#457 Add LDAP pam_filter option
Closed: Fixed. Opened 9 years ago by sgallagh.

https://bugzilla.redhat.com/show_bug.cgi?id=587743

Our LDAP auth provider is missing a feature from pam_ldap. From {{{pam_ldap(5)}}}:

       pam_filter <filter>
              Specifies  a  filter  to  use when retrieving user information.
              The user entry must match the attribute value assertion of
              (pam_login_attribute=login_name) as well as any filter specified
               here. There is no default for this option.

We should add a new option to the LDAP provider, {{{ldap_access_filter}}} that will behave in the same way as pam_filter.

It would be almost trivial to support handling this option during authentication, but properly we should create an {{{access_provider=ldap}}} for this.

Ticket is marked critical because it is a blocker to certain deployments (as seen in the BZ linked above).


We need to look into it immediately after 1.2 and based on our progress we will need to determine what is the earliest time it can be delivered.

milestone: NEEDS_TRIAGE => SSSD 1.2

Fields changed

owner: simo => sgallagh
status: new => assigned

Fields changed

milestone: SSSD 1.2 => SSSD 1.2.1

Fields changed

milestone: SSSD 1.2.1 => SSSD 1.2.0

Could you please add a description of this new feature for QE and Doc - including design, usage and example use case - thanks!

Fixed by b47587b

fixedin: => 1.2.0
resolution: => fixed
status: assigned => closed

From the new manpage:

       ldap_access_filter (string)
           If using access_provider = ldap, this option is mandatory. It specifies an LDAP search
           filter criteria that must be met for the user to be granted access on this host. If
           access_provider = ldap and this option is not set, it will result in all users being
           denied access. Use access_provider = allow to change this default behavior.

           Example:

               access_provider = ldap
               ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com

           This example means that access to this host is restricted to members of the "allowedusers" group in ldap.

           Offline caching for this feature is limited to determining whether the user's last
           online login was granted access permission. If they were granted access during their
           last login, they will continue to be granted access while offline and vice-versa.

           Default: Empty
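The ticket description and the manpage excerpt above both describe the same rule: the user's entry must satisfy the login-name assertion (pam_login_attribute=login_name) AND the administrator's filter, with no filter meaning deny. The following is an added example (not SSSD or pam_ldap code) that shows that combination, including RFC 4515 escaping of the login name so a crafted user name cannot change the shape of the filter, the wrapping of a filter written without parentheses as in the manpage example, and the offline replay of the last online decision. The toy filter evaluator, the `uid` login attribute default, and the directory entries are assumptions constructed for this example.

```python
"""Added example: combining an access filter with the login-name assertion.

This is not SSSD's implementation. The directory, the login attribute default
("uid") and the minimal filter evaluator (equality, &, |, ! only) are
assumptions made for the example.
"""
import re

# Constructed sample entries standing in for an LDAP directory; keys lowercase.
DIRECTORY = {
    "alice": {"uid": ["alice"], "memberof": ["cn=allowedusers,ou=Groups,dc=example,dc=com"]},
    "bob": {"uid": ["bob"], "memberof": ["cn=otherteam,ou=Groups,dc=example,dc=com"]},
}
MANPAGE_FILTER = "memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com"

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value so it cannot terminate or extend the enclosing filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_access_filter(login_name, access_filter, login_attribute="uid"):
    """Return the combined filter, or None when no access filter is configured.

    None models the manpage's deny-by-default: access_provider = ldap with an
    empty ldap_access_filter denies everyone. A filter given without enclosing
    parentheses (as in the manpage example) is wrapped (assumption).
    """
    if access_filter is None or not access_filter.strip():
        return None
    inner = access_filter.strip()
    if not inner.startswith("("):
        inner = "(" + inner + ")"
    return "(&(%s=%s)%s)" % (login_attribute, escape_filter_value(login_name), inner)


def _parse(s, i):
    """Parse one parenthesised component at s[i]; return (node, next_index)."""
    assert s[i] == "("
    i += 1
    if s[i] in "&|!":
        op = s[i]
        i += 1
        kids = []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        assert s[i] == ")"
        return (op, kids), i + 1
    end = s.index(")", i)  # escaped values never contain a literal ')'
    attr, _, val = s[i:end].partition("=")
    return ("=", attr.strip().lower(), val), end + 1


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matches(entry, node):
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    op = node[0]
    if op == "=":
        _, attr, val = node
        return _unescape(val).lower() in (v.lower() for v in entry.get(attr, []))
    kids = node[1]
    if op == "&":
        return all(matches(entry, k) for k in kids)
    if op == "|":
        return any(matches(entry, k) for k in kids)
    return not matches(entry, kids[0])  # "!"


def check_access(login_name, access_filter, directory=DIRECTORY):
    """Online decision: search with the combined filter; exactly one hit grants."""
    flt = build_access_filter(login_name, access_filter)
    if flt is None:
        return False
    node, _ = _parse(flt, 0)
    hits = [e for e in directory.values() if matches(e, node)]
    return len(hits) == 1


def decide(login_name, access_filter, online, cache, directory=DIRECTORY):
    """Online: evaluate and remember the result. Offline: replay the outcome of
    the last online login, as the manpage describes; unknown users are denied."""
    if online:
        cache[login_name] = check_access(login_name, access_filter, directory)
    return cache.get(login_name, False)
```

Note that the injection case only shows that the login name stays inside a single equality assertion after escaping; because the outer operator is AND, an unescaped name cannot widen the match either, but a filter that is not well-formed is the kind of thing a server rejects, which would surface as a denial rather than a bypass.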

Fields changed

tests: 1 => 0
testsupdated: 0 => 1

Fields changed

doc: 1 => 0
docupdated: 0 => 1

Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.2.0

2 years ago
