On Mon, Jun 02, 2014 at 08:22:14AM -0400, Stephen Gallagher wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 06/01/2014 04:09 PM, Jakub Hrozek wrote: > > On Fri, May 30, 2014 at 06:04:01PM +0200, Pavel Reichl wrote: > >> OK, please see updated patch. PR > > > > Thank you, from content point of view, this looks correct to me. > > > > Can you please ping some native English speaker before I push the > > patch? There are two parts below that I'm not sure about, but as I > > said, it's not about content, just ironing out the language. > > > > [snip] > > > >> @@ -1776,7 +1776,14 @@ users being denied access. Use > >> access_provider = permit to change this default behavior. Please > >> note that this filter is applied on - > >> the LDAP user entry only. + the LDAP > >> user entry only and thus filtering based + > >> on nested groups may not work (e.g. memberOf + > >> attribute on AD entries points only on direct > > "points only *to* direct parents" > > >> + parents). If nested group based > >> filtering is + desired please see > > > > "If filtering based on nested groups is required, please see" > > > > Maybe required instead of desired? > > > >> + <citerefentry> + > >> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> > >> > >> > + </citerefentry>. > >> </para> <para> Example: diff --git a/src/man/sssd-simple.5.xml > >> b/src/man/sssd-simple.5.xml index > >> 8f94990da9d94dca2f6b5730aaab6b4468fed487..5a0af337e3a45175aaa7a1a36fae5c1da2ead0c4 > >> 100644 --- a/src/man/sssd-simple.5.xml +++ > >> b/src/man/sssd-simple.5.xml 
@@ -144,6 +144,18 @@ </para> > >> </refsect1> > >> > >> + <refsect1 id='notes'> + <title>NOTES</title> + > >> <para> + The complete group memberships are resolved > >> before the access check, > > > > I'm not sure if "group memberships are" should read "group > > membership is", iow if it's better to use singular or plural > > here.. > > > > "The complete group membership hierarchy is resolved before the access > check, thus even nested groups..." > > > >> + so even nested groups can be included in the access > >> lists. Please be + aware of ldap_group_nesting_level > > > "Please be aware that the 'ldap_group_nesting_level' option may impact > the results and should be set to a sufficient value."
Thanks for the review! Pavel is not around today, so I took the liberty of updating the patch with your suggestions so we can move forward.
>From ef2218a7b8c5be825555b76eb27b87ec6c7b0f44 Mon Sep 17 00:00:00 2001 From: Pavel Reichl <prei...@redhat.com> Date: Thu, 10 Apr 2014 16:25:45 +0100 Subject: [PATCH] MAN: hint nested groups by simple access provider sssd-ldap hints to use the simple access provider if a nested group membership is needed. Add explicit notice in sssd-simple about support of nested group membership. Resolves: https://fedorahosted.org/sssd/ticket/2308 --- src/man/sssd-ldap.5.xml | 9 ++++++++- src/man/sssd-simple.5.xml | 14 ++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index 6426fe4fca5dc9bb9bc84fcbf633404144052d01..93a7e362a99b0994a7f964f928a394c6588a397f 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -1824,7 +1824,14 @@ users being denied access. Use access_provider = permit to change this default behavior. Please note that this filter is applied on - the LDAP user entry only. + the LDAP user entry only and thus filtering based + on nested groups may not work (e.g. memberOf + attribute on AD entries points only to direct + parents). If filtering based on nested groups + is required, please see + <citerefentry> + <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>. </para> <para> Example: diff --git a/src/man/sssd-simple.5.xml b/src/man/sssd-simple.5.xml index 8f94990da9d94dca2f6b5730aaab6b4468fed487..0d677bd293925d9eed0ea16548fad3caf3bb3bae 100644 --- a/src/man/sssd-simple.5.xml +++ b/src/man/sssd-simple.5.xml 
@@ -144,6 +144,20 @@ </para> </refsect1> + <refsect1 id='notes'> + <title>NOTES</title> + <para> + The complete group membership hierarchy is resolved + before the access check, thus even nested groups can be + included in the access lists. Please be aware that the + <quote>ldap_group_nesting_level</quote> option may impact the + results and should be set to a sufficient value. + (<citerefentry> + <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>) option. + </para> + </refsect1> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" /> </refentry> -- 1.9.0
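Review bot: in the sssd-ldap.5.xml hunk the attribute name `memberOf` is written as bare text while the second hunk wraps the option name in `<quote>ldap_group_nesting_level</quote>`; for consistent rendering of identifiers across the two man pages, consider marking it up the same way, e.g. `(e.g. <quote>memberOf</quote> attribute on AD entries points only to direct parents)`.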
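Review bot: the NOTES paragraph in the sssd-simple.5.xml hunk ends with a dangling word: after "should be set to a sufficient value." the fragment `(<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </citerefentry>) option.` stands as its own sentence and will render as "(sssd-ldap(5)) option.", which looks like a leftover from rewording the sentence per the review. Suggest folding the reference into the sentence and dropping the trailing `option.`, e.g. `Please be aware that the <quote>ldap_group_nesting_level</quote> option (see <citerefentry><refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum></citerefentry>) may impact the results and should be set to a sufficient value.`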
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel