>From 095cfb8212f104805c0fd237dd9102d19f484815 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Mon, 24 Feb 2014 19:42:23 +0100 Subject: [PATCH] MAN: Clarify the ldap_access_filter option further https://fedorahosted.org/sssd/ticket/2235 The memberof example was misleading and was making administrators think that the ldap_access_filter can resolve nested group memberships. --- src/man/sssd-ldap.5.xml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index 9e572836d79d84615712943382b0348ecc544e61..a5d8a5d4bbea1b3293e2e50bf1986817db6b2498 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -1790,6 +1790,19 @@ ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com in ldap. + Please note that this filter is applied on + the LDAP user entry only. With many directory + servers (notably Active Directory), the + memberOf attribute only includes + the direct membership. If the directory uses + nested groups, the simple access provider is + often a better choice. See + the + sssd-simple + 5 + manual page for more information. + + Offline caching for this feature is limited to determining whether the user's last online login was granted access permission. If they were -- 1.8.5.3
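Review bot: The paragraph added after the memberOf example in src/man/sssd-ldap.5.xml explains that the filter is applied to the user entry only and that memberOf often holds only direct membership, but it never states what that means for the example directly above it: a user who belongs to cn=allowedusers only through a nested group will not match the filter. Spelling out that outcome would address the misunderstanding named in the commit message more directly than leaving the reader to infer it. The pointer to the simple access provider would also be more useful if it briefly said why that provider copes with nested groups, so the reader knows what to look for in sssd-simple(5). Minor wording: "applied on the LDAP user entry" reads better as "applied to the LDAP user entry", and "the direct membership" as "direct memberships".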