Add ActiveDirectoryIdentityProvider.spec.groupSearch.userAttributeForFilter

Add the field to the tmpl file and run codegen.
Also update the count of the fields of our APIs in an integration test.
This commit is contained in:
Ryan Richard 2023-05-31 11:09:08 -07:00
parent 552eceabdb
commit 0a1f966886
37 changed files with 459 additions and 112 deletions

View File

@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
package v1alpha1 package v1alpha1
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. // Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or // value of an attribute of the user entry found as a result of the user search. Which attribute's
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
// https://ldap.com/ldap-filters. // E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Optional. When not specified, the default will act as if the filter were specified as // Optional. When not specified, the default will act as if the filter were specified as
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". // "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// +optional // +optional
Filter string `json:"filter,omitempty"` Filter string `json:"filter,omitempty"`
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
// For example, specifying "uid" as the UserAttributeForFilter while specifying
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
// +optional
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as // Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
// the result of the group search. // the result of the group search.
// +optional // +optional

View File

@ -107,10 +107,11 @@ spec:
description: Filter is the ActiveDirectory search filter which description: Filter is the ActiveDirectory search filter which
should be applied when searching for groups for a user. The should be applied when searching for groups for a user. The
pattern "{}" must occur in the filter at least once and will pattern "{}" must occur in the filter at least once and will
be dynamically replaced by the dn (distinguished name) of the be dynamically replaced by the value of an attribute of the
user entry found as a result of the user search. E.g. "member={}" user entry found as a result of the user search. Which attribute's
or "&(objectClass=groupOfNames)(member={})". For more information value is used to replace the placeholder(s) depends on the value
about ActiveDirectory filters, see https://ldap.com/ldap-filters. of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
Note that the dn (distinguished name) is not an attribute of Note that the dn (distinguished name) is not an attribute of
an entry, so "dn={}" cannot be used. Optional. When not specified, an entry, so "dn={}" cannot be used. Optional. When not specified,
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -142,6 +143,20 @@ spec:
carefully read all release notes before upgrading to ensure carefully read all release notes before upgrading to ensure
that the meaning of this field has not changed." that the meaning of this field has not changed."
type: boolean type: boolean
userAttributeForFilter:
description: UserAttributeForFilter specifies which attribute's
value from the user entry found as a result of the user search
will be used to replace the "{}" placeholder(s) in the group
search Filter. For example, specifying "uid" as the UserAttributeForFilter
while specifying "&(objectClass=posixGroup)(memberUid={})" as
the Filter would search for groups by replacing the "{}" placeholder
in the Filter with the value of the user's "uid" attribute.
Optional. When not specified, the default will act as if "dn"
were specified. For example, leaving UserAttributeForFilter
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
as the Filter would search for groups by replacing the "{}"
placeholder(s) with the dn (distinguished name) of the user.
type: string
type: object type: object
host: host:
description: 'Host is the hostname of this Active Directory identity description: 'Host is the hostname of this Active Directory identity

View File

@ -1062,7 +1062,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
|=== |===
| Field | Description | Field | Description
| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster. | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})" | *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search. | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.

View File

@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
package v1alpha1 package v1alpha1
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. // Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or // value of an attribute of the user entry found as a result of the user search. Which attribute's
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
// https://ldap.com/ldap-filters. // E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Optional. When not specified, the default will act as if the filter were specified as // Optional. When not specified, the default will act as if the filter were specified as
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". // "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// +optional // +optional
Filter string `json:"filter,omitempty"` Filter string `json:"filter,omitempty"`
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
// For example, specifying "uid" as the UserAttributeForFilter while specifying
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
// +optional
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as // Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
// the result of the group search. // the result of the group search.
// +optional // +optional

View File

@ -107,10 +107,11 @@ spec:
description: Filter is the ActiveDirectory search filter which description: Filter is the ActiveDirectory search filter which
should be applied when searching for groups for a user. The should be applied when searching for groups for a user. The
pattern "{}" must occur in the filter at least once and will pattern "{}" must occur in the filter at least once and will
be dynamically replaced by the dn (distinguished name) of the be dynamically replaced by the value of an attribute of the
user entry found as a result of the user search. E.g. "member={}" user entry found as a result of the user search. Which attribute's
or "&(objectClass=groupOfNames)(member={})". For more information value is used to replace the placeholder(s) depends on the value
about ActiveDirectory filters, see https://ldap.com/ldap-filters. of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
Note that the dn (distinguished name) is not an attribute of Note that the dn (distinguished name) is not an attribute of
an entry, so "dn={}" cannot be used. Optional. When not specified, an entry, so "dn={}" cannot be used. Optional. When not specified,
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -142,6 +143,20 @@ spec:
carefully read all release notes before upgrading to ensure carefully read all release notes before upgrading to ensure
that the meaning of this field has not changed." that the meaning of this field has not changed."
type: boolean type: boolean
userAttributeForFilter:
description: UserAttributeForFilter specifies which attribute's
value from the user entry found as a result of the user search
will be used to replace the "{}" placeholder(s) in the group
search Filter. For example, specifying "uid" as the UserAttributeForFilter
while specifying "&(objectClass=posixGroup)(memberUid={})" as
the Filter would search for groups by replacing the "{}" placeholder
in the Filter with the value of the user's "uid" attribute.
Optional. When not specified, the default will act as if "dn"
were specified. For example, leaving UserAttributeForFilter
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
as the Filter would search for groups by replacing the "{}"
placeholder(s) with the dn (distinguished name) of the user.
type: string
type: object type: object
host: host:
description: 'Host is the hostname of this Active Directory identity description: 'Host is the hostname of this Active Directory identity

View File

@ -1062,7 +1062,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
|=== |===
| Field | Description | Field | Description
| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster. | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})" | *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search. | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.

View File

@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
package v1alpha1 package v1alpha1
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. // Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or // value of an attribute of the user entry found as a result of the user search. Which attribute's
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
// https://ldap.com/ldap-filters. // E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Optional. When not specified, the default will act as if the filter were specified as // Optional. When not specified, the default will act as if the filter were specified as
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". // "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// +optional // +optional
Filter string `json:"filter,omitempty"` Filter string `json:"filter,omitempty"`
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
// For example, specifying "uid" as the UserAttributeForFilter while specifying
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
// +optional
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as // Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
// the result of the group search. // the result of the group search.
// +optional // +optional

View File

@ -107,10 +107,11 @@ spec:
description: Filter is the ActiveDirectory search filter which description: Filter is the ActiveDirectory search filter which
should be applied when searching for groups for a user. The should be applied when searching for groups for a user. The
pattern "{}" must occur in the filter at least once and will pattern "{}" must occur in the filter at least once and will
be dynamically replaced by the dn (distinguished name) of the be dynamically replaced by the value of an attribute of the
user entry found as a result of the user search. E.g. "member={}" user entry found as a result of the user search. Which attribute's
or "&(objectClass=groupOfNames)(member={})". For more information value is used to replace the placeholder(s) depends on the value
about ActiveDirectory filters, see https://ldap.com/ldap-filters. of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
Note that the dn (distinguished name) is not an attribute of Note that the dn (distinguished name) is not an attribute of
an entry, so "dn={}" cannot be used. Optional. When not specified, an entry, so "dn={}" cannot be used. Optional. When not specified,
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -142,6 +143,20 @@ spec:
carefully read all release notes before upgrading to ensure carefully read all release notes before upgrading to ensure
that the meaning of this field has not changed." that the meaning of this field has not changed."
type: boolean type: boolean
userAttributeForFilter:
description: UserAttributeForFilter specifies which attribute's
value from the user entry found as a result of the user search
will be used to replace the "{}" placeholder(s) in the group
search Filter. For example, specifying "uid" as the UserAttributeForFilter
while specifying "&(objectClass=posixGroup)(memberUid={})" as
the Filter would search for groups by replacing the "{}" placeholder
in the Filter with the value of the user's "uid" attribute.
Optional. When not specified, the default will act as if "dn"
were specified. For example, leaving UserAttributeForFilter
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
as the Filter would search for groups by replacing the "{}"
placeholder(s) with the dn (distinguished name) of the user.
type: string
type: object type: object
host: host:
description: 'Host is the hostname of this Active Directory identity description: 'Host is the hostname of this Active Directory identity

View File

@ -1062,7 +1062,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
|=== |===
| Field | Description | Field | Description
| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster. | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})" | *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search. | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.

View File

@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
package v1alpha1 package v1alpha1
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. // Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or // value of an attribute of the user entry found as a result of the user search. Which attribute's
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
// https://ldap.com/ldap-filters. // E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Optional. When not specified, the default will act as if the filter were specified as // Optional. When not specified, the default will act as if the filter were specified as
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". // "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// +optional // +optional
Filter string `json:"filter,omitempty"` Filter string `json:"filter,omitempty"`
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
// For example, specifying "uid" as the UserAttributeForFilter while specifying
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
// +optional
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as // Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
// the result of the group search. // the result of the group search.
// +optional // +optional

View File

@ -107,10 +107,11 @@ spec:
description: Filter is the ActiveDirectory search filter which description: Filter is the ActiveDirectory search filter which
should be applied when searching for groups for a user. The should be applied when searching for groups for a user. The
pattern "{}" must occur in the filter at least once and will pattern "{}" must occur in the filter at least once and will
be dynamically replaced by the dn (distinguished name) of the be dynamically replaced by the value of an attribute of the
user entry found as a result of the user search. E.g. "member={}" user entry found as a result of the user search. Which attribute's
or "&(objectClass=groupOfNames)(member={})". For more information value is used to replace the placeholder(s) depends on the value
about ActiveDirectory filters, see https://ldap.com/ldap-filters. of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
Note that the dn (distinguished name) is not an attribute of Note that the dn (distinguished name) is not an attribute of
an entry, so "dn={}" cannot be used. Optional. When not specified, an entry, so "dn={}" cannot be used. Optional. When not specified,
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -142,6 +143,20 @@ spec:
carefully read all release notes before upgrading to ensure carefully read all release notes before upgrading to ensure
that the meaning of this field has not changed." that the meaning of this field has not changed."
type: boolean type: boolean
userAttributeForFilter:
description: UserAttributeForFilter specifies which attribute's
value from the user entry found as a result of the user search
will be used to replace the "{}" placeholder(s) in the group
search Filter. For example, specifying "uid" as the UserAttributeForFilter
while specifying "&(objectClass=posixGroup)(memberUid={})" as
the Filter would search for groups by replacing the "{}" placeholder
in the Filter with the value of the user's "uid" attribute.
Optional. When not specified, the default will act as if "dn"
were specified. For example, leaving UserAttributeForFilter
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
as the Filter would search for groups by replacing the "{}"
placeholder(s) with the dn (distinguished name) of the user.
type: string
type: object type: object
host: host:
description: 'Host is the hostname of this Active Directory identity description: 'Host is the hostname of this Active Directory identity

View File

@ -1062,7 +1062,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
|=== |===
| Field | Description | Field | Description
| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster. | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})" | *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search. | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.

View File

@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
package v1alpha1 package v1alpha1
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. // Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or // value of an attribute of the user entry found as a result of the user search. Which attribute's
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
// https://ldap.com/ldap-filters. // E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Optional. When not specified, the default will act as if the filter were specified as // Optional. When not specified, the default will act as if the filter were specified as
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". // "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// +optional // +optional
Filter string `json:"filter,omitempty"` Filter string `json:"filter,omitempty"`
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
// For example, specifying "uid" as the UserAttributeForFilter while specifying
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
// +optional
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as // Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
// the result of the group search. // the result of the group search.
// +optional // +optional

View File

@ -107,10 +107,11 @@ spec:
description: Filter is the ActiveDirectory search filter which description: Filter is the ActiveDirectory search filter which
should be applied when searching for groups for a user. The should be applied when searching for groups for a user. The
pattern "{}" must occur in the filter at least once and will pattern "{}" must occur in the filter at least once and will
be dynamically replaced by the dn (distinguished name) of the be dynamically replaced by the value of an attribute of the
user entry found as a result of the user search. E.g. "member={}" user entry found as a result of the user search. Which attribute's
or "&(objectClass=groupOfNames)(member={})". For more information value is used to replace the placeholder(s) depends on the value
about ActiveDirectory filters, see https://ldap.com/ldap-filters. of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
Note that the dn (distinguished name) is not an attribute of Note that the dn (distinguished name) is not an attribute of
an entry, so "dn={}" cannot be used. Optional. When not specified, an entry, so "dn={}" cannot be used. Optional. When not specified,
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -142,6 +143,20 @@ spec:
carefully read all release notes before upgrading to ensure carefully read all release notes before upgrading to ensure
that the meaning of this field has not changed." that the meaning of this field has not changed."
type: boolean type: boolean
userAttributeForFilter:
description: UserAttributeForFilter specifies which attribute's
value from the user entry found as a result of the user search
will be used to replace the "{}" placeholder(s) in the group
search Filter. For example, specifying "uid" as the UserAttributeForFilter
while specifying "&(objectClass=posixGroup)(memberUid={})" as
the Filter would search for groups by replacing the "{}" placeholder
in the Filter with the value of the user's "uid" attribute.
Optional. When not specified, the default will act as if "dn"
were specified. For example, leaving UserAttributeForFilter
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
as the Filter would search for groups by replacing the "{}"
placeholder(s) with the dn (distinguished name) of the user.
type: string
type: object type: object
host: host:
description: 'Host is the hostname of this Active Directory identity description: 'Host is the hostname of this Active Directory identity

View File

@ -1062,7 +1062,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
|=== |===
| Field | Description | Field | Description
| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster. | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})" | *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search. | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.

View File

@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
package v1alpha1 package v1alpha1
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. // Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or // value of an attribute of the user entry found as a result of the user search. Which attribute's
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
// https://ldap.com/ldap-filters. // E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Optional. When not specified, the default will act as if the filter were specified as // Optional. When not specified, the default will act as if the filter were specified as
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". // "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// +optional // +optional
Filter string `json:"filter,omitempty"` Filter string `json:"filter,omitempty"`
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
// For example, specifying "uid" as the UserAttributeForFilter while specifying
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
// +optional
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as // Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
// the result of the group search. // the result of the group search.
// +optional // +optional

View File

@ -107,10 +107,11 @@ spec:
description: Filter is the ActiveDirectory search filter which description: Filter is the ActiveDirectory search filter which
should be applied when searching for groups for a user. The should be applied when searching for groups for a user. The
pattern "{}" must occur in the filter at least once and will pattern "{}" must occur in the filter at least once and will
be dynamically replaced by the dn (distinguished name) of the be dynamically replaced by the value of an attribute of the
user entry found as a result of the user search. E.g. "member={}" user entry found as a result of the user search. Which attribute's
or "&(objectClass=groupOfNames)(member={})". For more information value is used to replace the placeholder(s) depends on the value
about ActiveDirectory filters, see https://ldap.com/ldap-filters. of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
Note that the dn (distinguished name) is not an attribute of Note that the dn (distinguished name) is not an attribute of
an entry, so "dn={}" cannot be used. Optional. When not specified, an entry, so "dn={}" cannot be used. Optional. When not specified,
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -142,6 +143,20 @@ spec:
carefully read all release notes before upgrading to ensure carefully read all release notes before upgrading to ensure
that the meaning of this field has not changed." that the meaning of this field has not changed."
type: boolean type: boolean
userAttributeForFilter:
description: UserAttributeForFilter specifies which attribute's
value from the user entry found as a result of the user search
will be used to replace the "{}" placeholder(s) in the group
search Filter. For example, specifying "uid" as the UserAttributeForFilter
while specifying "&(objectClass=posixGroup)(memberUid={})" as
the Filter would search for groups by replacing the "{}" placeholder
in the Filter with the value of the user's "uid" attribute.
Optional. When not specified, the default will act as if "dn"
were specified. For example, leaving UserAttributeForFilter
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
as the Filter would search for groups by replacing the "{}"
placeholder(s) with the dn (distinguished name) of the user.
type: string
type: object type: object
host: host:
description: 'Host is the hostname of this Active Directory identity description: 'Host is the hostname of this Active Directory identity

View File

@ -1062,7 +1062,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
|=== |===
| Field | Description | Field | Description
| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster. | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})" | *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search. | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.

View File

@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
package v1alpha1 package v1alpha1
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. // Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or // value of an attribute of the user entry found as a result of the user search. Which attribute's
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
// https://ldap.com/ldap-filters. // E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Optional. When not specified, the default will act as if the filter were specified as // Optional. When not specified, the default will act as if the filter were specified as
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". // "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// +optional // +optional
Filter string `json:"filter,omitempty"` Filter string `json:"filter,omitempty"`
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
// For example, specifying "uid" as the UserAttributeForFilter while specifying
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
// +optional
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as // Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
// the result of the group search. // the result of the group search.
// +optional // +optional

View File

@ -107,10 +107,11 @@ spec:
description: Filter is the ActiveDirectory search filter which description: Filter is the ActiveDirectory search filter which
should be applied when searching for groups for a user. The should be applied when searching for groups for a user. The
pattern "{}" must occur in the filter at least once and will pattern "{}" must occur in the filter at least once and will
be dynamically replaced by the dn (distinguished name) of the be dynamically replaced by the value of an attribute of the
user entry found as a result of the user search. E.g. "member={}" user entry found as a result of the user search. Which attribute's
or "&(objectClass=groupOfNames)(member={})". For more information value is used to replace the placeholder(s) depends on the value
about ActiveDirectory filters, see https://ldap.com/ldap-filters. of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
Note that the dn (distinguished name) is not an attribute of Note that the dn (distinguished name) is not an attribute of
an entry, so "dn={}" cannot be used. Optional. When not specified, an entry, so "dn={}" cannot be used. Optional. When not specified,
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -142,6 +143,20 @@ spec:
carefully read all release notes before upgrading to ensure carefully read all release notes before upgrading to ensure
that the meaning of this field has not changed." that the meaning of this field has not changed."
type: boolean type: boolean
userAttributeForFilter:
description: UserAttributeForFilter specifies which attribute's
value from the user entry found as a result of the user search
will be used to replace the "{}" placeholder(s) in the group
search Filter. For example, specifying "uid" as the UserAttributeForFilter
while specifying "&(objectClass=posixGroup)(memberUid={})" as
the Filter would search for groups by replacing the "{}" placeholder
in the Filter with the value of the user's "uid" attribute.
Optional. When not specified, the default will act as if "dn"
were specified. For example, leaving UserAttributeForFilter
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
as the Filter would search for groups by replacing the "{}"
placeholder(s) with the dn (distinguished name) of the user.
type: string
type: object type: object
host: host:
description: 'Host is the hostname of this Active Directory identity description: 'Host is the hostname of this Active Directory identity

View File

@ -1062,7 +1062,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
|=== |===
| Field | Description | Field | Description
| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster. | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})" | *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search. | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.

View File

@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
package v1alpha1 package v1alpha1
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. // Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or // value of an attribute of the user entry found as a result of the user search. Which attribute's
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
// https://ldap.com/ldap-filters. // E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Optional. When not specified, the default will act as if the filter were specified as // Optional. When not specified, the default will act as if the filter were specified as
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". // "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// +optional // +optional
Filter string `json:"filter,omitempty"` Filter string `json:"filter,omitempty"`
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
// For example, specifying "uid" as the UserAttributeForFilter while specifying
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
// +optional
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as // Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
// the result of the group search. // the result of the group search.
// +optional // +optional

View File

@ -107,10 +107,11 @@ spec:
description: Filter is the ActiveDirectory search filter which description: Filter is the ActiveDirectory search filter which
should be applied when searching for groups for a user. The should be applied when searching for groups for a user. The
pattern "{}" must occur in the filter at least once and will pattern "{}" must occur in the filter at least once and will
be dynamically replaced by the dn (distinguished name) of the be dynamically replaced by the value of an attribute of the
user entry found as a result of the user search. E.g. "member={}" user entry found as a result of the user search. Which attribute's
or "&(objectClass=groupOfNames)(member={})". For more information value is used to replace the placeholder(s) depends on the value
about ActiveDirectory filters, see https://ldap.com/ldap-filters. of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
Note that the dn (distinguished name) is not an attribute of Note that the dn (distinguished name) is not an attribute of
an entry, so "dn={}" cannot be used. Optional. When not specified, an entry, so "dn={}" cannot be used. Optional. When not specified,
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -142,6 +143,20 @@ spec:
carefully read all release notes before upgrading to ensure carefully read all release notes before upgrading to ensure
that the meaning of this field has not changed." that the meaning of this field has not changed."
type: boolean type: boolean
userAttributeForFilter:
description: UserAttributeForFilter specifies which attribute's
value from the user entry found as a result of the user search
will be used to replace the "{}" placeholder(s) in the group
search Filter. For example, specifying "uid" as the UserAttributeForFilter
while specifying "&(objectClass=posixGroup)(memberUid={})" as
the Filter would search for groups by replacing the "{}" placeholder
in the Filter with the value of the user's "uid" attribute.
Optional. When not specified, the default will act as if "dn"
were specified. For example, leaving UserAttributeForFilter
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
as the Filter would search for groups by replacing the "{}"
placeholder(s) with the dn (distinguished name) of the user.
type: string
type: object type: object
host: host:
description: 'Host is the hostname of this Active Directory identity description: 'Host is the hostname of this Active Directory identity

View File

@ -1062,7 +1062,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
|=== |===
| Field | Description | Field | Description
| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster. | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})" | *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search. | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.

View File

@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
package v1alpha1 package v1alpha1
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. // Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or // value of an attribute of the user entry found as a result of the user search. Which attribute's
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
// https://ldap.com/ldap-filters. // E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Optional. When not specified, the default will act as if the filter were specified as // Optional. When not specified, the default will act as if the filter were specified as
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". // "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// +optional // +optional
Filter string `json:"filter,omitempty"` Filter string `json:"filter,omitempty"`
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
// For example, specifying "uid" as the UserAttributeForFilter while specifying
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
// +optional
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as // Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
// the result of the group search. // the result of the group search.
// +optional // +optional

View File

@ -107,10 +107,11 @@ spec:
description: Filter is the ActiveDirectory search filter which description: Filter is the ActiveDirectory search filter which
should be applied when searching for groups for a user. The should be applied when searching for groups for a user. The
pattern "{}" must occur in the filter at least once and will pattern "{}" must occur in the filter at least once and will
be dynamically replaced by the dn (distinguished name) of the be dynamically replaced by the value of an attribute of the
user entry found as a result of the user search. E.g. "member={}" user entry found as a result of the user search. Which attribute's
or "&(objectClass=groupOfNames)(member={})". For more information value is used to replace the placeholder(s) depends on the value
about ActiveDirectory filters, see https://ldap.com/ldap-filters. of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
Note that the dn (distinguished name) is not an attribute of Note that the dn (distinguished name) is not an attribute of
an entry, so "dn={}" cannot be used. Optional. When not specified, an entry, so "dn={}" cannot be used. Optional. When not specified,
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -142,6 +143,20 @@ spec:
carefully read all release notes before upgrading to ensure carefully read all release notes before upgrading to ensure
that the meaning of this field has not changed." that the meaning of this field has not changed."
type: boolean type: boolean
userAttributeForFilter:
description: UserAttributeForFilter specifies which attribute's
value from the user entry found as a result of the user search
will be used to replace the "{}" placeholder(s) in the group
search Filter. For example, specifying "uid" as the UserAttributeForFilter
while specifying "&(objectClass=posixGroup)(memberUid={})" as
the Filter would search for groups by replacing the "{}" placeholder
in the Filter with the value of the user's "uid" attribute.
Optional. When not specified, the default will act as if "dn"
were specified. For example, leaving UserAttributeForFilter
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
as the Filter would search for groups by replacing the "{}"
placeholder(s) with the dn (distinguished name) of the user.
type: string
type: object type: object
host: host:
description: 'Host is the hostname of this Active Directory identity description: 'Host is the hostname of this Active Directory identity

View File

@ -1058,7 +1058,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
|=== |===
| Field | Description | Field | Description
| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster. | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})" | *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search. | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.

View File

@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
package v1alpha1 package v1alpha1
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. // Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or // value of an attribute of the user entry found as a result of the user search. Which attribute's
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
// https://ldap.com/ldap-filters. // E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Optional. When not specified, the default will act as if the filter were specified as // Optional. When not specified, the default will act as if the filter were specified as
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". // "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// +optional // +optional
Filter string `json:"filter,omitempty"` Filter string `json:"filter,omitempty"`
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
// For example, specifying "uid" as the UserAttributeForFilter while specifying
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
// +optional
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as // Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
// the result of the group search. // the result of the group search.
// +optional // +optional

View File

@ -107,10 +107,11 @@ spec:
description: Filter is the ActiveDirectory search filter which description: Filter is the ActiveDirectory search filter which
should be applied when searching for groups for a user. The should be applied when searching for groups for a user. The
pattern "{}" must occur in the filter at least once and will pattern "{}" must occur in the filter at least once and will
be dynamically replaced by the dn (distinguished name) of the be dynamically replaced by the value of an attribute of the
user entry found as a result of the user search. E.g. "member={}" user entry found as a result of the user search. Which attribute's
or "&(objectClass=groupOfNames)(member={})". For more information value is used to replace the placeholder(s) depends on the value
about ActiveDirectory filters, see https://ldap.com/ldap-filters. of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
Note that the dn (distinguished name) is not an attribute of Note that the dn (distinguished name) is not an attribute of
an entry, so "dn={}" cannot be used. Optional. When not specified, an entry, so "dn={}" cannot be used. Optional. When not specified,
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -142,6 +143,20 @@ spec:
carefully read all release notes before upgrading to ensure carefully read all release notes before upgrading to ensure
that the meaning of this field has not changed." that the meaning of this field has not changed."
type: boolean type: boolean
userAttributeForFilter:
description: UserAttributeForFilter specifies which attribute's
value from the user entry found as a result of the user search
will be used to replace the "{}" placeholder(s) in the group
search Filter. For example, specifying "uid" as the UserAttributeForFilter
while specifying "&(objectClass=posixGroup)(memberUid={})" as
the Filter would search for groups by replacing the "{}" placeholder
in the Filter with the value of the user's "uid" attribute.
Optional. When not specified, the default will act as if "dn"
were specified. For example, leaving UserAttributeForFilter
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
as the Filter would search for groups by replacing the "{}"
placeholder(s) with the dn (distinguished name) of the user.
type: string
type: object type: object
host: host:
description: 'Host is the hostname of this Active Directory identity description: 'Host is the hostname of this Active Directory identity

View File

@ -1058,7 +1058,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
|=== |===
| Field | Description | Field | Description
| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster. | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})" | *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search. | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.

View File

@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
package v1alpha1 package v1alpha1
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. // Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or // value of an attribute of the user entry found as a result of the user search. Which attribute's
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
// https://ldap.com/ldap-filters. // E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Optional. When not specified, the default will act as if the filter were specified as // Optional. When not specified, the default will act as if the filter were specified as
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". // "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// +optional // +optional
Filter string `json:"filter,omitempty"` Filter string `json:"filter,omitempty"`
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
// For example, specifying "uid" as the UserAttributeForFilter while specifying
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
// +optional
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as // Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
// the result of the group search. // the result of the group search.
// +optional // +optional

View File

@ -107,10 +107,11 @@ spec:
description: Filter is the ActiveDirectory search filter which description: Filter is the ActiveDirectory search filter which
should be applied when searching for groups for a user. The should be applied when searching for groups for a user. The
pattern "{}" must occur in the filter at least once and will pattern "{}" must occur in the filter at least once and will
be dynamically replaced by the dn (distinguished name) of the be dynamically replaced by the value of an attribute of the
user entry found as a result of the user search. E.g. "member={}" user entry found as a result of the user search. Which attribute's
or "&(objectClass=groupOfNames)(member={})". For more information value is used to replace the placeholder(s) depends on the value
about ActiveDirectory filters, see https://ldap.com/ldap-filters. of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
Note that the dn (distinguished name) is not an attribute of Note that the dn (distinguished name) is not an attribute of
an entry, so "dn={}" cannot be used. Optional. When not specified, an entry, so "dn={}" cannot be used. Optional. When not specified,
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -142,6 +143,20 @@ spec:
carefully read all release notes before upgrading to ensure carefully read all release notes before upgrading to ensure
that the meaning of this field has not changed." that the meaning of this field has not changed."
type: boolean type: boolean
userAttributeForFilter:
description: UserAttributeForFilter specifies which attribute's
value from the user entry found as a result of the user search
will be used to replace the "{}" placeholder(s) in the group
search Filter. For example, specifying "uid" as the UserAttributeForFilter
while specifying "&(objectClass=posixGroup)(memberUid={})" as
the Filter would search for groups by replacing the "{}" placeholder
in the Filter with the value of the user's "uid" attribute.
Optional. When not specified, the default will act as if "dn"
were specified. For example, leaving UserAttributeForFilter
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
as the Filter would search for groups by replacing the "{}"
placeholder(s) with the dn (distinguished name) of the user.
type: string
type: object type: object
host: host:
description: 'Host is the hostname of this Active Directory identity description: 'Host is the hostname of this Active Directory identity

View File

@ -1058,7 +1058,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
|=== |===
| Field | Description | Field | Description
| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster. | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})" | *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search. | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.

View File

@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
package v1alpha1 package v1alpha1
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. // Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or // value of an attribute of the user entry found as a result of the user search. Which attribute's
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
// https://ldap.com/ldap-filters. // E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Optional. When not specified, the default will act as if the filter were specified as // Optional. When not specified, the default will act as if the filter were specified as
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". // "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// +optional // +optional
Filter string `json:"filter,omitempty"` Filter string `json:"filter,omitempty"`
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
// For example, specifying "uid" as the UserAttributeForFilter while specifying
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
// +optional
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as // Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
// the result of the group search. // the result of the group search.
// +optional // +optional

View File

@ -107,10 +107,11 @@ spec:
description: Filter is the ActiveDirectory search filter which description: Filter is the ActiveDirectory search filter which
should be applied when searching for groups for a user. The should be applied when searching for groups for a user. The
pattern "{}" must occur in the filter at least once and will pattern "{}" must occur in the filter at least once and will
be dynamically replaced by the dn (distinguished name) of the be dynamically replaced by the value of an attribute of the
user entry found as a result of the user search. E.g. "member={}" user entry found as a result of the user search. Which attribute's
or "&(objectClass=groupOfNames)(member={})". For more information value is used to replace the placeholder(s) depends on the value
about ActiveDirectory filters, see https://ldap.com/ldap-filters. of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
Note that the dn (distinguished name) is not an attribute of Note that the dn (distinguished name) is not an attribute of
an entry, so "dn={}" cannot be used. Optional. When not specified, an entry, so "dn={}" cannot be used. Optional. When not specified,
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -142,6 +143,20 @@ spec:
carefully read all release notes before upgrading to ensure carefully read all release notes before upgrading to ensure
that the meaning of this field has not changed." that the meaning of this field has not changed."
type: boolean type: boolean
userAttributeForFilter:
description: UserAttributeForFilter specifies which attribute's
value from the user entry found as a result of the user search
will be used to replace the "{}" placeholder(s) in the group
search Filter. For example, specifying "uid" as the UserAttributeForFilter
while specifying "&(objectClass=posixGroup)(memberUid={})" as
the Filter would search for groups by replacing the "{}" placeholder
in the Filter with the value of the user's "uid" attribute.
Optional. When not specified, the default will act as if "dn"
were specified. For example, leaving UserAttributeForFilter
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
as the Filter would search for groups by replacing the "{}"
placeholder(s) with the dn (distinguished name) of the user.
type: string
type: object type: object
host: host:
description: 'Host is the hostname of this Active Directory identity description: 'Host is the hostname of this Active Directory identity

View File

@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
package v1alpha1 package v1alpha1
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. // Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or // value of an attribute of the user entry found as a result of the user search. Which attribute's
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
// https://ldap.com/ldap-filters. // E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Optional. When not specified, the default will act as if the filter were specified as // Optional. When not specified, the default will act as if the filter were specified as
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". // "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// +optional // +optional
Filter string `json:"filter,omitempty"` Filter string `json:"filter,omitempty"`
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
// For example, specifying "uid" as the UserAttributeForFilter while specifying
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
// +optional
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as // Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
// the result of the group search. // the result of the group search.
// +optional // +optional

View File

@ -441,7 +441,7 @@ func TestGetAPIResourceList(t *testing.T) { //nolint:gocyclo // each t.Run is pr
// over time, make a rudimentary assertion that this test exercised the whole tree of all fields of all // over time, make a rudimentary assertion that this test exercised the whole tree of all fields of all
// Pinniped API resources. Without this, the test could accidentally skip parts of the tree if the // Pinniped API resources. Without this, the test could accidentally skip parts of the tree if the
// format has changed. // format has changed.
require.Equal(t, 226, foundFieldNames, require.Equal(t, 227, foundFieldNames,
"Expected to find all known fields of all Pinniped API resources. "+ "Expected to find all known fields of all Pinniped API resources. "+
"You may will need to update this expectation if you added new fields to the API types.", "You may will need to update this expectation if you added new fields to the API types.",
) )