From b4207ed070860509736e152b4788f21b6588c9c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Fri, 21 Apr 2017 13:11:39 +0200
Subject: [PATCH 1/2] SUBDOMAINS: Configurable ignore_group_members

Allow ignore_group_members in the subdomain section in sssd.conf.

Resolves:
https://pagure.io/SSSD/sssd/issue/3337
---
 src/db/sysdb_subdomains.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index e2a4f7b..063177d 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -218,6 +218,22 @@ check_subdom_config_file(struct confdb_ctx *confdb,
           sd_conf_path, CONFDB_DOMAIN_FQ,
           subdomain->fqnames ? "TRUE" : "FALSE");
 
+
+    /* ignore_group_members */
+    ret = confdb_get_bool(confdb, sd_conf_path,
+                          CONFDB_DOMAIN_IGNORE_GROUP_MEMBERS,
+                          false, &subdomain->ignore_group_members);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Failed to get %s option for the subdomain: %s\n",
+              CONFDB_DOMAIN_FQ, subdomain->name);
+        goto done;
+    }
+
+    DEBUG(SSSDBG_CONF_SETTINGS, "%s/%s has value %s\n",
+          sd_conf_path, CONFDB_DOMAIN_IGNORE_GROUP_MEMBERS,
+          subdomain->ignore_group_members ? "TRUE" : "FALSE");
+
     ret = EOK;
 done:
     talloc_free(tmp_ctx);
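Review bot: The failure message in the added `DEBUG(SSSDBG_OP_FAILURE, ...)` call names `CONFDB_DOMAIN_FQ`, but the lookup that failed is for `CONFDB_DOMAIN_IGNORE_GROUP_MEMBERS`, so the log would point an administrator at the wrong option. The argument line should read `CONFDB_DOMAIN_IGNORE_GROUP_MEMBERS, subdomain->name);`. Separately, `confdb_get_bool` is given a hard-coded default of `false` and writes straight into `subdomain->ignore_group_members`. If that field can already hold a value at this point (for example one inherited from the parent domain, which is not visible in this hunk), an option left unset in the subdomain section would silently reset it. It is worth confirming this, and if so passing the current field value as the default. The body of `check_subdom_config_file` starts and ends outside the hunk.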

From 5f2d1616421d6f9c32bb07cd530abf2c4e756293 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Fri, 21 Apr 2017 17:44:41 +0200
Subject: [PATCH 2/2] MAN: Add options for subdomains

Add options supported in subdomain_inherit to the subdomain section
of sssd.conf.

Resolves:
https://pagure.io/SSSD/sssd/issue/3337
---
 src/man/sssd.conf.5.xml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index c712870..a5cdcba 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2923,7 +2923,12 @@ ldap_user_extra_attrs = phone:telephoneNumber
             <para>ad_server,</para>
             <para>ad_backup_server,</para>
             <para>ad_site,</para>
-            <para>use_fully_qualified_names</para>
+            <para>use_fully_qualified_names,</para>
+            <para>ignore_group_members,</para>
+            <para>ldap_purge_cache_timeout,</para>
+            <para>ldap_use_tokengroups,</para>
+            <para>ldap_user_principal.</para>
+
         <para>
             For more details about these options see their individual description
             in the manual page.
