#457 Add LDAP pam_filter option
Closed: Fixed None Opened 10 years ago by sgallagh.


Our LDAP auth provider is missing a feature from pam_ldap. From {{{pam_ldap(5)}}}:

       pam_filter <filter>
              Specifies  a  filter  to  use when retrieving user information.
              The user entry must match the attribute value assertion of
              (pam_login_attribute=login_name) as well as any filter specified
              here. There is no default for this option.

We should add a new option to the LDAP provider, {{{ldap_access_filter}}} that will behave in the same way as pam_filter.

It would be almost trivial to support handling this option during authentication, but properly we should create an {{{access_provider=ldap}}} for this.

Ticket is marked critical because it is a blocker to certain deployments (as seen in the BZ linked above)

We need to look into it immediately after 1.2 and based on our progress we will need to determine what is the earliest time it can be delivered.

milestone: NEEDS_TRIAGE => SSSD 1.2

Fields changed

owner: simo => sgallagh
status: new => assigned

Fields changed

milestone: SSSD 1.2 => SSSD 1.2.1

Fields changed

milestone: SSSD 1.2.1 => SSSD 1.2.0

Could you please add a description of this new feature for QE and Doc - including design, usage and example use case - thanks!

Fixed by b47587b

fixedin: => 1.2.0
resolution: => fixed
status: assigned => closed

From the new manpage:

       ldap_access_filter (string)
           If using access_provider = ldap, this option is mandatory. It specifies an LDAP search filter criteria that must be met for the user to be granted access on this host. If
           access_provider = ldap and this option is not set, it will result in all users being denied access. Use access_provider = allow to change this default behavior.


               access_provider = ldap
               ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com

           This example means that access to this host is restricted to members of the "allowedusers" group in ldap.

           Offline caching for this feature is limited to determining whether the user's last online login was granted access permission. If they were granted access during their last
           login, they will continue to be granted access while offline and vice-versa.

           Default: Empty
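
As an added illustration (not SSSD's own code), the following Python sketch shows how the login assertion and the ldap_access_filter value combine into one LDAP search filter, with the login name escaped per RFC 4515 so it cannot alter the filter's structure, and how the offline behaviour described in the manpage keeps only the last online decision. The function names, the AccessDecisionCache class and the `uid` login attribute are assumptions.

```python
from typing import Dict, Optional

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_ESCAPE = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally in the filter."""
    return ''.join(_ESCAPE.get(ch, ch) for ch in value)


def build_access_filter(login_name: str, access_filter: Optional[str],
                        login_attribute: str = "uid") -> Optional[str]:
    """Combine (login_attribute=login_name) with the admin's access filter.

    Returns None when the access filter is empty, mirroring the manpage:
    access_provider = ldap with no ldap_access_filter denies all users.
    """
    if access_filter is None or not access_filter.strip():
        return None
    extra = access_filter.strip()
    if not extra.startswith('('):          # allow the bare "attr=value" form
        extra = '(' + extra + ')'
    login = '(%s=%s)' % (login_attribute, escape_filter_value(login_name))
    return '(&' + login + extra + ')'


class AccessDecisionCache:
    """Remembers only the last online access decision per user (hypothetical)."""

    def __init__(self) -> None:
        self._last: Dict[str, bool] = {}

    def decide(self, login_name: str, online: bool,
               ldap_match: Optional[bool] = None) -> bool:
        # Online: the server's answer to the combined filter is authoritative
        # and is cached. Offline: reuse the cached answer; unknown users are denied.
        if online:
            self._last[login_name] = bool(ldap_match)
            return self._last[login_name]
        return self._last.get(login_name, False)


if __name__ == "__main__":
    # Constructed sample mirroring the manpage example.
    grp = "memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com"
    print(build_access_filter("alice", grp))
    print(build_access_filter("al*ice)(uid=*", grp))  # hostile name stays literal
    print(build_access_filter("alice", ""))           # None: deny all
```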

Fields changed

tests: 1 => 0
testsupdated: 0 => 1

Fields changed

doc: 1 => 0
docupdated: 0 => 1

Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.2.0

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1499

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for any inconvenience.
