From af16267fc9d681fc4230fa82a9fe86de9491c8fd Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 24 Feb 2014 19:42:23 +0100
Subject: [PATCH 98/99] MAN: Clarify the ldap_access_filter option further
https://fedorahosted.org/sssd/ticket/2235

The memberof example was misleading and was making administrators think
that the ldap_access_filter can resolve nested group memberships.

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
(cherry picked from commit 604d46e028ab62f83060fb88bdd3319a31aca2d1)
---
src/man/sssd-ldap.5.xml | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index cc58544c38e8ffa779f0a1b22a69caaf3f193ce1..b271a2b7fa8b19ac3e4475bd8ca634b0414f5ea4 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1775,19 +1775,20 @@
and this option is not set, it will result in all
users being denied access.
Use access_provider = permit to change this default
- behavior.
+ behavior. Please note that this filter is applied on
+ the LDAP user entry only.
</para>
<para>
Example:
</para>
<programlisting>
access_provider = ldap
-ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
+ldap_access_filter = (employeeType=admin)
</programlisting>
<para>
This example means that access to this host is
- restricted to members of the "allowedusers" group
- in ldap.
+ restricted to users whose employeeType
+ attribute is set to "admin".
</para>
<para>
Offline caching for this feature is limited to
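Review bot: the added sentence "Please note that this filter is applied on the LDAP user entry only" states the restriction but not the consequence the commit message is actually trying to communicate, namely that the filter cannot resolve nested group memberships; since a memberOf-style filter still matches whenever the directory itself maintains that attribute on the user entry, administrators may keep assuming group resolution works. Consider saying it explicitly, e.g. "Please note that this filter is applied to the LDAP user entry only; it cannot evaluate group memberships that are not already stored as attributes of that entry, such as nested groups." Minor: "applied to" reads better than "applied on", and the new example "(employeeType=admin)" is parenthesized while the old one was not, so it may be worth a short note that the value is a standard LDAP search filter.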
--
1.8.5.3