From bf4ddcde94fc36b44bc9cbcc5d56e6e35776bfc9 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Wed, 30 Sep 2015 18:34:44 +0300
Subject: man: Note filter_groups are not affecting nesting

Note that the "filter_groups" option doesn't affect nested member
inheritance, on the sssd.conf(5) manpage.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/man/sssd.conf.5.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'src/man')

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 5a7bdc91b..573f421a7 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -589,6 +589,14 @@ subdomain_inherit = ldap_purge_cache_timeout
                             be set per-domain or include fully-qualified names
                             to filter only users from the particular domain.
                         </para>
+                        <para>
+                            NOTE: The filter_groups option doesn't affect
+                            inheritance of nested group members, since
+                            filtering happens after they are propagated for
+                            returning via NSS. E.g. a group having a member
+                            group filtered out will still have the member
+                            users of the latter listed.
+                        </para>
                         <para>
                             Default: root
                         </para>
-- 
cgit