On Wed, Feb 26, 2014 at 11:14:33AM -0500, Stephen Gallagher wrote:
>
> On 02/26/2014 10:08 AM, Jakub Hrozek wrote:
> > On Mon, Feb 24, 2014 at 07:47:08PM +0100, Jakub Hrozek wrote:
> >> The attached patch addresses:
> >>
> >> https://fedorahosted.org/sssd/ticket/2235
> >>
> >> The memberof example was misleading and was making administrators
> >> think that the ldap_access_filter can resolve nested group
> >> memberships.
> >>
> >> The alternative I was considering was changing the example to use
> >> a different attribute altogether, but I was struggling to come up
> >> with an example that wouldn't be too artificial (like
> >> ldap_access_filter=/bin/bash).
> >
> > Stephen's review seems to be stuck in mailman queue, so I'm sending
> > a patch that contains his suggestion as a reply to myself.
> >
> > The employeeType attribute Stephen suggested is a good choice, I
> > think.
> >
>
> If we're changing the cited example, I'm not sure we need to call out
> the memberOf example anymore.

Hmm, initially I wanted to keep it in, because memberOf is what I see
used mostly in the field, but you're right that when I don't think about
the context of the change and just read the man page text, it is
confusing to start talking about memberOf.

Another iteration of the patch is attached.

Yet another version that retains a part of the paragraph (.."applied on
the LDAP entry only..") and changes the description of the example.