From 1e45bf20032b4d984e02487bb39cb61210063ea9 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Mon, 24 Feb 2014 19:42:23 +0100 Subject: MAN: Clarify the ldap_access_filter option further https://fedorahosted.org/sssd/ticket/2235 The memberof example was misleading and was making administrators think that the ldap_access_filter can resolve nested group memberships. Reviewed-by: Sumit Bose Reviewed-by: Stephen Gallagher (cherry picked from commit 604d46e028ab62f83060fb88bdd3319a31aca2d1) --- src/man/sssd-ldap.5.xml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index cc58544c3..b271a2b7f 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -1775,19 +1775,20 @@ and this option is not set, it will result in all users being denied access. Use access_provider = permit to change this default - behavior. + behavior. Please note that this filter is applied on + the LDAP user entry only. Example: access_provider = ldap -ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com +ldap_access_filter = (employeeType=admin) This example means that access to this host is - restricted to members of the "allowedusers" group - in ldap. + restricted to users whose employeeType + attribute is set to "admin". Offline caching for this feature is limited to -- cgit
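Review bot: The sentence added after "behavior." states that the filter is applied on the LDAP user entry only, but it never spells out the consequence the commit message names, that ldap_access_filter does not resolve nested group memberships. An administrator who already deployed the removed memberOf example gets no signal from the new text that their access rule may not mean what they assumed. Suggest saying it outright in the same paragraph, for example "Nested group memberships are not resolved by this filter.", so the limitation is documented where the option is described rather than only in the commit log. As a minor style point, "Please note that" can be dropped so the sentence reads as a plain statement like the ones before it.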