From 7186923d877605f632fa17053a674f8266fd08bb Mon Sep 17 00:00:00 2001 From: Mike Ely Date: Wed, 2 Nov 2016 11:26:21 -0700 Subject: [PATCH 19/39] ad_access_filter search for nested groups Includes instructions and example for AD nested group access Related to https://fedorahosted.org/sssd/ticket/3218 Signed-off-by: Mike Ely Reviewed-by: Sumit Bose (cherry picked from commit cf5357ae83cc9fe2240038b8bdccec2cb98991fc) (cherry picked from commit e1c2aead482cd4bf83a7fe5e68630a981389e82b) --- src/man/sssd-ad.5.xml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml index 8a2f4ade9..2618f8324 100644 --- a/src/man/sssd-ad.5.xml +++ b/src/man/sssd-ad.5.xml @@ -236,6 +236,19 @@ ad_enabled_domains = sales.example.com, eng.example.com search bases work. + Nested group membership must be searched for using + a special OID :1.2.840.113556.1.4.1941: + in addition to the full DOM:domain.example.org: syntax + to ensure the parser does not attempt to interpret the + colon characters associated with the OID. If you do not + use this OID then nested group membership will not be + resolved. See usage example below and refer here + for further information about the OID: + + [MS-ADTS] section LDAP extensions + + The most specific match is always used. For example, if the option specified filter for a domain the user is a member of and a @@ -255,6 +268,9 @@ DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com) # apply filter on forest called EXAMPLE.COM only: FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com) + +# apply filter for a member of a nested group in dom1: +DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com) Default: Not set -- 2.11.0
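Review bot: In the first hunk (the new paragraph after "search bases work."), the sentence "Nested group membership must be searched for using a special OID ... in addition to the full DOM:domain.example.org: syntax to ensure the parser does not attempt to interpret the colon characters" reads as if the OID is what protects the parser, when it is the other way round: the OID introduces extra colons into the filter, so the DOM:name: (or FOREST:name:) prefix becomes mandatory for the ad_access_filter parser to locate the filter correctly. Suggest splitting it into two statements, e.g. "Nested group membership is only resolved if the filter uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule, OID 1.2.840.113556.1.4.1941. Because the OID adds colons to the filter, the full DOM:domain.example.org: syntax must be used so that the parser does not misinterpret them." The trailing reference "refer here for further information ... [MS-ADTS] section LDAP extensions" also lacks a section number and a visible URL; "here" as link text is meaningless once the man page is rendered as plain text, so spell out the MS-ADTS section being cited. Naming the matching rule rather than only its OID would help administrators recognise it in other AD documentation.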
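Review bot: In the second hunk, the added example "DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)" pairs the dom1 keyword with a dc=example,dc=com suffix, while the neighbouring dom2 example uses dc=dom2,dc=com and the FOREST example uses dc=example,dc=com; use "dc=dom1,dc=com" so the domain keyword and the group DN agree and the reader does not take the mismatch as intentional. The comment "apply filter for a member of a nested group in dom1" could also state what the rule actually matches, e.g. "# allow users who are members of cn=nestedgroup in dom1, directly or through nested groups:", since the paragraph in the first hunk stresses that without the OID such members are silently denied.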