diff -r de49060d4be3 -r 02091c91520f server/sources/ldapuser.py --- a/server/sources/ldapuser.py Thu Dec 09 15:27:02 2010 +0100 +++ b/server/sources/ldapuser.py Sat Dec 18 23:12:14 2010 +0100 @@ -126,6 +126,12 @@ 'help': 'classes of user', 'group': 'ldap-source', 'level': 1, }), + ('user-filter', + {'type': 'string', + 'default': '', + 'help': 'additional filters to be set in the ldap query to find valid users', + 'group': 'ldap-source', 'level': 2, + }), ('user-login-attr', {'type' : 'string', 'default': 'uid', @@ -177,11 +183,11 @@ self.user_login_attr = source_config['user-login-attr'] self.user_default_groups = splitstrip(source_config['user-default-group']) self.user_attrs = dict(v.split(':', 1) for v in splitstrip(source_config['user-attrs-map'])) + self.user_filter = source_config.get('user-filter') self.user_rev_attrs = {'eid': 'dn'} for ldapattr, cwattr in self.user_attrs.items(): self.user_rev_attrs[cwattr] = ldapattr - self.base_filters = [filter_format('(%s=%s)', ('objectClass', o)) - for o in self.user_classes] + self.base_filters = self._make_base_filters() self._conn = None self._cache = {} # ttlm is in minutes! @@ -194,6 +200,13 @@ source_config.get('synchronization-interval', 24*60*60)) + def _make_base_filters(self): + filters = [filter_format('(%s=%s)', ('objectClass', o)) + for o in self.user_classes] + if self.user_filter: + filters += [self.user_filter] + return filters + def reset_caches(self): """method called during test to reset potential source caches""" self._cache = {} @@ -287,8 +300,7 @@ # we really really don't want that raise AuthenticationError() searchfilter = [filter_format('(%s=%s)', (self.user_login_attr, login))] - searchfilter.extend([filter_format('(%s=%s)', ('objectClass', o)) - for o in self.user_classes]) + searchfilter.extend(self._make_base_filters()) searchstr = '(&%s)' % ''.join(searchfilter) # first search the user try:
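Review bot: The help text for the new `user-filter` option in the first hunk does not say what form the value must take, yet the string is later joined unescaped into the `(&...)` search expression. I would state the contract in the option itself, for example `'help': 'extra LDAP filter ANDed into the user search; must be a complete parenthesised filter, e.g. (memberOf=<group-dn>), and is inserted verbatim',`. The options tuple this entry belongs to starts and ends outside the hunk.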
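Review bot: In the second hunk, `self.user_filter = source_config.get('user-filter')` keeps the configured string exactly as written. A whitespace-only value is therefore truthy, and a value without enclosing parentheses yields a malformed search string; both surface only when the filter is used, including in the authentication search of the last hunk. Normalise it once here with `self.user_filter = (source_config.get('user-filter') or '').strip()` and reject a non-empty value that does not start with `(` and end with `)`. How a filter error from the directory is handled during login is not visible in this diff, so failing at configuration time is the safer place. The constructor body starts and ends outside the hunk.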
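Review bot: `_make_base_filters` in the third hunk has no docstring, and it combines two kinds of input without saying so: the objectClass terms are escaped through `filter_format`, while `self.user_filter` is appended as-is. A docstring such as `"""Return the filter components ANDed into every user search; user_filter is trusted configuration and is added unescaped."""` would record that for the next maintainer. As a style point, `filters += [self.user_filter]` reads more plainly as `filters.append(self.user_filter)`.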
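Review bot: In the last hunk, `searchfilter.extend(self._make_base_filters())` rebuilds the filter list on every login although the constructor already stores the same result in `self.base_filters`. Using `searchfilter.extend(self.base_filters)` would keep authentication and whatever else reads that attribute on a single filter definition, assuming nothing mutates it after construction. The enclosing method starts and ends outside the hunk.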