From 7bc14683bbb99294b77ab9d8d5bb92dafcf5cb51 Mon Sep 17 00:00:00 2001
From: Matthew Newton
Date: Thu, 16 Jun 2016 19:32:36 +0100
Subject: [PATCH] rlm_winbind: add group search settings
---
 raddb/mods-available/winbind | 29 +++++++++++++++++++++++++++
 src/modules/rlm_winbind/rlm_winbind.c | 8 ++++++++
 src/modules/rlm_winbind/rlm_winbind.h | 10 ++++++++-
 3 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/raddb/mods-available/winbind b/raddb/mods-available/winbind
index a084abeb0955..2d0036233787 100644
--- a/raddb/mods-available/winbind
+++ b/raddb/mods-available/winbind
@@ -26,6 +26,35 @@ winbind {
 winbind_domain = ""
+ # Group membership checking
+ #
+ group {
+ # AD username to search for group searches
+ #
+ # This should generally not include a realm, so
+ # Stripped-User-Name is likely the best attribute
+ # if it exists.
+ #
+ group_search_username = "%{%{Stripped-User-Name}:-%{User-Name}}"
+ # Include the domain in group searches?
+ #
+ # When this is enabled, winbind_domain is prepended to the
+ # username (as domain\username) before searching. This is
+ # generally required.
+ #
+ #group_add_domain = yes
+ # Attribute to use for group comparisons.
+ #
+ # This will normally be "Winbind-Group" if this instance is
+ # unnamed, otherwise it will be "name-Winbind-Group". The
+ # name of this attribute can be overridden here.
+ #
+ #group_attribute = "Winbind-Group"
+ }
+
+
 # Information for the winbind connection pool. The configuration
 # items below are the same for all modules which use the new
 # connection pool.
diff --git a/src/modules/rlm_winbind/rlm_winbind.c b/src/modules/rlm_winbind/rlm_winbind.c
index 1646e7781430..875eb1d70fed 100644
--- a/src/modules/rlm_winbind/rlm_winbind.c
+++ b/src/modules/rlm_winbind/rlm_winbind.c
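Review bot: The default `group_search_username` falls back to `%{User-Name}` when Stripped-User-Name is absent, and the comment above it does not say what the group search then does with a realm-qualified or domain-prefixed name. With `group_add_domain` documented as prepending winbind_domain, such a value could presumably be looked up as a different principal than the one that was authenticated, and the group result is presumably used for authorization. I would add a line to the comment block such as `# If Stripped-User-Name is absent, User-Name is used unchanged; ensure it carries no realm or domain prefix.` so operators know the expanded name must identify the authenticated account.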
@@ -34,9 +34,17 @@ RCSID("$Id$")
 #include "rlm_winbind.h"
 #include "auth_wbclient_pap.h"
+static const CONF_PARSER group_config[] = {
+ { FR_CONF_OFFSET("group_search_username", PW_TYPE_TMPL, rlm_winbind_t, group_username) },
+ { FR_CONF_OFFSET("group_add_domain", PW_TYPE_BOOLEAN, rlm_winbind_t, group_add_domain), .dflt = "yes" },
+ { FR_CONF_OFFSET("group_attribute", PW_TYPE_STRING, rlm_winbind_t, group_attribute) },
+ CONF_PARSER_TERMINATOR
+};
+
 static const CONF_PARSER module_config[] = {
 { FR_CONF_OFFSET("winbind_username", PW_TYPE_TMPL, rlm_winbind_t, wb_username) },
 { FR_CONF_OFFSET("winbind_domain", PW_TYPE_TMPL, rlm_winbind_t, wb_domain) },
+ { FR_CONF_POINTER("group", PW_TYPE_SUBSECTION, NULL), .subcs = (void const *) group_config },
 CONF_PARSER_TERMINATOR
 };
diff --git a/src/modules/rlm_winbind/rlm_winbind.h b/src/modules/rlm_winbind/rlm_winbind.h
index e60c4983189b..086de4b29f53 100644
--- a/src/modules/rlm_winbind/rlm_winbind.h
+++ b/src/modules/rlm_winbind/rlm_winbind.h
@@ -11,9 +11,17 @@
 * Structure for the module configuration.
 */
 typedef struct rlm_winbind_t {
+ char const *name;
+ fr_connection_pool_t *wb_pool;
+
+ /* main config */
 vp_tmpl_t *wb_username;
 vp_tmpl_t *wb_domain;
- fr_connection_pool_t *wb_pool;
+
+ /* group config */
+ vp_tmpl_t *group_username;
+ bool group_add_domain;
+ char const *group_attribute;
 } rlm_winbind_t;
 #endif
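Review bot: In `group_config`, `group_search_username` and `group_attribute` are parsed with no `.dflt`, so both can be NULL after parsing when the `group` subsection is missing or empty. The sample config promises a default attribute of "Winbind-Group" or "name-Winbind-Group", but no visible hunk builds that name or sets the new `name` member added in rlm_winbind.h. The code that later consumes these fields is outside this patch; it should treat a NULL `group_username` as "membership cannot be checked" and never as a match. I would document that on the table, e.g. `/* group_search_username and group_attribute have no default here and may be NULL after parsing */`.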