server/sources/ldapuser.py
branchstable
changeset 6750 ef513c03a224
parent 6693 65bd93b72f1e
parent 6733 627a93027605
child 6751 02091c91520f
child 6886 b571d2d32971
--- a/server/sources/ldapuser.py	Tue Dec 14 15:08:23 2010 +0100
+++ b/server/sources/ldapuser.py	Sat Dec 18 23:11:58 2010 +0100
@@ -126,6 +126,12 @@
           'help': 'classes of user',
           'group': 'ldap-source', 'level': 1,
           }),
+        ('user-filter',
+         {'type': 'string',
+          'default': '',
+          'help': 'additional filters to be set in the ldap query to find valid users',
+          'group': 'ldap-source', 'level': 2,
+          }),
         ('user-login-attr',
          {'type' : 'string',
           'default': 'uid',
@@ -177,11 +183,11 @@
         self.user_login_attr = source_config['user-login-attr']
         self.user_default_groups = splitstrip(source_config['user-default-group'])
         self.user_attrs = dict(v.split(':', 1) for v in splitstrip(source_config['user-attrs-map']))
+        self.user_filter = source_config.get('user-filter')
         self.user_rev_attrs = {'eid': 'dn'}
         for ldapattr, cwattr in self.user_attrs.items():
             self.user_rev_attrs[cwattr] = ldapattr
-        self.base_filters = [filter_format('(%s=%s)', ('objectClass', o))
-                              for o in self.user_classes]
+        self.base_filters = self._make_base_filters()
         self._conn = None
         self._cache = {}
         # ttlm is in minutes!
@@ -194,6 +200,13 @@
                                     source_config.get('synchronization-interval',
                                                       24*60*60))
 
+    def _make_base_filters(self):
+        filters =  [filter_format('(%s=%s)', ('objectClass', o))
+                              for o in self.user_classes] 
+        if self.user_filter:
+            filters += [self.user_filter]
+        return filters
+
     def reset_caches(self):
         """method called during test to reset potential source caches"""
         self._cache = {}
@@ -286,8 +299,7 @@
             # we really really don't want that
             raise AuthenticationError()
         searchfilter = [filter_format('(%s=%s)', (self.user_login_attr, login))]
-        searchfilter.extend([filter_format('(%s=%s)', ('objectClass', o))
-                             for o in self.user_classes])
+        searchfilter.extend(self._make_base_filters())
         searchstr = '(&%s)' % ''.join(searchfilter)
         # first search the user
         try: