diff --git a/example/plugins/microservices/ldap_attribute_store.yaml.example b/example/plugins/microservices/ldap_attribute_store.yaml.example
index 4efe85072..033737924 100644
--- a/example/plugins/microservices/ldap_attribute_store.yaml.example
+++ b/example/plugins/microservices/ldap_attribute_store.yaml.example
@@ -84,6 +84,13 @@ config:
   ldap_identifier_attribute: uid
+  # Override the contructed search_filter with ldap_identifier_attribute
+  # with an own filter. This allows more complex queries.
+  # {0} will be injected with the ordered_identifier_candidates.
+  # For example:
+  # search_filter: "(&(uid={0})(isMemberOf=authorized))"
+  search_filter: None
   # Whether to clear values for attributes incoming
   # to this microservice. Default is no or false.
   clear_input_attributes: no
diff --git a/src/satosa/micro_services/ldap_attribute_store.py b/src/satosa/micro_services/ldap_attribute_store.py
index 6d61559b1..d5c1f05eb 100644
--- a/src/satosa/micro_services/ldap_attribute_store.py
+++ b/src/satosa/micro_services/ldap_attribute_store.py
@@ -46,6 +46,7 @@ class LdapAttributeStore(ResponseMicroService):
         "clear_input_attributes": False,
         "ignore": False,
         "ldap_identifier_attribute": None,
+        "search_filter": None,
         "ldap_url": None,
         "ldap_to_internal_map": None,
         "on_ldap_search_result_empty": None,
@@ -473,8 +474,11 @@ def process(self, context, data):
             logger.debug(logline)
             for filter_val in filter_values:
-                ldap_ident_attr = config["ldap_identifier_attribute"]
-                search_filter = "({0}={1})".format(ldap_ident_attr, filter_val)
+                if config["search_filter"]:
+                    search_filter = config["search_filter"].format(filter_val)
+                else:
+                    ldap_ident_attr = config["ldap_identifier_attribute"]
+                    search_filter = "({0}={1})".format(ldap_ident_attr, filter_val)
                 msg = {
                     "message": "LDAP query with constructed search filter",
                     "search filter": search_filter,
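Review bot: `search_filter: None` in the example does not disable the option — YAML has no `None` literal, so the loader yields the string `"None"`, which the consuming code in ldap_attribute_store.py tests for truthiness and then sends to the directory as the literal filter `None`. The example should use a YAML null, `search_filter: null`, or ship the key commented out, so that copying the file verbatim keeps the `ldap_identifier_attribute` fallback. The comment block would also be clearer if it said that `{0}` is replaced by each identifier candidate value in turn (the consuming loop issues one query per value, as far as the other hunk shows) and that any literal `{` or `}` in the filter must be doubled because the value is passed through `str.format`; `contructed` should read `constructed`.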
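Review bot: `filter_val` is interpolated into the LDAP search filter without RFC 4515 escaping, in the new `config["search_filter"].format(filter_val)` branch as well as in the retained fallback, so a candidate value containing `*`, `(`, `)`, `\` or NUL changes the structure of the filter instead of being matched literally. The candidate values are taken from the incoming response attributes rather than from operator configuration, which is why the escaping belongs here before substitution: `safe_val = escape_filter_chars(filter_val)` at the top of the loop body, with both branches formatting `safe_val` instead of `filter_val` — ldap3 provides `escape_filter_chars` in `ldap3.utils.conv`, assuming this module already depends on ldap3 (its imports are outside the hunk). A second, smaller point is that `str.format` on the operator-supplied template raises `IndexError`/`KeyError`/`ValueError` on any literal brace or unexpected placeholder, and the failure would surface on every request rather than at load time; validating the template once at init, or at least catching those exceptions here and logging the offending template, would be kinder than a per-request traceback. `process` starts and ends outside this hunk.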