author | John Dickerson <jedicker@iastate.edu> | 2014-12-12 10:38:10 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-01-15 10:34:10 +0100 |
commit | dcaf214652568da55b1caf382e04f99b51a544f3 (patch) | |
tree | d9384ebfb7462f825f65e540f5685ad1b5d53434 | |
parent | b49c6abe12721ee8442be1c1bd6c15443b518ca2 (diff) | |
MAN: Amend the description of ignore_group_members
The option description should hint that enabling this option may have a
positive effect on access control, especially with large groups.
See https://bugzilla.redhat.com/show_bug.cgi?id=1172338 for an example
where ignoring the group members helped.
Signed-off-by: Jakub Hrozek <jakub.hrozek@posteo.se>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
-rw-r--r-- | src/man/sssd.conf.5.xml | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 10d990419..5f8e7550b 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -1487,7 +1487,25 @@ fallback_homedir = /home/%u If set to TRUE, the group membership attribute is not requested from the ldap server, and group members are not returned when processing - group lookup calls. + group lookup calls, such as + <citerefentry> + <refentrytitle>getgrnam</refentrytitle> + <manvolnum>3</manvolnum> + </citerefentry> + or + <citerefentry> + <refentrytitle>getgrgid</refentrytitle> + <manvolnum>3</manvolnum> + </citerefentry>. + As an effect, <quote>getent group + $groupname</quote> would return the requested + group as if it was empty. + </para> + <para> + Enabling this option can also make access + provider checks for group membership + significantly faster, especially for groups + containing many members. </para> <para> Default: FALSE |
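Review bot: The added text says a lookup returns the group "as if it was empty", and the new paragraph right after it recommends the option for faster access provider checks, but nothing explains how a group membership check still gives the right answer when members are not returned. An administrator could read the two statements together as "group-based access rules will see an empty group". Suggest adding a sentence that says which lookup the access check relies on, and one that warns that any consumer reading the member list from getgrnam(3) or getgrgid(3) output will see no members while the option is TRUE. Minor wording in the same added lines: "As an effect" reads better as "As a result", and "as if it was empty" as "as if it were empty".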