47e5dcc Ticket 47829: memberof scope: allow to exclude subtrees

Authored and Committed by tbordaz 8 years ago
    Ticket 47829: memberof scope: allow to exclude subtrees
    Bug Description:
    	Memberof Plugins can be restricted to a given subtree memberofentryscope
    	A limitation is that the scope is singled valued so there is no
    	possibility to configure several containers but not all of them.
    	For example with https://fedorahosted.org/freeipa/ticket/3813, we need memberof
    	to scope all the suffix except one special container: cn=provisioning,SUFFIX
    Fix Description:
    	A solution to make 'memberofentryscope' multivalued is possible but not really convenient.
    	For example for https://fedorahosted.org/freeipa/ticket/3813, we would need to all the containers
    	(accounts, sudo, hbac, pbac...) except the 'provisioning' container.
    	The implemented solution is to allow to exclude a subtree from the memberof scoping.
    	So the configuration could be:
    		memberofentryscope: SUFFIX
    		memberofentryscopeexcludesubtree: cn=provisioning,SUFFIX
    Reviewed by: Rich Megginson (thanks Rich !!)
    Platforms tested: F17/F19/F20
    Flag Day: no
    Doc impact: no