rlm_winbind: add group search settings

FreeRADIUS · Jun 17, 2016 · 7bc1468 · 7bc1468
1 parent 7c16a03
commit 7bc1468
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 1 deletion.
diff --git a/raddb/mods-available/winbind b/raddb/mods-available/winbind
@@ -26,6 +26,35 @@ winbind {
 	winbind_domain = ""
 
 
+	# Group membership checking
+	#
+	group {
+		# AD username to search for group searches
+		#
+		# This should generally not include a realm, so
+		# Stripped-User-Name is likely the best attribute
+		# if it exists.
+		#
+		group_search_username = "%{%{Stripped-User-Name}:-%{User-Name}}"
+
+		# Include the domain in group searches?
+		#
+		# When this is enabled, winbind_domain is prepended to the
+		# username (as domain\username) before searching. This is
+		# generally required.
+		#
+		#group_add_domain = yes
+
+		# Attribute to use for group comparisons.
+		#
+		# This will normally be "Winbind-Group" if this instance is
+		# unnamed, otherwise it will be "name-Winbind-Group". The
+		# name of this attribute can be overridden here.
+		#
+		#group_attribute = "Winbind-Group"
+	}
+
+
 	# Information for the winbind connection pool. The configuration
 	# items below are the same for all modules which use the new
 	# connection pool.

diff --git a/src/modules/rlm_winbind/rlm_winbind.c b/src/modules/rlm_winbind/rlm_winbind.c
@@ -34,9 +34,17 @@ RCSID("$Id$")
 #include "rlm_winbind.h"
 #include "auth_wbclient_pap.h"
 
+static const CONF_PARSER group_config[] = {
+	{ FR_CONF_OFFSET("group_search_username", PW_TYPE_TMPL, rlm_winbind_t, group_username) },
+	{ FR_CONF_OFFSET("group_add_domain", PW_TYPE_BOOLEAN, rlm_winbind_t, group_add_domain), .dflt = "yes" },
+	{ FR_CONF_OFFSET("group_attribute", PW_TYPE_STRING, rlm_winbind_t, group_attribute) },
+	CONF_PARSER_TERMINATOR
+};
+
 static const CONF_PARSER module_config[] = {
 	{ FR_CONF_OFFSET("winbind_username", PW_TYPE_TMPL, rlm_winbind_t, wb_username) },
 	{ FR_CONF_OFFSET("winbind_domain", PW_TYPE_TMPL, rlm_winbind_t, wb_domain) },
+	{ FR_CONF_POINTER("group", PW_TYPE_SUBSECTION, NULL), .subcs = (void const *) group_config },
 	CONF_PARSER_TERMINATOR
 };
 

diff --git a/src/modules/rlm_winbind/rlm_winbind.h b/src/modules/rlm_winbind/rlm_winbind.h
@@ -11,9 +11,17 @@
  *      Structure for the module configuration.
  */
 typedef struct rlm_winbind_t {
+	char const		*name;
+	fr_connection_pool_t    *wb_pool;
+
+	/* main config */
 	vp_tmpl_t		*wb_username;
 	vp_tmpl_t		*wb_domain;
-	fr_connection_pool_t    *wb_pool;
+
+	/* group config */
+	vp_tmpl_t		*group_username;
+	bool			group_add_domain;
+	char const		*group_attribute;
 } rlm_winbind_t;
 
 #endif