56 lines
2.5 KiB
From 7186923d877605f632fa17053a674f8266fd08bb Mon Sep 17 00:00:00 2001
From: Mike Ely <github@taupehat.com>
Date: Wed, 2 Nov 2016 11:26:21 -0700
Subject: [PATCH 19/39] ad_access_filter search for nested groups
Includes instructions and example for AD nested group access
Related to https://fedorahosted.org/sssd/ticket/3218
Signed-off-by: Mike Ely <github@taupehat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit cf5357ae83cc9fe2240038b8bdccec2cb98991fc)
(cherry picked from commit e1c2aead482cd4bf83a7fe5e68630a981389e82b)
---
src/man/sssd-ad.5.xml | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 8a2f4ade9..2618f8324 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -236,6 +236,19 @@ ad_enabled_domains = sales.example.com, eng.example.com
search bases work.
</para>
<para>
+ Nested group membership must be searched for using
+ a special OID <quote>:1.2.840.113556.1.4.1941:</quote>
+ in addition to the full DOM:domain.example.org: syntax
+ to ensure the parser does not attempt to interpret the
+ colon characters associated with the OID. If you do not
+ use this OID then nested group membership will not be
+ resolved. See usage example below and refer here
+ for further information about the OID:
+ <ulink
+ url="https://msdn.microsoft.com/en-us/library/cc223367.aspx">
+ [MS-ADTS] section LDAP extensions</ulink>
+ </para>
+ <para>
The most specific match is always used. For
example, if the option specified filter
for a domain the user is a member of and a
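Review bot: The new explanatory paragraph (the added lines after `<para>`) puts the emphasis in the wrong place. The colons in `memberOf:1.2.840.113556.1.4.1941:=` are ordinary LDAP extensible-match syntax; the point the paragraph itself makes is that a filter containing colons has to carry the `DOM:domain:` (or `FOREST:forest:`) prefix so that the ad_access_filter parser does not treat the text around those colons as its own prefix syntax. Suggest saying that directly, e.g. "Because this filter contains colons, it must be written with the DOM: or FOREST: prefix so that the parser does not misinterpret them", and naming the OID as the LDAP_MATCHING_RULE_IN_CHAIN extensible match rule so readers can locate it in the linked [MS-ADTS] section. "See usage example below and refer here for further information about the OID:" reads awkwardly; "See the example below; the matching rule is described in" followed by the `<ulink>` would be cleaner. Finally, the surrounding examples use short domain labels (`DOM:dom2:`, `FOREST:EXAMPLE.COM:`), so the `DOM:domain.example.org:` form introduced here should either match that style or state that the domain is the one configured in ad_domain.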
@@ -255,6 +268,9 @@ DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)
 
# apply filter on forest called EXAMPLE.COM only:
FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
+
+# apply filter for a member of a nested group in dom1:
+DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)
</programlisting>
<para>
Default: Not set
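Review bot: The added example's group DN, `cn=nestedgroup,ou=groups,dc=example,dc=com`, does not live in the domain the filter is scoped to (`DOM:dom1:`), whereas the neighbouring example visible in the hunk header context, `DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)`, keeps the DN's dc components aligned with the domain prefix. Suggest `dc=dom1,dc=com` so the example is internally consistent and does not read as a dom1-scoped filter referencing a group from another domain. It would also help to extend the comment line to say what the `:1.2.840.113556.1.4.1941:` form buys over the plain `memberOf=` examples above it (membership through intermediate groups, per the paragraph added in the first hunk), since the comment currently only says "nested group".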
--
2.11.0