From 9c65b89fd963f1b8433190765e531d5670b18cb3 Mon Sep 17 00:00:00 2001 From: Dominika Borges Date: Mon, 20 Jan 2025 16:49:26 +0100 Subject: [PATCH] doc: improve description of ldap_disable_range_retrieval Reviewed-by: Justin Stephenson Reviewed-by: Sumit Bose --- src/man/sssd-ldap.5.xml | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index d50aa65b2c1..169d0c5719a 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -692,13 +692,17 @@ Disable Active Directory range retrieval. - Active Directory limits the number of members to be + Active Directory limits the number of members that can be retrieved in a single lookup using the MaxValRange - policy (which defaults to 1500 members). If a group - contains more members, the reply would include an - AD-specific range extension. This option disables - parsing of the range extension, therefore large - groups will appear as having no members. + policy, which defaults to 1500 members. If a group + contains more than 1500 members, the reply includes + an AD-specific range extension. When enabled, + this option prevents SSSD from parsing the range + extension. As a result large groups will appear as they + have no members. + This option does not enable SSSD to read subsequent + ranges. To retrieve all members of a group, you must + increase the MaxValRange setting in Active Directory. Default: False
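Review bot: The added condition "If a group contains more than 1500 members" hard-codes the default, while the same paragraph says the limit comes from the MaxValRange policy and later tells the admin to increase it; once MaxValRange is raised the sentence is wrong, so tie it to the policy instead, for example "If a group contains more members than MaxValRange allows". In the last added sentences, "This option does not enable SSSD to read subsequent ranges" does not say which value of the option it describes and reads ambiguously right after "When enabled"; state it in terms of the setting, for example "With this option set to true, SSSD does not request the subsequent ranges". Wording: "As a result large groups will appear as they have no members" needs a comma and "as if" ("As a result, large groups will appear as if they have no members").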