From d3b1ed808665ba63bbb45cd4d9aa380916ed1b65 Mon Sep 17 00:00:00 2001
From: Dan Lavu <dlavu@redhat.com>
Date: Tue, 11 Nov 2014 15:46:51 -0500
Subject: [PATCH 094/104] MAN: page edit for ldap_use_tokengroups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves:
https://fedorahosted.org/sssd/ticket/2448

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
 src/man/sssd-ldap.5.xml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index d7a2a4ac9fa2497a4c347a2a7e77703e53b8a46c..5b36f69a679a1362290d8fea1f4c8fc29cc548d8 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -2482,7 +2482,18 @@ ldap_access_filter = (employeeType=admin)
                     <term>ldap_group_search_base (string)</term>
                     <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/ldap_search_bases.xml" />
                 </varlistentry>
-
+            </variablelist>
+            <variablelist>
+                <note>
+                    <para>
+                        If the option <quote>ldap_use_tokengroups</quote> is
+                        enabled. The searches against Active Directory will
+                        not be restricted and return all groups memberships,
+                        even with no gid mapping. It is recommended to disable
+                        this feature, if group names are not being displayed
+                        correctly.
+                    </para>
+                </note>
                 <varlistentry condition="with_sudo">
                     <term>ldap_sudo_search_base (string)</term>
                     <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/ldap_search_bases.xml" />
-- 
1.9.3