From af16267fc9d681fc4230fa82a9fe86de9491c8fd Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 24 Feb 2014 19:42:23 +0100
Subject: [PATCH 98/99] MAN: Clarify the ldap_access_filter option further

https://fedorahosted.org/sssd/ticket/2235

The memberof example was misleading and was making administrators think
that the ldap_access_filter can resolve nested group memberships.

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
(cherry picked from commit 604d46e028ab62f83060fb88bdd3319a31aca2d1)
---
src/man/sssd-ldap.5.xml | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index cc58544c38e8ffa779f0a1b22a69caaf3f193ce1..b271a2b7fa8b19ac3e4475bd8ca634b0414f5ea4 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1775,19 +1775,20 @@
and this option is not set, it will result in all
users being denied access.
Use access_provider = permit to change this default
- behavior.
+ behavior. Please note that this filter is applied on
+ the LDAP user entry only.
</para>
<para>
Example:
</para>
<programlisting>
access_provider = ldap
-ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
+ldap_access_filter = (employeeType=admin)
</programlisting>
<para>
This example means that access to this host is
- restricted to members of the "allowedusers" group
- in ldap.
+ restricted to users whose employeeType
+ attribute is set to "admin".
</para>
<para>
Offline caching for this feature is limited to
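Review bot: The sentence added to the first paragraph ("this filter is applied on the LDAP user entry only") never states the consequence the commit message is about, namely that ldap_access_filter does not resolve nested group memberships. An administrator who already deployed a memberOf filter modelled on the removed example will not infer that from "user entry only", and since this option decides who may log in to the host, the limitation should be spelled out. Suggest saying explicitly next to that sentence that group memberships, nested ones in particular, are not evaluated by the filter, so a memberOf-based filter cannot be relied on to cover nested members. As a wording point, "applied to the LDAP user entry" reads better than "applied on".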
--
1.8.5.3