On Mon 02 Jun 2014 09:13:32 AM EDT, Jakub Hrozek wrote:
> On Mon, Jun 02, 2014 at 08:22:14AM -0400, Stephen Gallagher wrote:
>> On 06/01/2014 04:09 PM, Jakub Hrozek wrote:
>>> On Fri, May 30, 2014 at 06:04:01PM +0200, Pavel Reichl wrote:
>>>> OK, please see updated patch. PR
>>>
>>> Thank you, from content point of view, this looks correct to me.
>>>
>>> Can you please ping some native English speaker before I push the
>>> patch? There are two parts below that I'm not sure about, but as I
>>> said, it's not about content, just ironing out the language.
>>>
>>> [snip]
>>>
>>>> @@ -1776,7 +1776,14 @@ users being denied access. Use >>>> access_provider = permit to change this default behavior. Please >>>> note that this filter is applied on - >>>> the LDAP user entry only. + the LDAP >>>> user entry only and thus filtering based + >>>> on nested groups may not work (e.g. memberOf + >>>> attribute on AD entries points only on direct
>>
>> "points only *to* direct parents"
>>
>>>> + parents). If nested group based >>>> filtering is + desired please see
>>>
>>
>> "If filtering based on nested groups is required, please see"
>>
>>
>>> Maybe required instead of desired?
>>>
>>>> + <citerefentry> + >>>> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> >>>> >>>> >> + </citerefentry>. >>>> </para> <para> Example: diff --git a/src/man/sssd-simple.5.xml >>>> b/src/man/sssd-simple.5.xml index >>>> 8f94990da9d94dca2f6b5730aaab6b4468fed487..5a0af337e3a45175aaa7a1a36fae5c1da2ead0c4 >>>> 100644 --- a/src/man/sssd-simple.5.xml +++ >>>> b/src/man/sssd-simple.5.xml
@@ -144,6 +144,18 @@ </para> >>>> </refsect1> >>>> >>>> + <refsect1 id='notes'> + <title>NOTES</title> + >>>> <para> + The complete group memberships are resolved >>>> before the access check,
>>>
>>> I'm not sure if "group memberships are" should read "group
>>> membership is", iow if it's better to use singular or plural
>>> here..
>>>
>>
>> "The complete group membership hierarchy is resolved before the access
>> check, thus even nested groups..."
>>
>>
>>>> + so even nested groups can be included in the access >>>> lists. Please be + aware of ldap_group_nesting_level
>>
>>
>> "Please be aware that the 'ldap_group_nesting_level' option may impact
>> the results and should be set to a sufficient value."
>
> Thanks for the review!
>
> Pavel is not around today, so I took the liberty of updating the patch
> with your suggestions so we can move forward.
>
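
Review bot: The added sentence in the @@ -1776,7 +1776,14 @@ hunk says filtering based on nested groups "may not work" without telling the administrator what they will observe. Since the parenthetical already explains that memberOf lists only direct parents, state the effect directly, for example that a user who belongs to a group only through nesting will not match a filter on memberOf. The closing "please see" would also be easier to act on if it named what the sssd-simple(5) page offers for this case rather than only citing it.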
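
Review bot: In the new NOTES section of sssd-simple.5.xml (@@ -144,6 +144,18 @@), ldap_group_nesting_level appears as bare text in the <para> with no option markup and no pointer to the man page that documents it. The other hunk uses a <citerefentry> for its cross-reference, so the same would fit here. It would also help to say which way the setting fails: if the nesting level is lower than the depth of the group hierarchy, memberships below that depth are not resolved, and an access list that names such a group will not apply to those users.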
Ack