On Wed, Apr 29, 2015 at 04:35:29PM +0000, Sterling Sahaydak wrote:
> Thanks Jakub.
> Hmmm, not sure I understand, can you elaborate with an example using
> dc=ad,dc=example,dc=com?
Well, your example used:
ldap_access_filter = memberof=cn=groupname,ou=groups,dc=ad,dc=example,dc=com
Which reads to me as 'only allow users who are members of groupname'.
The same could be specified as:
access_provider = simple
simple_allow_groups = groupname
The difference is if there was another intermediate group between the
user and groupname:
user -> foogr -> groupname
Then, AFAIU, the user would only have memberOf: cn=foogr in his LDAP attribute
in AD, so the access filter wouldn't match. In contrast, the simple
access provider is called after all the group memberships are evaluated,
so it would work even with group nesting.
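The nesting case Jakub describes, as an added simulation that is not part of the thread or of SSSD itself: a small in-memory directory models user -> foogr -> groupname under dc=ad,dc=example,dc=com (the user DN cn=user,ou=users,... is an assumption), and two functions approximate the two access checks. The ldap_access_filter check is an equality match on the user's own memberOf attribute, which in AD lists only direct memberships, while the simple_allow_groups check runs on the group list after nested membership has been resolved.

```python
"""Constructed model of the thread's example (not sssd code): a user whose only
direct group is foogr, with foogr nested inside groupname."""

BASE_DN = "dc=ad,dc=example,dc=com"          # base DN from the thread
GROUPS_OU = f"ou=groups,{BASE_DN}"
TARGET_GROUP = f"cn=groupname,{GROUPS_OU}"  # the group that should grant access
FOOGR = f"cn=foogr,{GROUPS_OU}"             # intermediate group from the thread
USER = f"cn=user,ou=users,{BASE_DN}"        # hypothetical user DN (assumption)

# Minimal directory: memberOf on each entry lists only *direct* memberships,
# which is what a memberof=... equality filter sees in AD.
DIRECTORY = {
    USER: {"memberOf": [FOOGR]},
    FOOGR: {"memberOf": [TARGET_GROUP]},
    TARGET_GROUP: {"memberOf": []},
}

# The two sssd.conf alternatives being compared (for reference, not parsed here):
#   access_provider = ldap
#   ldap_access_filter = memberof=cn=groupname,ou=groups,dc=ad,dc=example,dc=com
# versus
#   access_provider = simple
#   simple_allow_groups = groupname


def _norm(dn):
    """Normalise a DN for comparison: case-insensitive, no whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _index(directory):
    """Directory keyed by normalised DN so lookups survive case differences."""
    return {_norm(dn): attrs for dn, attrs in directory.items()}


def ldap_access_filter_allows(directory, user_dn, group_dn):
    """Approximates access_provider=ldap with ldap_access_filter=memberof=<group_dn>:
    an equality test against the user's own memberOf values (direct groups only)."""
    direct = _index(directory).get(_norm(user_dn), {}).get("memberOf", [])
    return _norm(group_dn) in {_norm(g) for g in direct}


def transitive_groups(directory, dn):
    """Walk memberOf upwards until no new group appears (cycle-safe). This is the
    resolved membership that is available by the time the simple provider runs."""
    idx = _index(directory)
    seen = set()
    stack = [_norm(g) for g in idx.get(_norm(dn), {}).get("memberOf", [])]
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(_norm(g) for g in idx.get(group, {}).get("memberOf", []))
    return seen


def _cn(dn):
    """Value of the leading cn= RDN of a normalised DN, or None if it is not cn=."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return value if attr == "cn" else None


def simple_allow_groups_allows(directory, user_dn, group_name):
    """Approximates access_provider=simple with simple_allow_groups=<group_name>:
    the name is matched against the fully resolved (nested) group list."""
    wanted = group_name.strip().lower()
    return any(_cn(g) == wanted for g in transitive_groups(directory, user_dn))


def compare(directory=DIRECTORY, user_dn=USER):
    """Run both checks for the same user and group so the difference is visible."""
    return {
        "ldap_access_filter": ldap_access_filter_allows(directory, user_dn, TARGET_GROUP),
        "simple_allow_groups": simple_allow_groups_allows(directory, user_dn, "groupname"),
    }


if __name__ == "__main__":
    for check, allowed in compare().items():
        print(f"{check:20s} -> {'allow' if allowed else 'deny'}")
```

With the nested layout the filter-based check denies and the simple-provider check allows, which is the behaviour Jakub describes; if the user is made a direct member of groupname both checks allow. The walk in transitive_groups keeps a visited set so mutually nested groups cannot loop it.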