URL: https://github.com/SSSD/sssd/pull/60
Author: taupehat
Title: #60: Document ad_access_filter search for nested groups
Action: synchronized
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/60/head:pr60
git checkout pr60
From 1c1a849a72ef0dd8778b009e9964fe2b0c8beaa6 Mon Sep 17 00:00:00 2001
From: taupehat
Date: Wed, 19 Oct 2016 09:42:34 -0700
Subject: [PATCH 1/2] ad_access_filter search for nested groups
Includes instructions and example
---
src/man/sssd-ad.5.xml | 9 +
1 file changed, 9 insertions(+)
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 8a2f4ad..b52cae0 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -235,6 +235,12 @@ ad_enabled_domains = sales.example.com, eng.example.com
? character, similarly to how
search bases work.
+
+Nested group membership must be searched for using
+a special OID :1.2.840.113556.1.4.1941:.
+If you do not use this OID then nested group membership
+will not be resolved. See example below.
+
The most specific match is always used. For
example, if the option specified filter
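Review bot: The added paragraph introduces :1.2.840.113556.1.4.1941: only as "a special OID" and never says where it belongs in the filter, so a reader has to find the example to learn that it sits between the attribute name and the equals sign. Suggest showing the form inline, for instance memberOf:1.2.840.113556.1.4.1941:=<group DN>. Since this option is an access filter, "nested group membership will not be resolved" would be clearer if it stated the practical outcome: a user who is a member only through another group does not match a plain memberOf= filter. "See example below" could also point at the specific example (the nested group one) rather than the whole list.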
@@ -255,6 +261,9 @@ DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)
# apply filter on forest called EXAMPLE.COM only:
FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
+
+# apply filter for a member of a nested group in dom1:
+DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)
Default: Not set
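Review bot: The new example line is scoped with DOM:dom1: but its group DN ends in dc=example,dc=com, whereas the existing dom2 example in this list uses dc=dom2,dc=com and dc=example,dc=com is what the FOREST:EXAMPLE.COM line just above uses. Readers copy these examples, so the mismatch invites a filter whose DN does not belong to the domain it is scoped to. Suggest DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=dom1,dc=com) to stay consistent with the neighbouring entries.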
From 86665d4eace4da2e2817ef01d6dcc31a6c7da87a Mon Sep 17 00:00:00 2001
From: taupehat
Date: Tue, 25 Oct 2016 14:31:12 -0700
Subject: [PATCH 2/2] Further documentation of AD nested group access
---
src/man/sssd-ad.5.xml | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index b52cae0..01cff3f 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -237,9 +237,14 @@ ad_enabled_domains = sales.example.com, eng.example.com
Nested group membership must be searched for using
-a special OID :1.2.840.113556.1.4.1941:.
-If you do not use this OID then nested group membership
-will not be resolved. See example below.
+a special OID :1.2.840.113556.1.4.1941:
+in addition to the full DOM:domain.example.org: syntax
+to ensure the parser does not attempt to interpret the
+colon characters associated with the OID. If you do not
+use this OID then nested group membership will not be
+resolved. See usage example below and refer here
+for further information about the OID:
+https://msdn.microsoft.com/en-us/library/cc223367.aspx
The most specific match is always used. For
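Review bot: The reworded sentence "a special OID ... in addition to the full DOM:domain.example.org: syntax to ensure the parser does not attempt to interpret the colon characters" is hard to parse, and "in addition to" hides the actual requirement, which is that a filter containing the OID must carry the DOM: prefix. Suggest splitting it in two: one sentence saying the OID is needed to match nested group membership, and one saying that such a filter must be written with the full DOM:domain: prefix because otherwise the parser attempts to interpret the colons in the OID. The placeholder domain.example.org also differs from the dom1 and example.com names used in the examples below, so one naming scheme throughout would help. "refer here for further information about the OID:" followed by a bare URL reads awkwardly in a man page; a short phrase describing what the linked page covers would survive if the link moves.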