Merge "Update SSH User Authentication using WAD to include usage of "ldap_access_filter" parameter"

doc/source/security/kubernetes/sssd-support-5fb6c4b0320b.rst

@@ -97,13 +97,13 @@ Commands to add mandatory parameters for a remote ldap domain:
     # <service_name> is “identity” for all domains.
     # <section_name> identifies a domain as either “ldap-domain1”, “ldap-domain2” or “ldap-domain3”.
 
-    E.g.:
+    Example:
 
     system service-parameter-add identity ldap-domain1 domain_name=ad.wad-server.com
 
     system service-parameter-add identity ldap-domain1 ldap_uri=ldaps://ad.wad-server.com
 
-    system service-parameter-add identity ldap-domain1 ldap_access_filter=memberOf=CN=WRCP_Admin,CN=Users,DC=wad-server,DC=com
+    system service-parameter-add identity ldap-domain1 ldap_access_filter=memberOf=CN=allowedusers,CN=Users,DC=wad-server,DC=com
 
     system service-parameter-add identity ldap-domain1 ldap_search_base=CN=Users,DC=wad-server,DC=com
 
@@ -111,6 +111,22 @@ Commands to add mandatory parameters for a remote ldap domain:
 
     system service-parameter-add identity ldap-domain1 ldap_default_authtok =Passw0rd*
 
+.. note::
+
+    The ``ldap_access_filter`` service parameter can be configured to allow
+    access to the Linux host. In the following example, the access is
+    restricted to members of the group ``allowedusers``. Users that are not
+    part of ``allowedusers`` will get the message ``Authentication failed``.
+    Here, ``allowedusers`` is an example of a |WAD| group.
+
+    .. code-block:: none
+
+        system service-parameter-add identity ldap-domain1 ldap_access_filter=memberOf=CN=allowedusers,CN=Users,DC=wad-1,DC=cumulus,DC=wrs,DC=com
+
+    The ``allowedusers`` group is a |WAD| group where the ``gidNumber``
+    |LDAP| attribute must be set to a unique group number among Linux groups so
+    that it is mapped on the Linux platform as a Linux |LDAP| group with a
+    unique ``gid`` value.
 
 Optional Parameters
 -------------------