From 7254f3b2e725149a953cdb1cf3c7c1812c79293a Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 4 Jul 2016 10:48:54 +0200
Subject: [PATCH] document how a certificate may hold multiple groups

---
 doc/sample.config | 5 +++--
 src/ocserv-args.def | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/doc/sample.config b/doc/sample.config
index 2a72bc02..af2c4fc8 100644
--- a/doc/sample.config
+++ b/doc/sample.config
@@ -220,8 +220,9 @@ try-mtu-discovery = false
 cert-user-oid = 0.9.2342.19200300.100.1.1

 # The object identifier that will be used to read the user group in the
-# client certificate. The object identifier should be part of the certificate's
-# DN. Useful OIDs are:
+# client certificate. The object identifier should be part of the certificate's
+# DN. If the user may belong to multiple groups, then use multiple such fields
+# in the certificate's DN. Useful OIDs are:
 # OU (organizational unit) = 2.5.4.11
 #cert-group-oid = 2.5.4.11

diff --git a/src/ocserv-args.def b/src/ocserv-args.def
index fa9117c8..e62bfd56 100644
--- a/src/ocserv-args.def
+++ b/src/ocserv-args.def
@@ -324,8 +324,9 @@ try-mtu-discovery = false
 #cert-user-oid = 0.9.2342.19200300.100.1.1

 # The object identifier that will be used to read the user group in the
-# client certificate. The object identifier should be part of the certificate's
-# DN. Useful OIDs are:
+# client certificate. The object identifier should be part of the certificate's
+# DN. If the user may belong to multiple groups, then use multiple such fields
+# in the certificate's DN. Useful OIDs are:
 # OU (organizational unit) = 2.5.4.11
 #cert-group-oid = 2.5.4.11

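Review bot: The sentence added in the src/ocserv-args.def hunk (same wording in the doc/sample.config hunk) tells the reader to "use multiple such fields" without saying what a field is or how several values are treated. Wording such as `# DN. If the user may belong to multiple groups, repeat the attribute with this OID` / `# in the certificate's DN, once per group. Useful OIDs are:` would be unambiguous. Since the comment says the group is read from the client certificate, it would also help to note that group membership is then whatever the issuing CA put in the DN, so issuance policy has to restrict which group values a subject can obtain. How the server picks among several groups is not visible in this patch and presumably deserves a pointer to the relevant option.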