diff --git a/config-templates/authsources.php b/config-templates/authsources.php
index 4c3054d848a00e7d0e09573be3f2930f8ef8773c..44a3933553e5bfaa8327bd47dc8128f36575c006 100644
--- a/config-templates/authsources.php
+++ b/config-templates/authsources.php
@@ -303,6 +303,9 @@ $config = array(
// array of strings, in which case they will be searched in the order given.
'search.base' => 'ou=people,dc=example,dc=org',
+ // Additional LDAP filters appended to the default search
+ 'search.filter' => '(objectclass=inetorgperson)',
+
// The attribute(s) the username should match against.
//
// This is an array with one or more attribute names. Any of the attributes in
diff --git a/lib/SimpleSAML/Auth/LDAP.php b/lib/SimpleSAML/Auth/LDAP.php
index 794e84392e8dacd71102f34539506578df2ce7f3..986c3972201c6b63b6693e4dd9adb3fbb4f1bdae 100644
--- a/lib/SimpleSAML/Auth/LDAP.php
+++ b/lib/SimpleSAML/Auth/LDAP.php
@@ -202,7 +202,7 @@ class SimpleSAML_Auth_LDAP {
* @throws SimpleSAML_Error_UserNotFound if:
* - Zero entries was found
*/
- private function search($base, $attribute, $value) {
+ private function search($base, $attribute, $value, $searchFilter=NULL) {
// Create the search filter
$attribute = self::escape_filter_value($attribute, FALSE);
@@ -213,6 +213,11 @@ class SimpleSAML_Auth_LDAP {
}
$filter = '(|' . $filter . ')';
+ // Append LDAP filters if defined
+ if ($searchFilter!=NULL) {
+ $filter = "(&".$filter."".$searchFilter.")";
+ }
+
// Search using generated filter
SimpleSAML_Logger::debug('Library - LDAP search(): Searching base \'' . $base . '\' for \'' . $filter . '\'');
// TODO: Should aliases be dereferenced?
@@ -271,7 +276,7 @@ class SimpleSAML_Auth_LDAP {
* - $allowZeroHits er TRUE and no result is found
*
*/
- public function searchfordn($base, $attribute, $value, $allowZeroHits = FALSE) {
+ public function searchfordn($base, $attribute, $value, $allowZeroHits = FALSE, $searchFilter = NULL) {
// Traverse all search bases, returning DN if found
$bases = SimpleSAML\Utils\Arrays::arrayize($base);
@@ -279,7 +284,8 @@ class SimpleSAML_Auth_LDAP {
foreach ($bases AS $current) {
try {
// Single base search
- $result = $this->search($current, $attribute, $value);
+ $result = $this->search($current, $attribute, $value, $searchFilter);
+
// We don't hawe to look any futher if user is found
if (!empty($result)) {
return $result;
diff --git a/modules/ldap/lib/ConfigHelper.php b/modules/ldap/lib/ConfigHelper.php
index c39d1ddd178ae58b94c8f2ec550bb7e90379bbe4..ec6757ca19e3b7f9916daaac000edf588da468d3 100644
--- a/modules/ldap/lib/ConfigHelper.php
+++ b/modules/ldap/lib/ConfigHelper.php
@@ -81,6 +81,10 @@ class sspmod_ldap_ConfigHelper {
*/
private $searchBase;
+ /**
+ * Additional LDAP filter fields for the search
+ */
+ private $searchFilter;
/**
* The attributes which should match the username.
@@ -149,6 +153,7 @@ class sspmod_ldap_ConfigHelper {
}
$this->searchBase = $config->getArrayizeString('search.base');
+ $this->searchFilter = $config->getString('search.filter',NULL);
$this->searchAttributes = $config->getArray('search.attributes');
} else {
@@ -197,7 +202,7 @@ class sspmod_ldap_ConfigHelper {
}
}
- $dn = $ldap->searchfordn($this->searchBase, $this->searchAttributes, $username, TRUE);
+ $dn = $ldap->searchfordn($this->searchBase, $this->searchAttributes, $username, TRUE, $this->searchFilter);
if ($dn === NULL) {
/* User not found with search. */
SimpleSAML_Logger::info($this->location . ': Unable to find users DN. username=\'' . $username . '\'');