summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorPavel Reichl <preichl@redhat.com>2014-04-10 16:25:45 +0100
committerJakub Hrozek <jhrozek@redhat.com>2014-06-02 19:20:59 +0200
commit9fd8065663084acaf88e7fe10a52c60e9a2a5411 (patch)
treebe6abde20bbac930cf0050109477850720454d37 /src
parent59af140ef81f6d0f10db9549089998f5e05631cb (diff)
downloadsssd-9fd8065663084acaf88e7fe10a52c60e9a2a5411.tar.gz
sssd-9fd8065663084acaf88e7fe10a52c60e9a2a5411.tar.xz
sssd-9fd8065663084acaf88e7fe10a52c60e9a2a5411.zip
MAN: hint nested groups by simple access provider
sssd-ldap hints to use the simple access provider if a nested group membership is needed. Add explicit notice in sssd-simple about support of nested group membership. Resolves: https://fedorahosted.org/sssd/ticket/2308 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Diffstat (limited to 'src')
-rw-r--r--src/man/sssd-ldap.5.xml9
-rw-r--r--src/man/sssd-simple.5.xml14
2 files changed, 22 insertions, 1 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index ef6bd7448..d0f3467ea 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1854,7 +1854,14 @@
users being denied access.
Use access_provider = permit to change this default
behavior. Please note that this filter is applied on
- the LDAP user entry only.
+ the LDAP user entry only and thus filtering based
+ on nested groups may not work (e.g. memberOf
+ attribute on AD entries points only to direct
+ parents). If filtering based on nested groups
+ is required, please see
+ <citerefentry>
+ <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>.
</para>
<para>
Example:
diff --git a/src/man/sssd-simple.5.xml b/src/man/sssd-simple.5.xml
index 8f94990da..0d677bd29 100644
--- a/src/man/sssd-simple.5.xml
+++ b/src/man/sssd-simple.5.xml
@@ -144,6 +144,20 @@
</para>
</refsect1>
+ <refsect1 id='notes'>
+ <title>NOTES</title>
+ <para>
+ The complete group membership hierarchy is resolved
+ before the access check, thus even nested groups can be
+ included in the access lists. Please be aware that the
+ <quote>ldap_group_nesting_level</quote> option may impact the
+ results and should be set to a sufficient value.
+ (<citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>) option.
+ </para>
+ </refsect1>
+
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
</refentry>