On Thu, Apr 10, 2014 at 05:47:33PM +0200, Pavel Reichl wrote:
> Hello,
> 
> please see attached patches. 
> 
> I'm not sure that the 2nd patch is needed to fulfill the ticket
> requirements. (https://fedorahosted.org/sssd/ticket/2308)
> 
> Pavel Reichl
> 
> 

> From 31e951439e1f2215adb64e4409c717ac759e397c Mon Sep 17 00:00:00 2001
> From: Pavel Reichl <prei...@redhat.com>
> Date: Thu, 10 Apr 2014 16:25:45 +0100
> Subject: [PATCH 1/2] MAN: hint nested groups by simple access provider
> 
> sssd-ldap hints to use the simple access provider if a nested group membership
> is needed.
> 
> Resolves:
> https://fedorahosted.org/sssd/ticket/2308
> ---
>  src/man/sssd-ldap.5.xml | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
> index 
> f93b418c45d9bcd32499860a858c3f829bb245ca..8b41a67c7728851480cd0631a9ad9239f1e320a9
>  100644
> --- a/src/man/sssd-ldap.5.xml
> +++ b/src/man/sssd-ldap.5.xml
> @@ -1799,6 +1799,15 @@ ldap_access_filter = (employeeType=admin)
>                              vice-versa.
>                          </para>
>                          <para>
> +                            Please note that the nested group membership is 
> not
> +                            supported by the ldap access provider, however, 
> it
> +                            is supported by the simple access provider. See
> +                            
> <citerefentry><refentrytitle>sssd-simple</refentrytitle>
> +                            <manvolnum>5</manvolnum></citerefentry> manual
> +                            page for more information about the simple access
> +                            provider.
> +                        </para>
> +                        <para>
>                              Default: Empty
>                          </para>
>                      </listitem>
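Review bot: the added paragraph's claim that nested group membership is "not supported by the ldap access provider" overstates the limitation and will mislead administrators on servers where it does work. The existing description of ldap_access_filter already says the filter is applied on the LDAP user entry only, so a group-based filter succeeds exactly as far as that entry's memberof attribute reflects the nesting, which depends on the server. Suggest rephrasing to something like: "Because the filter is evaluated against the user entry only, nested group membership is visible to it only if the server lists inherited groups in the user's memberof attribute. To enforce nested group membership independently of server behaviour, use the simple access provider." Minor: drop the article in "the nested group membership".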

This is not accurate. The root of the problem is not nested group membership
not being supported, but the fact that the filter is applied on the user
entry. The user entry would contain the group memberships in the 'memberof'
attribute, but typically (notably in AD), the memberof attribute only
points to the direct parents. Some servers (IPA) include also the parent
groups in the memberof attribute, so the ldap_access_filter would work
OK for those.

I think we could just expand on the last sentence in the opening paragraph
(currently it says "...applied on the LDAP user entry only").

> -- 
> 1.8.4.2
> 

> From 417bedfdfb47127cdeb6bd17c91401cabdf3132b Mon Sep 17 00:00:00 2001
> From: Pavel Reichl <prei...@redhat.com>
> Date: Thu, 10 Apr 2014 16:30:03 +0100
> Subject: [PATCH 2/2] MAN: sssd-simple - nested group membership support
> 
> Explicit notice in sssd-simple about support of nested group membership.
> 
> Resolves:
> https://fedorahosted.org/sssd/ticket/2308
> ---
>  src/man/sssd-simple.5.xml | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/src/man/sssd-simple.5.xml b/src/man/sssd-simple.5.xml
> index 
> 8f94990da9d94dca2f6b5730aaab6b4468fed487..4843e12da6900fe6c784e36d4001d319d42c749c
>  100644
> --- a/src/man/sssd-simple.5.xml
> +++ b/src/man/sssd-simple.5.xml
> @@ -144,6 +144,13 @@
>          </para>
>      </refsect1>
>  
> +    <refsect1 id='notes'>
> +        <title>NOTES</title>
> +        <para>
> +            The simple access provider supports a nested group membership.
> +        </para>
> +    </refsect1>
> +
>      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"; 
> href="include/seealso.xml" />
>  
>  </refentry>
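Review bot: the new NOTES paragraph only states that the provider "supports a nested group membership", which tells the administrator neither what that means in practice nor which checks it affects. Suggest describing the mechanism, e.g. "Group membership is resolved completely, including nested groups, before the access check is performed, so a user who is only an indirect member of a group named in the allow or deny group lists is treated as a member." Also drop the article: "supports nested group membership".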
> -- 
> 1.8.4.2
> 

Maybe we should say a bit more, something like "the complete group
memberships are resolved before the access check, so even nested groups
can be included in the access lists" ?
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel