MAN: Detailed ldap_group_nesting_level option

Resolves:
https://fedorahosted.org/sssd/ticket/2294

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3c1899348804713b49ba9c1f2bc782892c47c2fa)

1 files changed, 16 insertions, 0 deletions

diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index b271a2b7f..9c3eae07f 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -880,6 +880,22 @@
                             RFC2307 schema.
                         </para>
                         <para>
+                          Note: This option specifies the guaranteed level of
+                          nested groups to be processed for any lookup. However,
+                          nested groups beyond this limit
+                          <emphasis>may be</emphasis> returned if previous
+                          lookups already resolved the deeper nesting levels.
+                          Also, subsequent lookups for other groups may enlarge
+                          the result set for original lookup if re-queried.
+                        </para>
+                        <para>
+                          If ldap_group_nesting_level is set to 0 then no
+                          nested groups are processed at all. However, when
+                          connected to Active-Directory Server 2008 and later
+                          it is furthermore required to disable usage of
+                          Token-Groups by setting ldap_use_tokengroups to false.
+                        </para>
+                        <para>
                             Default: 2
                         </para>
                     </listitem>