author Simo Sorce <simo@redhat.com> 2013-03-15 15:27:31 -0400
committer Jakub Hrozek <jhrozek@redhat.com> 2013-03-20 11:49:50 +0100
commit fae99bfe4bfc8b4a12e9c2a0ad01b3684c22f934
tree 333f20454afe5782e569a41d929631d938905151 /src/man
parent dfd71fc92db940b2892cc996911cec03d7b6c52b
ldap: Fallback option for rfc2307 schema
Add option to fallback to fetch local users if rfc2307 is being used. This is useful for cases where people added local users as LDAP members and rely on these group memberships to be maintained on the local host. Disabled by default as it violates identity domain separation.

Ticket: https://fedorahosted.org/sssd/ticket/1020
Diffstat (limited to 'src/man')
-rw-r--r-- src/man/sssd-ldap.5.xml 31
1 files changed, 31 insertions, 0 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index c1553c736..799213300 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1810,6 +1810,37 @@ ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>ldap_rfc2307_fallback_to_local_users (boolean)</term>
+ <listitem>
+ <para>
+ Allows to retain local users as members of an LDAP
+ group for servers that use the RFC2307 schema.
+ </para>
+ <para>
+ In some environments where the RFC2307 schema is
+ used, local users are made members of LDAP groups
+ by adding their names to the memberUid attribute.
+ The self-consistency of the domain is compromised
+ when this is done, so SSSD would normally remove
+ the "missing" users from the cached group
+ memberships as soon as nsswitch tries to fetch
+ information about the user via getpw*() or
+ initgroups() calls.
+ </para>
+ <para>
+ This option falls back to checking if local users
+ are referenced, and caches them so that later
+ initgroups() calls will augment the local users
+ with the additional LDAP groups.
+ </para>
+ <para>
+ Default: false
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</para>
</refsect1>
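Review bot: The new ldap_rfc2307_fallback_to_local_users entry gives "Default: false" without saying why the option is off, although the commit message states the reason (it violates identity domain separation). With the option enabled, a name placed in memberUid that matches a local account is cached, and later initgroups() calls give that local user the LDAP group, so the man page should spell out that trade-off next to the default. Suggest adding a sentence such as "Enabling this option breaks the separation between the LDAP domain and local accounts" to the final paragraph, and rewording "Allows to retain local users as members" to "Allows local users to be retained as members".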