Ticket 47829: memberof scope: allow to exclude subtrees
Bug Description:
Memberof Plugins can be restricted to a given subtree memberofentryscope
(https://fedorahosted.org/389/ticket/47526).
A limitation is that the scope is singled valued so there is no
possibility to configure several containers but not all of them.
For example with https://fedorahosted.org/freeipa/ticket/3813, we need memberof
to scope all the suffix except one special container: cn=provisioning,SUFFIX
Fix Description:
A solution to make 'memberofentryscope' multivalued is possible but not really convenient.
For example for https://fedorahosted.org/freeipa/ticket/3813, we would need to all the containers
(accounts, sudo, hbac, pbac...) except the 'provisioning' container.
The implemented solution is to allow to exclude a subtree from the memberof scoping.
So the configuration could be:
memberofentryscope: SUFFIX
memberofentryscopeexcludesubtree: cn=provisioning,SUFFIX
https://fedorahosted.org/389/ticket/47829
Reviewed by: Rich Megginson (thanks Rich !!)
Platforms tested: F17/F19/F20
Flag Day: no
Doc impact: no