author | Pavel Reichl <preichl@redhat.com> | 2014-04-10 16:25:45 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-06-02 19:20:59 +0200 |
commit | 9fd8065663084acaf88e7fe10a52c60e9a2a5411 (patch) | |
tree | be6abde20bbac930cf0050109477850720454d37 /src | |
parent | 59af140ef81f6d0f10db9549089998f5e05631cb (diff) | |
MAN: hint nested groups by simple access provider
sssd-ldap hints to use the simple access provider if a nested group membership
is needed. Add explicit notice in sssd-simple about support of nested group
membership.
Resolves:
https://fedorahosted.org/sssd/ticket/2308
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/man/sssd-ldap.5.xml | 9 | ||||
-rw-r--r-- | src/man/sssd-simple.5.xml | 14 |
2 files changed, 22 insertions, 1 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index ef6bd7448..d0f3467ea 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -1854,7 +1854,14 @@ users being denied access. Use access_provider = permit to change this default behavior. Please note that this filter is applied on - the LDAP user entry only. + the LDAP user entry only and thus filtering based + on nested groups may not work (e.g. memberOf + attribute on AD entries points only to direct + parents). If filtering based on nested groups + is required, please see + <citerefentry> + <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>. </para> <para> Example: diff --git a/src/man/sssd-simple.5.xml b/src/man/sssd-simple.5.xml index 8f94990da..0d677bd29 100644 --- a/src/man/sssd-simple.5.xml +++ b/src/man/sssd-simple.5.xml @@ -144,6 +144,20 @@ </para> </refsect1> + <refsect1 id='notes'> + <title>NOTES</title> + <para> + The complete group membership hierarchy is resolved + before the access check, thus even nested groups can be + included in the access lists. Please be aware that the + <quote>ldap_group_nesting_level</quote> option may impact the + results and should be set to a sufficient value. + (<citerefentry> + <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>) option. + </para> + </refsect1> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" /> </refentry> |
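Review bot: In the sssd-ldap.5.xml hunk, "filtering based on nested groups may not work" does not say how it fails. Because the filter is applied to the LDAP user entry only, a user who belongs to a group solely through a nested group will not match it; stating that outcome is more useful to an administrator than "may not work". The closing "please see sssd-simple(5)" also never names the simple access provider, so the reader is not told that the suggested alternative is a different access provider rather than a change to the filter. Suggest naming it in that sentence.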
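Review bot: The new NOTES paragraph in the sssd-simple.5.xml hunk ends with a dangling "option." after the sssd-ldap(5) reference. The sentence has already closed at "set to a sufficient value.", so the rendered text will read "(sssd-ldap(5)) option." Suggest dropping the trailing word and folding the reference into the sentence, for example "... should be set to a sufficient value (see sssd-ldap(5))." Separately, "may impact the results" is vague for a page about access lists: say what a too-low ldap_group_nesting_level does to the access check so the reader can tell which way it fails.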