https://bugzilla.redhat.com/show_bug.cgi?id=587743
Our LDAP auth provider is missing a feature from pam_ldap. From pam_ldap(5):
pam_filter <filter> Specifies a filter to use when retrieving user information. The user entry must match the attribute value assertion of (pam_login_attribute=login_name) as well as any filter specified here. There is no default for this option.
We should add a new option to the LDAP provider, ldap_access_filter, that will behave in the same way as pam_filter.
It would be almost trivial to support handling this option during authentication, but properly we should create an access_provider=ldap for this.
Ticket is marked critical because it is a blocker to certain deployments (as seen in the BZ linked above).
We need to look into it immediately after 1.2 and, based on our progress, we will need to determine what is the earliest time it can be delivered.
milestone: NEEDS_TRIAGE => SSSD 1.2
Fields changed
owner: simo => sgallagh status: new => assigned
milestone: SSSD 1.2 => SSSD 1.2.1
milestone: SSSD 1.2.1 => SSSD 1.2.0
Could you please add a description of this new feature for QE and Doc - including design, usage and example use case - thanks!
Fixed by b47587b
fixedin: => 1.2.0 resolution: => fixed status: assigned => closed
From the new manpage:
ldap_access_filter (string)
If using access_provider = ldap, this option is mandatory. It specifies an LDAP search filter criteria that must be met for the user to be granted access on this host. If access_provider = ldap and this option is not set, it will result in all users being denied access. Use access_provider = allow to change this default behavior.
Example:
    access_provider = ldap
    ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
This example means that access to this host is restricted to members of the "allowedusers" group in ldap.
Offline caching for this feature is limited to determining whether the user's last online login was granted access permission. If they were granted access during their last login, they will continue to be granted access while offline and vice-versa.
Default: Empty
tests: 1 => 0 testsupdated: 0 => 1
doc: 1 => 0 docupdated: 0 => 1
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=587743 587743]
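The two semantics described in this ticket, the pam_filter rule from the original description (the user entry must match (pam_login_attribute=login_name) AND the configured filter) and the manpage text above (deny everyone when access_provider = ldap has no ldap_access_filter; offline, reuse the last online decision), as an added example. This is not SSSD's code: the attribute names, the tiny in-memory directory, the conjunction-only filter evaluator and the decision cache are all constructed here for illustration. It also shows why the login name must be RFC 4515-escaped before it is embedded in the filter, which the ticket does not discuss.

```python
"""Added example, not SSSD's own code: how an access filter such as
ldap_access_filter / pam_filter is combined with the login-name assertion
and how the "last online decision" offline cache behaves.

Assumptions (not from the ticket): the attribute names, the in-memory
directory DIRECTORY, and the cache class are constructed for illustration.
"""
import re
from typing import Dict, List, Optional

# RFC 4515 escaping for values embedded in a search filter. The login name
# is attacker-controlled input, so it must be escaped or "alice)(uid=*"
# would change the structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_access_filter(login_attr: str, login_name: str,
                        access_filter: Optional[str]) -> Optional[str]:
    """Return the filter the provider would send, or None when
    access_provider = ldap has no ldap_access_filter (the deny-all case)."""
    if not access_filter:
        return None
    user = f"({login_attr}={escape_filter_value(login_name)})"
    # Accept both "memberOf=..." (as in the manpage example) and "(memberOf=...)".
    extra = access_filter if access_filter.startswith("(") else f"({access_filter})"
    return f"(&{user}{extra})"


# Constructed stand-in for a directory: login name -> multi-valued attributes.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "alice": {"uid": ["alice"],
              "memberOf": ["cn=allowedusers,ou=Groups,dc=example,dc=com"]},
    "bob": {"uid": ["bob"],
            "memberOf": ["cn=staff,ou=Groups,dc=example,dc=com"]},
}
ALLOWED_FILTER = "memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com"

_ASSERTION = re.compile(r"\(([^=()&|!]+)=([^()]*)\)")


def matches_and_filter(entry: Dict[str, List[str]], filt: str) -> bool:
    """Evaluate a filter of the form (&(a=v)(b=w)...) against one entry.
    Only a single conjunction of equality assertions is supported; that is
    all this example needs and keeps the evaluator honest about its scope."""
    if not (filt.startswith("(&") and filt.endswith(")")):
        raise ValueError("only (&...) conjunctions are supported")
    body = filt[2:-1]
    assertions = _ASSERTION.findall(body)
    if "".join(f"({a}={v})" for a, v in assertions) != body:
        raise ValueError("unsupported filter syntax")
    return all(unescape_filter_value(v) in entry.get(a, []) for a, v in assertions)


class AccessDecisionCache:
    """Remembers only the last online access decision per user, which is the
    offline behaviour the manpage text describes."""

    def __init__(self) -> None:
        self._last: Dict[str, bool] = {}

    def record(self, user: str, granted: bool) -> None:
        self._last[user] = granted

    def offline_decision(self, user: str) -> bool:
        # A user never seen online has no cached grant: deny.
        return self._last.get(user, False)


def check_access(directory: Dict[str, Dict[str, List[str]]], login_attr: str,
                 login_name: str, access_filter: Optional[str],
                 online: bool, cache: AccessDecisionCache) -> bool:
    if not online:
        return cache.offline_decision(login_name)
    filt = build_access_filter(login_attr, login_name, access_filter)
    if filt is None:
        granted = False  # access_provider = ldap without a filter denies everyone
    else:
        entry = directory.get(login_name)
        granted = entry is not None and matches_and_filter(entry, filt)
    cache.record(login_name, granted)
    return granted


if __name__ == "__main__":
    cache = AccessDecisionCache()
    for name in ("alice", "bob"):
        print(name, "online:", check_access(DIRECTORY, "uid", name, ALLOWED_FILTER, True, cache))
        print(name, "offline:", check_access(DIRECTORY, "uid", name, ALLOWED_FILTER, False, cache))
    print("injection attempt builds:",
          build_access_filter("uid", "alice)(uid=*", ALLOWED_FILTER))
```

The escaping step is the part worth copying: a filter built by plain string concatenation from the login name would let `alice)(uid=*` turn the conjunction into something the administrator never wrote, whereas the escaped form stays one equality assertion that matches no entry.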
Metadata Update from @sgallagh: - Issue assigned to sgallagh - Issue set to the milestone: SSSD 1.2.0
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: https://github.com/SSSD/sssd/issues/1499
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.