From 02011187307ce97d1f41810288b617682a1f311a Mon Sep 17 00:00:00 2001
From: Dan Lavu <dlavu@redhat.com>
Date: Nov 19 2014 22:39:43 +0000
Subject: MAN: page edit for ldap_use_tokengroups


Resolves:
https://fedorahosted.org/sssd/ticket/2448

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

---

diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index d7a2a4a..5b36f69 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -2482,7 +2482,18 @@ ldap_access_filter = (employeeType=admin)
                     <term>ldap_group_search_base (string)</term>
                     <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/ldap_search_bases.xml" />
                 </varlistentry>
-
+            </variablelist>
+            <variablelist>
+                <note>
+                    <para>
+                        If the option <quote>ldap_use_tokengroups</quote> is
+                        enabled. The searches against Active Directory will
+                        not be restricted and return all groups memberships,
+                        even with no gid mapping. It is recommended to disable
+                        this feature, if group names are not being displayed
+                        correctly.
+                    </para>
+                </note>
                 <varlistentry condition="with_sudo">
                     <term>ldap_sudo_search_base (string)</term>
                     <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/ldap_search_bases.xml" />