From 6263578b03a52b3ec3a2e33e097554241780fc20 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 14 May 2013 18:00:10 +0200
Subject: Adding option to disable retrieving large AD groups.

This commit adds new option ldap_disable_range_retrieval with default value
FALSE. If this option is enabled, large groups(>1500) will not be retrieved and
behaviour will be similar like was before commit ae8d047122c
"LDAP: Handle very large Active Directory groups"

https://fedorahosted.org/sssd/ticket/1823
---
 src/man/sssd-ldap.5.xml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

(limited to 'src/man')

diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 79921330..37df5ec1 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1200,6 +1200,27 @@
                     </listitem>
                 </varlistentry>
 
+                <varlistentry>
+                    <term>ldap_disable_range_retrieval (boolean)</term>
+                    <listitem>
+                        <para>
+                            Disable Active Directory range retrieval.
+                        </para>
+                        <para>
+                            Active Directory limits the number of members to be
+                            retrieved in a single lookup using the MaxValRange
+                            policy (which defaults to 1500 members). If a group
+                            contains more members, the reply would include an
+                            AD-specific range extension. This option disables
+                            parsing of the range extension, therefore large
+                            groups will appear as having no members.
+                        </para>
+                        <para>
+                            Default: False
+                        </para>
+                    </listitem>
+                </varlistentry>
+
                 <varlistentry>
                     <term>ldap_sasl_minssf (integer)</term>
                     <listitem>
-- 
cgit