+### This snippet is not standalone and must be integrated in the global ldap_authorized_keys.sh
+LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu"
+LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu"
+ECHO=$(which echo)
+
+if [[ $user == pub ]]; then
+ ldap_search '(&(memberOf='$LDAP_PUB_RESTRICT_MEMBER')('$KEY'=*))' $KEY | \
+ while read line ;
+ do
+ if [ ! -z "$line" ]; then
+ if [[ $line == dn* ]]; then
+ echo ""
+ user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
+ echo "# $user"
+ elif [[ $line == $KEY* ]]; then
+ key=$(clean_key_line pub "$line")
+ key_forward=$(clean_key_line forward "$line")
+ if [ ! -z "$key" ]; then
+ if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+ echo -n 'command="/etc/profiles/per-user/pub/bin/restrict '$user'" '
+ echo $key
+ fi
+ elif [ ! -z "$key_forward" ]; then
+ if [[ $key_forward != *$'\n'* ]] && [[ $key_forward == ssh-* ]]; then
+ echo "# forward only"
+ echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
+ echo $key_forward
+ fi
+ fi
+ fi
+ fi
+ done
+
+ echo ""
+ ldap_search '(&(memberOf='$LDAP_PUB_FORWARD_MEMBER')('$KEY'=*))' $KEY | \
+ while read line ;
+ do
+ if [ ! -z "$line" ]; then
+ if [[ $line == dn* ]]; then
+ echo ""
+ user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
+ echo "# $user"
+ elif [[ $line == $KEY* ]]; then
+ key=$(clean_key_line forward "$line")
+ if [ ! -z "$key" ]; then
+ if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+ echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
+ echo $key
+ fi
+ fi
+ fi
+ fi
+ done
+ exit 0
+fi
+