author Jakub Hrozek <jhrozek@redhat.com> 2014-02-24 19:42:23 +0100
committer Jakub Hrozek <jhrozek@redhat.com> 2014-02-26 18:38:44 +0100
commit af16267fc9d681fc4230fa82a9fe86de9491c8fd
tree 0efdbd4883eba42341b87a4bb4d0fdef689f3367
parent cb5090d6da0e0b378b095b151af70fa21cd62e9e
MAN: Clarify the ldap_access_filter option further
https://fedorahosted.org/sssd/ticket/2235

The memberof example was misleading and was making administrators think that the ldap_access_filter can resolve nested group memberships.

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
(cherry picked from commit 604d46e028ab62f83060fb88bdd3319a31aca2d1)
-rw-r--r-- src/man/sssd-ldap.5.xml 9
1 files changed, 5 insertions, 4 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index cc58544c3..b271a2b7f 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1775,19 +1775,20 @@
and this option is not set, it will result in all
users being denied access.
Use access_provider = permit to change this default
- behavior.
+ behavior. Please note that this filter is applied on
+ the LDAP user entry only.
</para>
<para>
Example:
</para>
<programlisting>
access_provider = ldap
-ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
+ldap_access_filter = (employeeType=admin)
</programlisting>
<para>
This example means that access to this host is
- restricted to members of the "allowedusers" group
- in ldap.
+ restricted to users whose employeeType
+ attribute is set to "admin".
</para>
<para>
Offline caching for this feature is limited to
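Review bot: The sentence added after "behavior." says only that the filter "is applied on the LDAP user entry only" and never states the consequence the commit message is about, that nested group memberships are not resolved. Because the memberOf example is replaced rather than explained, an administrator who still writes a memberOf filter gets no hint from the man page about why nested members are denied. Suggest extending the new sentence with something like "so nested group memberships are not resolved by this filter". Minor wording point in the same sentence: "applied on" would read better as "applied to".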