>From 7d74accb1f452d202d4fae524db1a14ebb314df2 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Mon, 24 Feb 2014 19:42:23 +0100
Subject: [PATCH] MAN: Clarify the ldap_access_filter option further

https://fedorahosted.org/sssd/ticket/2235

The memberof example was misleading and was making aministrators think that the ldap_access_filter can resolve nested group memberships.
---
 src/man/sssd-ldap.5.xml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 9e572836d79d84615712943382b0348ecc544e61..46b2972b89915f7f4389487e51af1ed73f279bb7 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1782,7 +1782,7 @@ access_provider = ldap
-ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
+ldap_access_filter = (employeeType=admin)
 This example means that access to this host is
@@ -1790,6 +1790,19 @@ ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
 in ldap.
+ Please note that this filter is applied on the
+ LDAP user entry only. As an example, with many
+ directory servers (notably Active Directory),
+ the memberOf attribute only
+ includes the direct membership. If the directory
+ uses nested groups, the simple access provider
+ is often a better choice. See
+ the
+ sssd-simple
+ 5
+ manual page for more information.
+
+
 Offline caching for this feature is limited to determining whether the user's last online login was granted access permission. If they were
--
1.8.5.3