From: Nick Porter <nick@portercomputing.co.uk>
Date: Fri, 25 Aug 2023 16:52:12 +0000 (+0100)
Subject: Add notes on LDAP group membership xlat to upgrade doc
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bf689e4635ca2987621dbb1780fb2c43c9221ffa;p=thirdparty%2Ffreeradius-server.git

Add notes on LDAP group membership xlat to upgrade doc
---

diff --git a/doc/antora/modules/installation/pages/upgrade.adoc b/doc/antora/modules/installation/pages/upgrade.adoc
index 808418407c9..f7cbb5599ce 100644
--- a/doc/antora/modules/installation/pages/upgrade.adoc
+++ b/doc/antora/modules/installation/pages/upgrade.adoc
@@ -824,6 +824,26 @@ The `expiration` module has been replaced with an `unlang` policy.
 The policy is located in `raddb/policy.d/time`.  The `Expiration`
 attribute should continue to work the same as with v3.
 
+=== rlm_ldap
+
+The `ldap` module provides an expansion `%{ldap.memberof:<name>}` instead of
+`LDAP-Group` for dynamically testing group membership.  The old method of
+
+```
+LDAP-Group == "foo"
+```
+
+will no longer work.
+
+The cacheing of group membership into attributes in the `control` list is
+still available, so
+
+```
+&control.LDAP-Group[*] == "foo"
+```
+can also be used to test membership after having called the `ldap` module,
+if `cacheable_name` or `cacheable_dn` are enabled.
+
 === rlm_mschap
 
 The `winbind_*` configuration options are now in a `winbind`