47e5dcc Ticket 47829: memberof scope: allow to exclude subtrees

Authored and Committed by tbordaz 9 years ago
    Ticket 47829: memberof scope: allow to exclude subtrees
    
    Bug Description:
    	Memberof Plugins can be restricted to a given subtree memberofentryscope
    	(https://fedorahosted.org/389/ticket/47526).
    	A limitation is that the scope is singled valued so there is no
    	possibility to configure several containers but not all of them.
    	For example with https://fedorahosted.org/freeipa/ticket/3813, we need memberof
    	to scope all the suffix except one special container: cn=provisioning,SUFFIX
    
    Fix Description:
    	A solution to make 'memberofentryscope' multivalued is possible but not really convenient.
    	For example for https://fedorahosted.org/freeipa/ticket/3813, we would need to all the containers
    	(accounts, sudo, hbac, pbac...) except the 'provisioning' container.
    
    	The implemented solution is to allow to exclude a subtree from the memberof scoping.
    	So the configuration could be:
    		memberofentryscope: SUFFIX
    		memberofentryscopeexcludesubtree: cn=provisioning,SUFFIX
    
    https://fedorahosted.org/389/ticket/47829
    
    Reviewed by: Rich Megginson (thanks Rich !!)
    
    Platforms tested: F17/F19/F20
    
    Flag Day: no
    
    Doc impact: no