URL: https://github.com/SSSD/sssd/pull/60 Author: taupehat Title: #60: Document ad_access_filter search for nested groups Action: synchronized
To pull the PR as Git branch:

git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/60/head:pr60
git checkout pr60
From 5397dd8190747a2cb59884467d879662f6bae065 Mon Sep 17 00:00:00 2001 From: Mike Ely <git...@taupehat.com> Date: Wed, 2 Nov 2016 11:26:21 -0700 Subject: [PATCH] ad_access_filter search for nested groups Includes instructions and example for AD nested group access Related to https://fedorahosted.org/sssd/ticket/3218 Signed-off-by: Mike Ely <git...@taupehat.com> --- src/man/sssd-ad.5.xml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml index 8a2f4ad..2618f83 100644 --- a/src/man/sssd-ad.5.xml +++ b/src/man/sssd-ad.5.xml @@ -236,6 +236,19 @@ ad_enabled_domains = sales.example.com, eng.example.com search bases work. </para> <para> + Nested group membership must be searched for using + a special OID <quote>:1.2.840.113556.1.4.1941:</quote> + in addition to the full DOM:domain.example.org: syntax + to ensure the parser does not attempt to interpret the + colon characters associated with the OID. If you do not + use this OID then nested group membership will not be + resolved. See usage example below and refer here + for further information about the OID: + <ulink + url="https://msdn.microsoft.com/en-us/library/cc223367.aspx"> + [MS-ADTS] section LDAP extensions</ulink> + </para> + <para> The most specific match is always used. For example, if the option specified filter for a domain the user is a member of and a @@ -255,6 +268,9 @@ DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com) # apply filter on forest called EXAMPLE.COM only: FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com) + +# apply filter for a member of a nested group in dom1: +DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com) </programlisting> <para> Default: Not set
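Review bot: In the first hunk (the new paragraph after "search bases work."), the sentence "Nested group membership must be searched for using a special OID ... in addition to the full DOM:domain.example.org: syntax to ensure the parser does not attempt to interpret the colon characters" runs two separate points together and leaves the reader unsure which one the DOM: prefix is for. The OID 1.2.840.113556.1.4.1941 is the LDAP_MATCHING_RULE_IN_CHAIN extensible-match rule, which makes the server evaluate memberOf transitively; the DOM:/FOREST: prefix is a separate requirement that exists only because the resulting filter itself contains colons and the ad_access_filter parser otherwise treats the text before the first colon as a DOM/FOREST spec. Suggest splitting it into two sentences, e.g. "To match nested group membership, use the matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) in the filter. Because such a filter contains colons, it must be given with an explicit DOM:domain: or FOREST:forest: prefix so that the colons inside the filter are not interpreted as the spec delimiter." The quoted value should also be the OID alone, without the surrounding colons, which are extensibleMatch syntax rather than part of the OID, and the placeholder domain should follow the dom1/dom2/example.com naming used by the rest of this option's text. "See usage example below and refer here for further information about the OID:" is awkward; "See the example below; the matching rule is described in" followed by the ulink reads better. Finally, consider moving the paragraph after the "most specific match" paragraph, directly before the programlisting, so the DOM/FOREST precedence discussion is not interrupted.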
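Review bot: In the second hunk, the added example `DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)` scopes the filter to dom1 but names a group under dc=example,dc=com, whereas the existing dom2 example uses dc=dom2,dc=com for the same purpose. Since the whole point of the prefix is that this filter is applied to users from dom1, the group DN should live in that domain too: `DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=dom1,dc=com)`. The comment "apply filter for a member of a nested group in dom1" also undersells what the rule does; something like "allow users of dom1 who are direct or nested members of nestedgroup" states the behaviour the reader is trying to get.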
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org