From 19e0bdabb9699130cf99d9192f6ab06fa0f6f923 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Wed, 9 Dec 2015 13:03:51 +0100
Subject: [PATCH] MAN: Clarify when should TGs be disabled for group nesting restriction
Resolves: https://fedorahosted.org/sssd/ticket/2796
---
src/man/sssd-ldap.5.xml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 123ac3fac3cb1feaef67ba44be65f98cd0ab8043..66b9024bcdc6faced67c4e44f9cde7caa9a5ecc8 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -963,9 +963,11 @@ If ldap_group_nesting_level is set to 0 then no nested groups are processed at all. However, when - connected to Active-Directory Server 2008 and later + connected to Active-Directory Server 2008 + and later using id_provider=ad it is furthermore required to disable usage of - Token-Groups by setting ldap_use_tokengroups to false. + Token-Groups by setting ldap_use_tokengroups + to false in order to restrict group nesting. Default: 2
--
2.4.3