On Mon, Feb 24, 2014 at 07:47:08PM +0100, Jakub Hrozek wrote:
The attached patch addresses:
https://fedorahosted.org/sssd/ticket/2235
The memberof example was misleading and was making administrators think
that the ldap_access_filter can resolve nested group memberships.
The alternative I was considering was changing the example to use a
different attribute altogether, but I was struggling to come up with an
example that wouldn't be too artificial (like
ldap_access_filter=/bin/bash).
Stephen's review seems to be stuck in mailman queue, so I'm sending a
patch that contains his suggestion as a reply to myself.
The employeeType attribute Stephen suggested is a good choice, I think.