-rw-r--r--src/man/sssd-ldap.5.xml37
-rw-r--r--src/providers/ldap/ldap_common.c20
-rw-r--r--src/providers/ldap/ldap_common.h4
-rw-r--r--src/providers/ldap/ldap_id.c45
-rw-r--r--src/providers/ldap/ldap_id_enum.c32
5 files changed, 119 insertions, 19 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 2a39732b..9d585e2a 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1369,6 +1369,43 @@ ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>ldap_user_search_filter (string)</term>
+ <listitem>
+ <para>
+ This option specifies an additional LDAP search
+ filter criteria that restrict user searches.
+ </para>
+ <para>
+ Default: not set
+ </para>
+ <para>
+ Example:
+ </para>
+ <programlisting>
+ ldap_user_search_filter = (loginShell=/bin/tcsh)
+ </programlisting>
+ <para>
+ This filter would restrict user searches to users
+ that have their shell set to /bin/tcsh.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_group_search_filter (string)</term>
+ <listitem>
+ <para>
+ This option specifies an additional LDAP search
+ filter criteria that restrict group searches.
+ </para>
+ <para>
+ Default: not set
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</para>
</refsect1>
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 68b8e153..39e9b71d 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -1013,3 +1013,23 @@ bool sdap_is_secure_uri(const char *uri)
}
return false;
}
+
+char *sdap_get_id_specific_filter(TALLOC_CTX *mem_ctx,
+ char *base_filter,
+ char *extra_filter)
+{
+ char *filter = NULL;
+
+ if (!extra_filter) {
+ return talloc_strdup(mem_ctx, base_filter);
+ }
+
+ if (extra_filter[0] == '(') {
+ filter = talloc_asprintf(mem_ctx, "(&%s%s)",
+ base_filter, extra_filter);
+ } else {
+ filter = talloc_asprintf(mem_ctx, "(&%s(%s))",
+ base_filter, extra_filter);
+ }
+ return filter; /* NULL or not */
+}
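Review bot: An empty extra_filter is not rejected: only NULL is handled, so a configured but empty ldap_user_search_filter/ldap_group_search_filter value falls into the else branch and yields `(&...())`, which is not a valid LDAP filter; the guard should be `if (!extra_filter || extra_filter[0] == '\0') {`. The two input parameters are never written through, so they should be `const char *base_filter, const char *extra_filter` here and in the prototype added to ldap_common.h. The function also deserves a header comment stating that extra_filter is spliced into the filter verbatim (no escaping, unlike the sanitized name in the base filter) and so must only ever come from trusted configuration, and that the returned string is allocated on mem_ctx and NULL only on allocation failure. Whether dp_opt_get_string can return an empty string for an unset option is not visible in this diff.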
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 9146da5a..f4746805 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -162,4 +162,8 @@ errno_t list_missing_attrs(TALLOC_CTX *mem_ctx,
bool sdap_is_secure_uri(const char *uri);
+char *sdap_get_id_specific_filter(TALLOC_CTX *mem_ctx,
+ char *base_filter,
+ char *extra_filter);
+
#endif /* _LDAP_COMMON_H_ */
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index a6fb05bd..e2f08494 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -65,6 +65,7 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
struct users_get_state *state;
const char *attr_name;
char *clean_name;
+ char *base_filter;
int ret;
req = tevent_req_create(memctx, &state, struct users_get_state);
@@ -103,15 +104,24 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
goto fail;
}
- state->filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
- attr_name, clean_name,
- ctx->opts->user_map[SDAP_OC_USER].name);
+ base_filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
+ attr_name, clean_name,
+ ctx->opts->user_map[SDAP_OC_USER].name);
+ talloc_zfree(clean_name);
+ if (!base_filter) {
+ DEBUG(2, ("Failed to build the base filter\n"));
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ state->filter = sdap_get_id_specific_filter(state, base_filter,
+ dp_opt_get_string(ctx->opts->basic, SDAP_USER_SEARCH_FILTER));
+ talloc_zfree(base_filter);
if (!state->filter) {
- DEBUG(2, ("Failed to build filter\n"));
+ DEBUG(2, ("Failed to build user filter\n"));
ret = ENOMEM;
goto fail;
}
- talloc_zfree(clean_name);
/* TODO: handle attrs_type */
ret = build_attrs_from_map(state, ctx->opts->user_map,
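Review bot: The error messages for the two allocation failures differ at every call site touched by this commit: this hunk uses "Failed to build the base filter" and "Failed to build user filter", groups_get_send keeps "Failed to build filter" for the base and says "group-specific filter", enum_users_send says "base filter" / "user filter", and enum_groups_send says "filter" / "group filter". Since all four paths are now structurally identical, the messages should be too, e.g. `DEBUG(2, ("Failed to build base user filter\n"));` and `DEBUG(2, ("Failed to build user filter\n"));` with the group equivalents in the other three hunks. users_get_send starts and ends outside this hunk.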
@@ -297,6 +307,7 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
struct groups_get_state *state;
const char *attr_name;
char *clean_name;
+ char *base_filter;
int ret;
req = tevent_req_create(memctx, &state, struct groups_get_state);
@@ -335,18 +346,26 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
goto fail;
}
- state->filter =
- talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
- attr_name, clean_name,
- ctx->opts->group_map[SDAP_OC_GROUP].name,
- ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
- ctx->opts->group_map[SDAP_AT_GROUP_GID].name);
- if (!state->filter) {
+ base_filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
+ attr_name, clean_name,
+ ctx->opts->group_map[SDAP_OC_GROUP].name,
+ ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
+ ctx->opts->group_map[SDAP_AT_GROUP_GID].name);
+ talloc_zfree(clean_name);
+ if (!base_filter) {
DEBUG(2, ("Failed to build filter\n"));
ret = ENOMEM;
goto fail;
}
- talloc_zfree(clean_name);
+
+ state->filter = sdap_get_id_specific_filter(state, base_filter,
+ dp_opt_get_string(ctx->opts->basic, SDAP_GROUP_SEARCH_FILTER));
+ talloc_zfree(base_filter);
+ if (!state->filter) {
+ DEBUG(2, ("Failed to build group-specific filter\n"));
+ ret = ENOMEM;
+ goto fail;
+ }
/* TODO: handle attrs_type */
ret = build_attrs_from_map(state, ctx->opts->group_map,
diff --git a/src/providers/ldap/ldap_id_enum.c b/src/providers/ldap/ldap_id_enum.c
index 6899b87c..d7dd33e4 100644
--- a/src/providers/ldap/ldap_id_enum.c
+++ b/src/providers/ldap/ldap_id_enum.c
@@ -431,6 +431,7 @@ static struct tevent_req *enum_users_send(TALLOC_CTX *memctx,
{
struct tevent_req *req, *subreq;
struct enum_users_state *state;
+ char *base_filter;
int ret;
req = tevent_req_create(memctx, &state, struct enum_users_state);
@@ -441,7 +442,7 @@ static struct tevent_req *enum_users_send(TALLOC_CTX *memctx,
state->op = op;
if (ctx->srv_opts && ctx->srv_opts->max_user_value && !purge) {
- state->filter = talloc_asprintf(
+ base_filter = talloc_asprintf(
state,
"(&(objectclass=%s)(%s=*)(%s=*)(%s=*)(%s>=%s)(!(%s=%s)))",
ctx->opts->user_map[SDAP_OC_USER].name,
@@ -453,7 +454,7 @@ static struct tevent_req *enum_users_send(TALLOC_CTX *memctx,
ctx->opts->user_map[SDAP_AT_USER_USN].name,
ctx->srv_opts->max_user_value);
} else {
- state->filter = talloc_asprintf(
+ base_filter = talloc_asprintf(
state,
"(&(objectclass=%s)(%s=*)(%s=*)(%s=*))",
ctx->opts->user_map[SDAP_OC_USER].name,
@@ -461,8 +462,17 @@ static struct tevent_req *enum_users_send(TALLOC_CTX *memctx,
ctx->opts->user_map[SDAP_AT_USER_UID].name,
ctx->opts->user_map[SDAP_AT_USER_GID].name);
}
+ if (!base_filter) {
+ DEBUG(2, ("Failed to build base filter\n"));
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ state->filter = sdap_get_id_specific_filter(state, base_filter,
+ dp_opt_get_string(ctx->opts->basic, SDAP_USER_SEARCH_FILTER));
+ talloc_zfree(base_filter);
if (!state->filter) {
- DEBUG(2, ("Failed to build filter\n"));
+ DEBUG(2, ("Failed to build user filter\n"));
ret = ENOMEM;
goto fail;
}
@@ -542,6 +552,7 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX *memctx,
{
struct tevent_req *req, *subreq;
struct enum_groups_state *state;
+ char *base_filter;
int ret;
req = tevent_req_create(memctx, &state, struct enum_groups_state);
@@ -552,7 +563,7 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX *memctx,
state->op = op;
if (ctx->srv_opts && ctx->srv_opts->max_group_value && !purge) {
- state->filter = talloc_asprintf(
+ base_filter = talloc_asprintf(
state,
"(&(objectclass=%s)(%s=*)(%s=*)(%s>=%s)(!(%s=%s)))",
ctx->opts->group_map[SDAP_OC_GROUP].name,
@@ -563,19 +574,28 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX *memctx,
ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
ctx->srv_opts->max_group_value);
} else {
- state->filter = talloc_asprintf(
+ base_filter = talloc_asprintf(
state,
"(&(objectclass=%s)(%s=*)(%s=*))",
ctx->opts->group_map[SDAP_OC_GROUP].name,
ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
ctx->opts->group_map[SDAP_AT_GROUP_GID].name);
}
- if (!state->filter) {
+ if (!base_filter) {
DEBUG(2, ("Failed to build filter\n"));
ret = ENOMEM;
goto fail;
}
+ state->filter = sdap_get_id_specific_filter(state, base_filter,
+ dp_opt_get_string(ctx->opts->basic, SDAP_GROUP_SEARCH_FILTER));
+ talloc_zfree(base_filter);
+ if (!state->filter) {
+ DEBUG(2, ("Failed to build group filter\n"));
+ ret = ENOMEM;
+ goto fail;
+ }
+
/* TODO: handle attrs_type */
ret = build_attrs_from_map(state, ctx->opts->group_map,
SDAP_OPTS_GROUP, &state->attrs);