On Wed, Feb 26, 2014 at 05:30:55PM +0100, Jakub Hrozek wrote:
> On Wed, Feb 26, 2014 at 05:22:51PM +0100, Jakub Hrozek wrote:
> > On Wed, Feb 26, 2014 at 11:14:33AM -0500, Stephen Gallagher wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > On 02/26/2014 10:08 AM, Jakub Hrozek wrote:
> > > > On Mon, Feb 24, 2014 at 07:47:08PM +0100, Jakub Hrozek wrote:
> > > >> The attached patch addresses:
> > > >>
> > > > >> https://fedorahosted.org/sssd/ticket/2235
> > > >>
> > > > >> The memberof example was misleading and was making administrators
> > > >> think that the ldap_access_filter can resolve nested group
> > > >> memberships.
> > > >>
> > > > >> The alternative I was considering was changing the example to use
> > > > >> a different attribute altogether, but I was struggling to come up
> > > > >> with an example that wouldn't be too artificial (like
> > > > >> ldap_access_filter=/bin/bash).
> > > >
> > > > > Stephen's review seems to be stuck in mailman queue, so I'm sending
> > > > > a patch that contains his suggestion as a reply to myself.
> > > >
> > > > The employeeType attribute Stephen suggested is a good choice, I
> > > > think.
> > > >
> > >
> > > If we're changing the cited example, I'm not sure we need to call out
> > > the memberOf example anymore.
> >
> > Hmm, initially I wanted to keep it in, because memberOf is what I see
> > used mostly in the field but you're right that when I don't think about
> > the context of the change and just read the man page text, it is
> > confusing to start talking about memberOf.
> >
> > Another iteration of the patch is attached.
>
> Yet another version that retains a part of the paragraph (.."applied on
> the LDAP entry only..") and changes description of the example.
And now with the correct patch..