Arthur de Jong

Open Source / Free Software developer

author Arthur de Jong <arthur@arthurdejong.org> 2010-05-07 23:45:06 +0200
committer Arthur de Jong <arthur@arthurdejong.org> 2010-05-07 23:45:06 +0200
commit a034ed2f01a14c4d20904442b2820b1f02e4e67a (patch)
tree b3fc600407dfc9b9e734d921bc108376947ea9b7 /man
parent 458b8e289ad6fb5df0a44c5a119ef9bda8861604 (diff)
implement an authz_search option to test whether the user is authorised
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1088 ef36b2f9-881f-0410-afb5-c4e39611909c
Diffstat (limited to 'man')
-rw-r--r-- man/nslcd.conf.5.xml 31
-rw-r--r-- man/pam_ldap.8.xml 4
2 files changed, 33 insertions, 2 deletions
diff --git a/man/nslcd.conf.5.xml b/man/nslcd.conf.5.xml
index 0aa4454..76cf422 100644
--- a/man/nslcd.conf.5.xml
+++ b/man/nslcd.conf.5.xml
@@ -642,6 +642,37 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>authz_search</option>
+ <replaceable>FILTER</replaceable></term>
+ <listitem>
+ <para>
+ This option allows flexible fine tuning of the authorisation check that
+ should be performed. The search filter specified is executed and
+ if any entries match, access is granted, otherwise access is denied.
+ </para>
+ <para>
+ The search filter can contain the following variable references:
+ <literal>$username</literal>, <literal>$service</literal>,
+ <literal>$ruser</literal>, <literal>$rhost</literal>,
+ <literal>$tty</literal>, <literal>$hostname</literal>,
+ <literal>$dn</literal>, and <literal>$uid</literal>.
+ These references are substituted in the search filter using the
+ same syntax as described in the section on attribute mapping
+ expressions below.
+ </para>
+ <para>
+ For example, to check that the user has a proper authorizedService
+ value if the attribute is present:
+ <literal>(&amp;(objectClass=posixAccount)(uid=$username)(|(authorizedService=$service)(!(authorizedService=*))))</literal>
+ </para>
+ <para>
+ The default behaviour is not to do this extra search and always
+ grant access.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect2>
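Review bot: The paragraph listing the variable references ($username, $service, $ruser, $rhost, $tty, $hostname, $dn, $uid) does not say whether substituted values are escaped for LDAP filter syntax before the search is executed. Several of these are supplied by the connecting client, so the manual should state this explicitly; an administrator writing a filter needs to know whether a value containing "*", "(", ")" or "\" can change the meaning of the filter. Two further gaps in the same entry: the text says access is granted "if any entries match" but does not say which search base and scope are used, and it does not say whether a failed search (server unreachable, invalid filter) results in access being denied. Since the documented default is to always grant access, it is worth spelling out that the failure case does not fall back to that default.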
diff --git a/man/pam_ldap.8.xml b/man/pam_ldap.8.xml
index 19d9884..ad91878 100644
--- a/man/pam_ldap.8.xml
+++ b/man/pam_ldap.8.xml
@@ -166,8 +166,8 @@
<refsect1 id="moduleservices">
<title>Module Services Provided</title>
<para>
- All services are provided by this module but currently only authentication
- (auth) and password change (password) are implemented in the nslcd daemon.
+ All services are provided by this module but currently sessions changes
+ are not implemented in the nslcd daemon.
</para>
</refsect1>
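Review bot: In the replacement sentence, "sessions changes" reads as a typo and does not match the naming the removed lines used, which gave each service with its PAM type in parentheses ("authentication (auth)", "password change (password)"). Suggest "session management (session) is not implemented in the nslcd daemon". The new wording also leaves the reader to infer that account checks are now implemented; naming them and pointing to the authz_search option in nslcd.conf(5) would make clear that the authorisation step grants access by default unless that option is configured.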