[ipfire-3.x.git] / sssd / patches / 0019-ad_access_filter-search-for-nested-groups.patch

From 7186923d877605f632fa17053a674f8266fd08bb Mon Sep 17 00:00:00 2001
From: Mike Ely <github@taupehat.com>
Date: Wed, 2 Nov 2016 11:26:21 -0700
Subject: [PATCH 19/39] ad_access_filter search for nested groups

Includes instructions and example for AD nested group access

Related to https://fedorahosted.org/sssd/ticket/3218

Signed-off-by: Mike Ely <github@taupehat.com>

Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit cf5357ae83cc9fe2240038b8bdccec2cb98991fc)
(cherry picked from commit e1c2aead482cd4bf83a7fe5e68630a981389e82b)
---
 src/man/sssd-ad.5.xml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 8a2f4ade9..2618f8324 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -236,6 +236,19 @@ ad_enabled_domains = sales.example.com, eng.example.com
                             search bases work.
                         </para>
                         <para>
+                            Nested group membership must be searched for using
+                            a special OID <quote>:1.2.840.113556.1.4.1941:</quote>
+                            in addition to the full DOM:domain.example.org: syntax
+                            to ensure the parser does not attempt to interpret the
+                            colon characters associated with the OID. If you do not
+                            use this OID then nested group membership will not be
+                            resolved. See usage example below and refer here
+                            for further information about the OID:
+                            <ulink
+                            url="https://msdn.microsoft.com/en-us/library/cc223367.aspx">
+                            [MS-ADTS] section LDAP extensions</ulink>
+                        </para>
+                        <para>
                             The most specific match is always used. For
                             example, if the option specified filter
                             for a domain the user is a member of and a
@@ -255,6 +268,9 @@ DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)
 
 # apply filter on forest called EXAMPLE.COM only:
 FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
+
+# apply filter for a member of a nested group in dom1:
+DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)
                         </programlisting>
                         <para>
                             Default: Not set
-- 
2.11.0
Commit	Line	Data
92ae11e3 SS	1	From 7186923d877605f632fa17053a674f8266fd08bb Mon Sep 17 00:00:00 2001
	2	From: Mike Ely <github@taupehat.com>
	3	Date: Wed, 2 Nov 2016 11:26:21 -0700
	4	Subject: [PATCH 19/39] ad_access_filter search for nested groups
	5
	6	Includes instructions and example for AD nested group access
	7
	8	Related to https://fedorahosted.org/sssd/ticket/3218
	9
	10	Signed-off-by: Mike Ely <github@taupehat.com>
	11
	12	Reviewed-by: Sumit Bose <sbose@redhat.com>
	13	(cherry picked from commit cf5357ae83cc9fe2240038b8bdccec2cb98991fc)
	14	(cherry picked from commit e1c2aead482cd4bf83a7fe5e68630a981389e82b)
	15	---
	16	src/man/sssd-ad.5.xml \| 16 ++++++++++++++++
	17	1 file changed, 16 insertions(+)
	18
	19	diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
	20	index 8a2f4ade9..2618f8324 100644
	21	--- a/src/man/sssd-ad.5.xml
	22	+++ b/src/man/sssd-ad.5.xml
	23	@@ -236,6 +236,19 @@ ad_enabled_domains = sales.example.com, eng.example.com
	24	search bases work.
	25	</para>
	26	<para>
	27	+ Nested group membership must be searched for using
	28	+ a special OID <quote>:1.2.840.113556.1.4.1941:</quote>
	29	+ in addition to the full DOM:domain.example.org: syntax
	30	+ to ensure the parser does not attempt to interpret the
	31	+ colon characters associated with the OID. If you do not
	32	+ use this OID then nested group membership will not be
	33	+ resolved. See usage example below and refer here
	34	+ for further information about the OID:
	35	+ <ulink
	36	+ url="https://msdn.microsoft.com/en-us/library/cc223367.aspx">
	37	+ [MS-ADTS] section LDAP extensions</ulink>
	38	+ </para>
	39	+ <para>
	40	The most specific match is always used. For
	41	example, if the option specified filter
	42	for a domain the user is a member of and a
	43	@@ -255,6 +268,9 @@ DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)
	44
	45	# apply filter on forest called EXAMPLE.COM only:
	46	FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
	47	+
	48	+# apply filter for a member of a nested group in dom1:
	49	+DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)
	50	</programlisting>
	51	<para>
	52	Default: Not set
	53	--
	54	2.11.0
	55