[SSSD] [sssd PR#60][synchronized] Document ad_access_filter search for nested groups

2016-11-02 Thread taupehat
   URL: https://github.com/SSSD/sssd/pull/60
Author: taupehat
 Title: #60: Document ad_access_filter search for nested groups
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/60/head:pr60
git checkout pr60
From 5397dd8190747a2cb59884467d879662f6bae065 Mon Sep 17 00:00:00 2001
From: Mike Ely 
Date: Wed, 2 Nov 2016 11:26:21 -0700
Subject: [PATCH] ad_access_filter search for nested groups

Includes instructions and example for AD nested group access

Related to https://fedorahosted.org/sssd/ticket/3218

Signed-off-by: Mike Ely 
---
 src/man/sssd-ad.5.xml | 16 
 1 file changed, 16 insertions(+)

diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 8a2f4ad..2618f83 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -236,6 +236,19 @@ ad_enabled_domains = sales.example.com, eng.example.com
 search bases work.
 
 
+Nested group membership must be searched for using
+a special OID :1.2.840.113556.1.4.1941:
+in addition to the full DOM:domain.example.org: syntax
+to ensure the parser does not attempt to interpret the
+colon characters associated with the OID. If you do not
+use this OID then nested group membership will not be
+resolved. See usage example below and refer here
+for further information about the OID:
+https://msdn.microsoft.com/en-us/library/cc223367.aspx;>
+[MS-ADTS] section LDAP extensions
+
+
 The most specific match is always used. For
 example, if the option specified filter
 for a domain the user is a member of and a
@@ -255,6 +268,9 @@ DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)
 
 # apply filter on forest called EXAMPLE.COM only:
 FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
+
+# apply filter for a member of a nested group in dom1:
+DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)
 
 
 Default: Not set
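
Review bot: The example on the last added line scopes the filter to dom1 but puts the group under dc=example,dc=com, while the neighbouring dom2 example (visible in the hunk header) uses a DN inside its own domain, dc=dom2,dc=com. Use cn=nestedgroup,ou=groups,dc=dom1,dc=com, or state in the comment that the group lives in a different domain, so readers do not copy a DN that cannot match.
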
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#60][synchronized] Document ad_access_filter search for nested groups

2016-10-25 Thread taupehat
   URL: https://github.com/SSSD/sssd/pull/60
Author: taupehat
 Title: #60: Document ad_access_filter search for nested groups
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/60/head:pr60
git checkout pr60
From 1c1a849a72ef0dd8778b009e9964fe2b0c8beaa6 Mon Sep 17 00:00:00 2001
From: taupehat 
Date: Wed, 19 Oct 2016 09:42:34 -0700
Subject: [PATCH 1/2] ad_access_filter search for nested groups

Includes instructions and example
---
 src/man/sssd-ad.5.xml | 9 +
 1 file changed, 9 insertions(+)

diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 8a2f4ad..b52cae0 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -235,6 +235,12 @@ ad_enabled_domains = sales.example.com, eng.example.com
 ? character, similarly to how
 search bases work.
 
+			
+Nested group membership must be searched for using
+a special OID :1.2.840.113556.1.4.1941:.
+If you do not use this OID then nested group membership
+will not be resolved. See example below.
+
 
 The most specific match is always used. For
 example, if the option specified filter
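
Review bot: The added paragraph says nested membership "must be searched for using a special OID" but not where the OID goes in the filter, nor that the filter then needs an explicit DOM: prefix because the OID itself contains colons; "See example below" leaves the reader to infer both. State that the OID is inserted between memberOf and the "=" sign and that the prefixed form is required, and say whether the FOREST: form is handled the same way. The first added line, as shown here, contains only tab characters; confirm it matches the indentation of the neighbouring paragraphs.
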
@@ -255,6 +261,9 @@ DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)
 
 # apply filter on forest called EXAMPLE.COM only:
 FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
+
+# apply filter for a member of a nested group in dom1:
+DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)
 
 
 Default: Not set
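
Review bot: The comment on the added example, "apply filter for a member of a nested group in dom1", does not say what the rule actually matches. With the 1.2.840.113556.1.4.1941 matching rule the filter matches users who are direct or indirect members of nestedgroup, so a comment such as "# apply filter to direct and nested members of nestedgroup in dom1:" would be more precise and would tell admins that they do not need a second plain memberOf rule for direct members.
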

From 86665d4eace4da2e2817ef01d6dcc31a6c7da87a Mon Sep 17 00:00:00 2001
From: taupehat 
Date: Tue, 25 Oct 2016 14:31:12 -0700
Subject: [PATCH 2/2] Further documentation of AD nested group access

---
 src/man/sssd-ad.5.xml | 11 ---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index b52cae0..01cff3f 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -237,9 +237,14 @@ ad_enabled_domains = sales.example.com, eng.example.com
 
 			
 Nested group membership must be searched for using
-a special OID :1.2.840.113556.1.4.1941:.
-If you do not use this OID then nested group membership
-will not be resolved. See example below.
+a special OID :1.2.840.113556.1.4.1941:
+in addition to the full DOM:domain.example.org: syntax
+to ensure the parser does not attempt to interpret the
+colon characters associated with the OID. If you do not
+use this OID then nested group membership will not be
+resolved. See usage example below and refer here
+for further information about the OID:
+https://msdn.microsoft.com/en-us/library/cc223367.aspx
 
 
 The most specific match is always used. For
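
Review bot: The rewritten sentence "in addition to the full DOM:domain.example.org: syntax to ensure the parser does not attempt to interpret the colon characters associated with the OID" is hard to parse, and the URL on the last added line is bare, with no link markup or title. Split it into two statements: the matching-rule OID is required for nested groups, and a filter containing it must be written with the explicit DOM: prefix because the OID contains colons. Wrap the URL in a ulink with the document name as its text. Since 2/2 only rewords text introduced in 1/2, the two commits could be squashed into one.
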