by NAME.
+
+ Multiple filters can be separated with the
+ ? character, similarly to how
+ search bases work.
+
+ The most specific match is always used. For
+ example, if the option specified filter
+ for a domain the user is a member of and a
+ global filter, the per-domain filter would
+ be applied. If there are more matches with
+ the same specification, the first one is used.
+
+ Examples:
-access_provider = ad
-ad_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
+# apply filter on domain called dom1 only:
+dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)
+
+# apply filter on domain called dom2 only:
+DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)
+
+# apply filter on forest called EXAMPLE.COM only:
+FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
 Default: Not set
-- 
cgit