On Wed, Feb 26, 2014 at 05:22:51PM +0100, Jakub Hrozek wrote:
> On Wed, Feb 26, 2014 at 11:14:33AM -0500, Stephen Gallagher wrote:
> >
> > On 02/26/2014 10:08 AM, Jakub Hrozek wrote:
> > > On Mon, Feb 24, 2014 at 07:47:08PM +0100, Jakub Hrozek wrote:
> > >> The attached patch addresses:
> > >>
> > >> https://fedorahosted.org/sssd/ticket/2235
> > >>
> > >> The memberof example was misleading and was making administrators
> > >> think that the ldap_access_filter can resolve nested group
> > >> memberships.
> > >>
> > >> The alternative I was considering was changing the example to use
> > >> a different attribute altogether, but I was struggling to come up
> > >> with an example that wouldn't be too artificial (like
> > >> ldap_access_filter=/bin/bash).
> > >
> > > > Stephen's review seems to be stuck in mailman queue, so I'm sending
> > > > a patch that contains his suggestion as a reply to myself.
> > >
> > > The employeeType attribute Stephen suggested is a good choice, I
> > > think.
> > >
> >
> > If we're changing the cited example, I'm not sure we need to call out
> > the memberOf example anymore.
>
> Hmm, initially I wanted to keep it in, because memberOf is what I see
> used mostly in the field but you're right that when I don't think about
> the context of the change and just read the man page text, it is
> confusing to start talking about memberOf.
>
> Another iteration of the patch is attached.

Yet another version that retains a part of the paragraph (.."applied on
the LDAP entry only..") and changes the description of the example.