Add ActiveDirectoryIdentityProvider.spec.groupSearch.userAttributeForFilter
Add the field to the tmpl file and run codegen. Also update the field count of our APIs in an integration test.
This commit is contained in:
parent
552eceabdb
commit
0a1f966886
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package v1alpha1
|
package v1alpha1
|
||||||
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
|
|
||||||
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
||||||
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
||||||
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
|
// value of an attribute of the user entry found as a result of the user search. Which attribute's
|
||||||
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see
|
// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
|
||||||
// https://ldap.com/ldap-filters.
|
// E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
||||||
|
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
||||||
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
||||||
// Optional. When not specified, the default will act as if the filter were specified as
|
// Optional. When not specified, the default will act as if the filter were specified as
|
||||||
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
||||||
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
// +optional
|
// +optional
|
||||||
Filter string `json:"filter,omitempty"`
|
Filter string `json:"filter,omitempty"`
|
||||||
|
|
||||||
|
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
|
||||||
|
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
|
||||||
|
// For example, specifying "uid" as the UserAttributeForFilter while specifying
|
||||||
|
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
|
||||||
|
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
|
||||||
|
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
|
||||||
|
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
|
||||||
|
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
|
||||||
|
// +optional
|
||||||
|
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
|
||||||
|
|
||||||
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
||||||
// the result of the group search.
|
// the result of the group search.
|
||||||
// +optional
|
// +optional
|
||||||
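Review bot: The new doc comment on UserAttributeForFilter does not say what happens when the named attribute is absent from the user entry or carries several values, nor whether the substituted value is escaped as LDAP filter data rather than interpreted as filter syntax; since this field decides which user-entry value lands inside the group search Filter, that is exactly what a reader choosing an attribute needs to know. A sentence such as `// The attribute's value is escaped before it is substituted into Filter; a user entry with no such attribute (or with several values) <behavior as implemented> the group search.` belongs after the "Optional." paragraph, filled in with what the implementation actually does. The worked example ("uid" with "&(objectClass=posixGroup)(memberUid={})") presumably comes from the LDAP provider's copy of this comment; an Active Directory schema example such as "sAMAccountName" would serve AD readers better. Per the commit message this file is codegen output, so the wording change belongs in the tmpl source and will then flow into the identical hunks in the 1.18 and 1.19 copies further down, as well as the CRD descriptions and README tables generated from it.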
|
@ -107,10 +107,11 @@ spec:
|
|||||||
description: Filter is the ActiveDirectory search filter which
|
description: Filter is the ActiveDirectory search filter which
|
||||||
should be applied when searching for groups for a user. The
|
should be applied when searching for groups for a user. The
|
||||||
pattern "{}" must occur in the filter at least once and will
|
pattern "{}" must occur in the filter at least once and will
|
||||||
be dynamically replaced by the dn (distinguished name) of the
|
be dynamically replaced by the value of an attribute of the
|
||||||
user entry found as a result of the user search. E.g. "member={}"
|
user entry found as a result of the user search. Which attribute's
|
||||||
or "&(objectClass=groupOfNames)(member={})". For more information
|
value is used to replace the placeholder(s) depends on the value
|
||||||
about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
||||||
|
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
||||||
Note that the dn (distinguished name) is not an attribute of
|
Note that the dn (distinguished name) is not an attribute of
|
||||||
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
||||||
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
||||||
@ -142,6 +143,20 @@ spec:
|
|||||||
carefully read all release notes before upgrading to ensure
|
carefully read all release notes before upgrading to ensure
|
||||||
that the meaning of this field has not changed."
|
that the meaning of this field has not changed."
|
||||||
type: boolean
|
type: boolean
|
||||||
|
userAttributeForFilter:
|
||||||
|
description: UserAttributeForFilter specifies which attribute's
|
||||||
|
value from the user entry found as a result of the user search
|
||||||
|
will be used to replace the "{}" placeholder(s) in the group
|
||||||
|
search Filter. For example, specifying "uid" as the UserAttributeForFilter
|
||||||
|
while specifying "&(objectClass=posixGroup)(memberUid={})" as
|
||||||
|
the Filter would search for groups by replacing the "{}" placeholder
|
||||||
|
in the Filter with the value of the user's "uid" attribute.
|
||||||
|
Optional. When not specified, the default will act as if "dn"
|
||||||
|
were specified. For example, leaving UserAttributeForFilter
|
||||||
|
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
|
||||||
|
as the Filter would search for groups by replacing the "{}"
|
||||||
|
placeholder(s) with the dn (distinguished name) of the user.
|
||||||
|
type: string
|
||||||
type: object
|
type: object
|
||||||
host:
|
host:
|
||||||
description: 'Host is the hostname of this Active Directory identity
|
description: 'Host is the hostname of this Active Directory identity
|
||||||
|
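--- a/generated/1.17/README.adoc
+++ b/generated/1.17/README.adoc
@@ -1062,7 +1062,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
 |===
 | Field | Description
 | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
-| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
+| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
+| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
 | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
 In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.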
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package v1alpha1
|
package v1alpha1
|
||||||
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
|
|
||||||
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
||||||
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
||||||
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
|
// value of an attribute of the user entry found as a result of the user search. Which attribute's
|
||||||
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see
|
// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
|
||||||
// https://ldap.com/ldap-filters.
|
// E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
||||||
|
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
||||||
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
||||||
// Optional. When not specified, the default will act as if the filter were specified as
|
// Optional. When not specified, the default will act as if the filter were specified as
|
||||||
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
||||||
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
// +optional
|
// +optional
|
||||||
Filter string `json:"filter,omitempty"`
|
Filter string `json:"filter,omitempty"`
|
||||||
|
|
||||||
|
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
|
||||||
|
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
|
||||||
|
// For example, specifying "uid" as the UserAttributeForFilter while specifying
|
||||||
|
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
|
||||||
|
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
|
||||||
|
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
|
||||||
|
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
|
||||||
|
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
|
||||||
|
// +optional
|
||||||
|
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
|
||||||
|
|
||||||
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
||||||
// the result of the group search.
|
// the result of the group search.
|
||||||
// +optional
|
// +optional
|
||||||
|
@ -107,10 +107,11 @@ spec:
|
|||||||
description: Filter is the ActiveDirectory search filter which
|
description: Filter is the ActiveDirectory search filter which
|
||||||
should be applied when searching for groups for a user. The
|
should be applied when searching for groups for a user. The
|
||||||
pattern "{}" must occur in the filter at least once and will
|
pattern "{}" must occur in the filter at least once and will
|
||||||
be dynamically replaced by the dn (distinguished name) of the
|
be dynamically replaced by the value of an attribute of the
|
||||||
user entry found as a result of the user search. E.g. "member={}"
|
user entry found as a result of the user search. Which attribute's
|
||||||
or "&(objectClass=groupOfNames)(member={})". For more information
|
value is used to replace the placeholder(s) depends on the value
|
||||||
about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
||||||
|
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
||||||
Note that the dn (distinguished name) is not an attribute of
|
Note that the dn (distinguished name) is not an attribute of
|
||||||
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
||||||
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
||||||
@ -142,6 +143,20 @@ spec:
|
|||||||
carefully read all release notes before upgrading to ensure
|
carefully read all release notes before upgrading to ensure
|
||||||
that the meaning of this field has not changed."
|
that the meaning of this field has not changed."
|
||||||
type: boolean
|
type: boolean
|
||||||
|
userAttributeForFilter:
|
||||||
|
description: UserAttributeForFilter specifies which attribute's
|
||||||
|
value from the user entry found as a result of the user search
|
||||||
|
will be used to replace the "{}" placeholder(s) in the group
|
||||||
|
search Filter. For example, specifying "uid" as the UserAttributeForFilter
|
||||||
|
while specifying "&(objectClass=posixGroup)(memberUid={})" as
|
||||||
|
the Filter would search for groups by replacing the "{}" placeholder
|
||||||
|
in the Filter with the value of the user's "uid" attribute.
|
||||||
|
Optional. When not specified, the default will act as if "dn"
|
||||||
|
were specified. For example, leaving UserAttributeForFilter
|
||||||
|
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
|
||||||
|
as the Filter would search for groups by replacing the "{}"
|
||||||
|
placeholder(s) with the dn (distinguished name) of the user.
|
||||||
|
type: string
|
||||||
type: object
|
type: object
|
||||||
host:
|
host:
|
||||||
description: 'Host is the hostname of this Active Directory identity
|
description: 'Host is the hostname of this Active Directory identity
|
||||||
|
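--- a/generated/1.18/README.adoc
+++ b/generated/1.18/README.adoc
@@ -1062,7 +1062,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
 |===
 | Field | Description
 | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
-| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
+| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
+| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
 | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
 In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.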
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package v1alpha1
|
package v1alpha1
|
||||||
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
|
|
||||||
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
||||||
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
||||||
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
|
// value of an attribute of the user entry found as a result of the user search. Which attribute's
|
||||||
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see
|
// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
|
||||||
// https://ldap.com/ldap-filters.
|
// E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
||||||
|
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
||||||
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
||||||
// Optional. When not specified, the default will act as if the filter were specified as
|
// Optional. When not specified, the default will act as if the filter were specified as
|
||||||
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
||||||
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
// +optional
|
// +optional
|
||||||
Filter string `json:"filter,omitempty"`
|
Filter string `json:"filter,omitempty"`
|
||||||
|
|
||||||
|
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
|
||||||
|
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
|
||||||
|
// For example, specifying "uid" as the UserAttributeForFilter while specifying
|
||||||
|
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
|
||||||
|
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
|
||||||
|
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
|
||||||
|
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
|
||||||
|
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
|
||||||
|
// +optional
|
||||||
|
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
|
||||||
|
|
||||||
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
||||||
// the result of the group search.
|
// the result of the group search.
|
||||||
// +optional
|
// +optional
|
||||||
|
@ -107,10 +107,11 @@ spec:
|
|||||||
description: Filter is the ActiveDirectory search filter which
|
description: Filter is the ActiveDirectory search filter which
|
||||||
should be applied when searching for groups for a user. The
|
should be applied when searching for groups for a user. The
|
||||||
pattern "{}" must occur in the filter at least once and will
|
pattern "{}" must occur in the filter at least once and will
|
||||||
be dynamically replaced by the dn (distinguished name) of the
|
be dynamically replaced by the value of an attribute of the
|
||||||
user entry found as a result of the user search. E.g. "member={}"
|
user entry found as a result of the user search. Which attribute's
|
||||||
or "&(objectClass=groupOfNames)(member={})". For more information
|
value is used to replace the placeholder(s) depends on the value
|
||||||
about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
||||||
|
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
||||||
Note that the dn (distinguished name) is not an attribute of
|
Note that the dn (distinguished name) is not an attribute of
|
||||||
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
||||||
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
||||||
@ -142,6 +143,20 @@ spec:
|
|||||||
carefully read all release notes before upgrading to ensure
|
carefully read all release notes before upgrading to ensure
|
||||||
that the meaning of this field has not changed."
|
that the meaning of this field has not changed."
|
||||||
type: boolean
|
type: boolean
|
||||||
|
userAttributeForFilter:
|
||||||
|
description: UserAttributeForFilter specifies which attribute's
|
||||||
|
value from the user entry found as a result of the user search
|
||||||
|
will be used to replace the "{}" placeholder(s) in the group
|
||||||
|
search Filter. For example, specifying "uid" as the UserAttributeForFilter
|
||||||
|
while specifying "&(objectClass=posixGroup)(memberUid={})" as
|
||||||
|
the Filter would search for groups by replacing the "{}" placeholder
|
||||||
|
in the Filter with the value of the user's "uid" attribute.
|
||||||
|
Optional. When not specified, the default will act as if "dn"
|
||||||
|
were specified. For example, leaving UserAttributeForFilter
|
||||||
|
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
|
||||||
|
as the Filter would search for groups by replacing the "{}"
|
||||||
|
placeholder(s) with the dn (distinguished name) of the user.
|
||||||
|
type: string
|
||||||
type: object
|
type: object
|
||||||
host:
|
host:
|
||||||
description: 'Host is the hostname of this Active Directory identity
|
description: 'Host is the hostname of this Active Directory identity
|
||||||
|
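--- a/generated/1.19/README.adoc
+++ b/generated/1.19/README.adoc
@@ -1062,7 +1062,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
 |===
 | Field | Description
 | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
-| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
+| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
+| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
 | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
 In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.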
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package v1alpha1
|
package v1alpha1
|
||||||
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
|
|
||||||
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
||||||
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
||||||
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
|
// value of an attribute of the user entry found as a result of the user search. Which attribute's
|
||||||
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see
|
// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
|
||||||
// https://ldap.com/ldap-filters.
|
// E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
||||||
|
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
||||||
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
||||||
// Optional. When not specified, the default will act as if the filter were specified as
|
// Optional. When not specified, the default will act as if the filter were specified as
|
||||||
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
||||||
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
// +optional
|
// +optional
|
||||||
Filter string `json:"filter,omitempty"`
|
Filter string `json:"filter,omitempty"`
|
||||||
|
|
||||||
|
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
|
||||||
|
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
|
||||||
|
// For example, specifying "uid" as the UserAttributeForFilter while specifying
|
||||||
|
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
|
||||||
|
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
|
||||||
|
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
|
||||||
|
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
|
||||||
|
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
|
||||||
|
// +optional
|
||||||
|
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
|
||||||
|
|
||||||
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
||||||
// the result of the group search.
|
// the result of the group search.
|
||||||
// +optional
|
// +optional
|
||||||
|
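Review bot: The new UserAttributeForFilter doc comment, ending at `UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"``, does not say whether the attribute value read from the user entry is escaped as an LDAP filter value before it replaces "{}", nor what happens when the configured attribute is absent from the entry or has several values; an operator choosing an attribute other than the default needs both to reason about the resulting group search, since the substituted value comes from directory data and may contain filter metacharacters. Once the implementation's behaviour is confirmed, I would add a sentence along the lines of `// The attribute's value is escaped for use in an LDAP filter before it replaces the placeholder(s), so special characters in the value cannot change the structure of the Filter.`, plus one sentence stating the behaviour for a missing or multi-valued attribute. Because the Filter comment earlier in this struct says the dn "is not an attribute of an entry", it would also help to state that "dn" in UserAttributeForFilter is a special value rather than an attribute name. The same hunk appears in the other generated copies below and, per the description, originates in the .tmpl file, which is where the wording should be fixed; the enclosing ActiveDirectoryIdentityProviderGroupSearch struct starts and ends outside the hunk.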
@ -107,10 +107,11 @@ spec:
|
|||||||
description: Filter is the ActiveDirectory search filter which
|
description: Filter is the ActiveDirectory search filter which
|
||||||
should be applied when searching for groups for a user. The
|
should be applied when searching for groups for a user. The
|
||||||
pattern "{}" must occur in the filter at least once and will
|
pattern "{}" must occur in the filter at least once and will
|
||||||
be dynamically replaced by the dn (distinguished name) of the
|
be dynamically replaced by the value of an attribute of the
|
||||||
user entry found as a result of the user search. E.g. "member={}"
|
user entry found as a result of the user search. Which attribute's
|
||||||
or "&(objectClass=groupOfNames)(member={})". For more information
|
value is used to replace the placeholder(s) depends on the value
|
||||||
about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
||||||
|
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
||||||
Note that the dn (distinguished name) is not an attribute of
|
Note that the dn (distinguished name) is not an attribute of
|
||||||
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
||||||
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
||||||
@ -142,6 +143,20 @@ spec:
|
|||||||
carefully read all release notes before upgrading to ensure
|
carefully read all release notes before upgrading to ensure
|
||||||
that the meaning of this field has not changed."
|
that the meaning of this field has not changed."
|
||||||
type: boolean
|
type: boolean
|
||||||
|
userAttributeForFilter:
|
||||||
|
description: UserAttributeForFilter specifies which attribute's
|
||||||
|
value from the user entry found as a result of the user search
|
||||||
|
will be used to replace the "{}" placeholder(s) in the group
|
||||||
|
search Filter. For example, specifying "uid" as the UserAttributeForFilter
|
||||||
|
while specifying "&(objectClass=posixGroup)(memberUid={})" as
|
||||||
|
the Filter would search for groups by replacing the "{}" placeholder
|
||||||
|
in the Filter with the value of the user's "uid" attribute.
|
||||||
|
Optional. When not specified, the default will act as if "dn"
|
||||||
|
were specified. For example, leaving UserAttributeForFilter
|
||||||
|
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
|
||||||
|
as the Filter would search for groups by replacing the "{}"
|
||||||
|
placeholder(s) with the dn (distinguished name) of the user.
|
||||||
|
type: string
|
||||||
type: object
|
type: object
|
||||||
host:
|
host:
|
||||||
description: 'Host is the hostname of this Active Directory identity
|
description: 'Host is the hostname of this Active Directory identity
|
||||||
|
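--- a/generated/1.20/README.adoc
+++ b/generated/1.20/README.adoc
@@ -1062,7 +1062,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
 |===
 | Field | Description
 | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
-| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
+| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
+| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
 | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
 In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.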
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package v1alpha1
|
package v1alpha1
|
||||||
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
|
|
||||||
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
||||||
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
||||||
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
|
// value of an attribute of the user entry found as a result of the user search. Which attribute's
|
||||||
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see
|
// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
|
||||||
// https://ldap.com/ldap-filters.
|
// E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
||||||
|
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
||||||
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
||||||
// Optional. When not specified, the default will act as if the filter were specified as
|
// Optional. When not specified, the default will act as if the filter were specified as
|
||||||
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
||||||
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
// +optional
|
// +optional
|
||||||
Filter string `json:"filter,omitempty"`
|
Filter string `json:"filter,omitempty"`
|
||||||
|
|
||||||
|
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
|
||||||
|
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
|
||||||
|
// For example, specifying "uid" as the UserAttributeForFilter while specifying
|
||||||
|
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
|
||||||
|
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
|
||||||
|
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
|
||||||
|
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
|
||||||
|
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
|
||||||
|
// +optional
|
||||||
|
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
|
||||||
|
|
||||||
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
||||||
// the result of the group search.
|
// the result of the group search.
|
||||||
// +optional
|
// +optional
|
||||||
|
@ -107,10 +107,11 @@ spec:
|
|||||||
description: Filter is the ActiveDirectory search filter which
|
description: Filter is the ActiveDirectory search filter which
|
||||||
should be applied when searching for groups for a user. The
|
should be applied when searching for groups for a user. The
|
||||||
pattern "{}" must occur in the filter at least once and will
|
pattern "{}" must occur in the filter at least once and will
|
||||||
be dynamically replaced by the dn (distinguished name) of the
|
be dynamically replaced by the value of an attribute of the
|
||||||
user entry found as a result of the user search. E.g. "member={}"
|
user entry found as a result of the user search. Which attribute's
|
||||||
or "&(objectClass=groupOfNames)(member={})". For more information
|
value is used to replace the placeholder(s) depends on the value
|
||||||
about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
||||||
|
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
||||||
Note that the dn (distinguished name) is not an attribute of
|
Note that the dn (distinguished name) is not an attribute of
|
||||||
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
||||||
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
||||||
@ -142,6 +143,20 @@ spec:
|
|||||||
carefully read all release notes before upgrading to ensure
|
carefully read all release notes before upgrading to ensure
|
||||||
that the meaning of this field has not changed."
|
that the meaning of this field has not changed."
|
||||||
type: boolean
|
type: boolean
|
||||||
|
userAttributeForFilter:
|
||||||
|
description: UserAttributeForFilter specifies which attribute's
|
||||||
|
value from the user entry found as a result of the user search
|
||||||
|
will be used to replace the "{}" placeholder(s) in the group
|
||||||
|
search Filter. For example, specifying "uid" as the UserAttributeForFilter
|
||||||
|
while specifying "&(objectClass=posixGroup)(memberUid={})" as
|
||||||
|
the Filter would search for groups by replacing the "{}" placeholder
|
||||||
|
in the Filter with the value of the user's "uid" attribute.
|
||||||
|
Optional. When not specified, the default will act as if "dn"
|
||||||
|
were specified. For example, leaving UserAttributeForFilter
|
||||||
|
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
|
||||||
|
as the Filter would search for groups by replacing the "{}"
|
||||||
|
placeholder(s) with the dn (distinguished name) of the user.
|
||||||
|
type: string
|
||||||
type: object
|
type: object
|
||||||
host:
|
host:
|
||||||
description: 'Host is the hostname of this Active Directory identity
|
description: 'Host is the hostname of this Active Directory identity
|
||||||
|
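--- a/generated/1.21/README.adoc
+++ b/generated/1.21/README.adoc
@@ -1062,7 +1062,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
 |===
 | Field | Description
 | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
-| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
+| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
+| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
 | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
 In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.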
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package v1alpha1
|
package v1alpha1
|
||||||
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
|
|
||||||
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
||||||
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
||||||
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
|
// value of an attribute of the user entry found as a result of the user search. Which attribute's
|
||||||
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see
|
// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
|
||||||
// https://ldap.com/ldap-filters.
|
// E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
||||||
|
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
||||||
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
||||||
// Optional. When not specified, the default will act as if the filter were specified as
|
// Optional. When not specified, the default will act as if the filter were specified as
|
||||||
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
||||||
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
// +optional
|
// +optional
|
||||||
Filter string `json:"filter,omitempty"`
|
Filter string `json:"filter,omitempty"`
|
||||||
|
|
||||||
|
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
|
||||||
|
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
|
||||||
|
// For example, specifying "uid" as the UserAttributeForFilter while specifying
|
||||||
|
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
|
||||||
|
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
|
||||||
|
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
|
||||||
|
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
|
||||||
|
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
|
||||||
|
// +optional
|
||||||
|
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
|
||||||
|
|
||||||
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
||||||
// the result of the group search.
|
// the result of the group search.
|
||||||
// +optional
|
// +optional
|
||||||
|
@ -107,10 +107,11 @@ spec:
|
|||||||
description: Filter is the ActiveDirectory search filter which
|
description: Filter is the ActiveDirectory search filter which
|
||||||
should be applied when searching for groups for a user. The
|
should be applied when searching for groups for a user. The
|
||||||
pattern "{}" must occur in the filter at least once and will
|
pattern "{}" must occur in the filter at least once and will
|
||||||
be dynamically replaced by the dn (distinguished name) of the
|
be dynamically replaced by the value of an attribute of the
|
||||||
user entry found as a result of the user search. E.g. "member={}"
|
user entry found as a result of the user search. Which attribute's
|
||||||
or "&(objectClass=groupOfNames)(member={})". For more information
|
value is used to replace the placeholder(s) depends on the value
|
||||||
about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
||||||
|
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
||||||
Note that the dn (distinguished name) is not an attribute of
|
Note that the dn (distinguished name) is not an attribute of
|
||||||
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
||||||
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
||||||
@ -142,6 +143,20 @@ spec:
|
|||||||
carefully read all release notes before upgrading to ensure
|
carefully read all release notes before upgrading to ensure
|
||||||
that the meaning of this field has not changed."
|
that the meaning of this field has not changed."
|
||||||
type: boolean
|
type: boolean
|
||||||
|
userAttributeForFilter:
|
||||||
|
description: UserAttributeForFilter specifies which attribute's
|
||||||
|
value from the user entry found as a result of the user search
|
||||||
|
will be used to replace the "{}" placeholder(s) in the group
|
||||||
|
search Filter. For example, specifying "uid" as the UserAttributeForFilter
|
||||||
|
while specifying "&(objectClass=posixGroup)(memberUid={})" as
|
||||||
|
the Filter would search for groups by replacing the "{}" placeholder
|
||||||
|
in the Filter with the value of the user's "uid" attribute.
|
||||||
|
Optional. When not specified, the default will act as if "dn"
|
||||||
|
were specified. For example, leaving UserAttributeForFilter
|
||||||
|
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
|
||||||
|
as the Filter would search for groups by replacing the "{}"
|
||||||
|
placeholder(s) with the dn (distinguished name) of the user.
|
||||||
|
type: string
|
||||||
type: object
|
type: object
|
||||||
host:
|
host:
|
||||||
description: 'Host is the hostname of this Active Directory identity
|
description: 'Host is the hostname of this Active Directory identity
|
||||||
|
3
generated/1.22/README.adoc
@ -1062,7 +1062,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
|
|||||||
|===
|
|===
|
||||||
| Field | Description
|
| Field | Description
|
||||||
| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
|
| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
|
||||||
| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
|
| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
|
||||||
|
| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
|
||||||
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
|
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
|
||||||
| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
|
| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
|
||||||
In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.
|
In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package v1alpha1
|
package v1alpha1
|
||||||
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
|
|
||||||
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
||||||
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
||||||
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
|
// value of an attribute of the user entry found as a result of the user search. Which attribute's
|
||||||
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see
|
// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
|
||||||
// https://ldap.com/ldap-filters.
|
// E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
||||||
|
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
||||||
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
||||||
// Optional. When not specified, the default will act as if the filter were specified as
|
// Optional. When not specified, the default will act as if the filter were specified as
|
||||||
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
||||||
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
// +optional
|
// +optional
|
||||||
Filter string `json:"filter,omitempty"`
|
Filter string `json:"filter,omitempty"`
|
||||||
|
|
||||||
|
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
|
||||||
|
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
|
||||||
|
// For example, specifying "uid" as the UserAttributeForFilter while specifying
|
||||||
|
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
|
||||||
|
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
|
||||||
|
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
|
||||||
|
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
|
||||||
|
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
|
||||||
|
// +optional
|
||||||
|
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
|
||||||
|
|
||||||
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
||||||
// the result of the group search.
|
// the result of the group search.
|
||||||
// +optional
|
// +optional
|
||||||
|
@ -107,10 +107,11 @@ spec:
|
|||||||
description: Filter is the ActiveDirectory search filter which
|
description: Filter is the ActiveDirectory search filter which
|
||||||
should be applied when searching for groups for a user. The
|
should be applied when searching for groups for a user. The
|
||||||
pattern "{}" must occur in the filter at least once and will
|
pattern "{}" must occur in the filter at least once and will
|
||||||
be dynamically replaced by the dn (distinguished name) of the
|
be dynamically replaced by the value of an attribute of the
|
||||||
user entry found as a result of the user search. E.g. "member={}"
|
user entry found as a result of the user search. Which attribute's
|
||||||
or "&(objectClass=groupOfNames)(member={})". For more information
|
value is used to replace the placeholder(s) depends on the value
|
||||||
about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
||||||
|
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
||||||
Note that the dn (distinguished name) is not an attribute of
|
Note that the dn (distinguished name) is not an attribute of
|
||||||
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
||||||
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
||||||
@ -142,6 +143,20 @@ spec:
|
|||||||
carefully read all release notes before upgrading to ensure
|
carefully read all release notes before upgrading to ensure
|
||||||
that the meaning of this field has not changed."
|
that the meaning of this field has not changed."
|
||||||
type: boolean
|
type: boolean
|
||||||
|
userAttributeForFilter:
|
||||||
|
description: UserAttributeForFilter specifies which attribute's
|
||||||
|
value from the user entry found as a result of the user search
|
||||||
|
will be used to replace the "{}" placeholder(s) in the group
|
||||||
|
search Filter. For example, specifying "uid" as the UserAttributeForFilter
|
||||||
|
while specifying "&(objectClass=posixGroup)(memberUid={})" as
|
||||||
|
the Filter would search for groups by replacing the "{}" placeholder
|
||||||
|
in the Filter with the value of the user's "uid" attribute.
|
||||||
|
Optional. When not specified, the default will act as if "dn"
|
||||||
|
were specified. For example, leaving UserAttributeForFilter
|
||||||
|
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
|
||||||
|
as the Filter would search for groups by replacing the "{}"
|
||||||
|
placeholder(s) with the dn (distinguished name) of the user.
|
||||||
|
type: string
|
||||||
type: object
|
type: object
|
||||||
host:
|
host:
|
||||||
description: 'Host is the hostname of this Active Directory identity
|
description: 'Host is the hostname of this Active Directory identity
|
||||||
|
3
generated/1.23/README.adoc
@ -1062,7 +1062,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
|
|||||||
|===
|
|===
|
||||||
| Field | Description
|
| Field | Description
|
||||||
| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
|
| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
|
||||||
| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
|
| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
|
||||||
|
| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
|
||||||
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
|
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
|
||||||
| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
|
| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
|
||||||
In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.
|
In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package v1alpha1
|
package v1alpha1
|
||||||
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
|
|
||||||
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
||||||
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
||||||
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
|
// value of an attribute of the user entry found as a result of the user search. Which attribute's
|
||||||
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see
|
// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
|
||||||
// https://ldap.com/ldap-filters.
|
// E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
||||||
|
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
||||||
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
||||||
// Optional. When not specified, the default will act as if the filter were specified as
|
// Optional. When not specified, the default will act as if the filter were specified as
|
||||||
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
||||||
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
// +optional
|
// +optional
|
||||||
Filter string `json:"filter,omitempty"`
|
Filter string `json:"filter,omitempty"`
|
||||||
|
|
||||||
|
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
|
||||||
|
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
|
||||||
|
// For example, specifying "uid" as the UserAttributeForFilter while specifying
|
||||||
|
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
|
||||||
|
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
|
||||||
|
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
|
||||||
|
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
|
||||||
|
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
|
||||||
|
// +optional
|
||||||
|
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
|
||||||
|
|
||||||
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
||||||
// the result of the group search.
|
// the result of the group search.
|
||||||
// +optional
|
// +optional
|
||||||
|
@ -107,10 +107,11 @@ spec:
|
|||||||
description: Filter is the ActiveDirectory search filter which
|
description: Filter is the ActiveDirectory search filter which
|
||||||
should be applied when searching for groups for a user. The
|
should be applied when searching for groups for a user. The
|
||||||
pattern "{}" must occur in the filter at least once and will
|
pattern "{}" must occur in the filter at least once and will
|
||||||
be dynamically replaced by the dn (distinguished name) of the
|
be dynamically replaced by the value of an attribute of the
|
||||||
user entry found as a result of the user search. E.g. "member={}"
|
user entry found as a result of the user search. Which attribute's
|
||||||
or "&(objectClass=groupOfNames)(member={})". For more information
|
value is used to replace the placeholder(s) depends on the value
|
||||||
about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
||||||
|
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
||||||
Note that the dn (distinguished name) is not an attribute of
|
Note that the dn (distinguished name) is not an attribute of
|
||||||
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
||||||
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
||||||
@ -142,6 +143,20 @@ spec:
carefully read all release notes before upgrading to ensure
carefully read all release notes before upgrading to ensure
that the meaning of this field has not changed."
that the meaning of this field has not changed."
type: boolean
type: boolean
userAttributeForFilter:
description: UserAttributeForFilter specifies which attribute's
value from the user entry found as a result of the user search
will be used to replace the "{}" placeholder(s) in the group
search Filter. For example, specifying "uid" as the UserAttributeForFilter
while specifying "&(objectClass=posixGroup)(memberUid={})" as
the Filter would search for groups by replacing the "{}" placeholder
in the Filter with the value of the user's "uid" attribute.
Optional. When not specified, the default will act as if "dn"
were specified. For example, leaving UserAttributeForFilter
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
as the Filter would search for groups by replacing the "{}"
placeholder(s) with the dn (distinguished name) of the user.
type: string
type: object
type: object
host:
host:
description: 'Host is the hostname of this Active Directory identity
description: 'Host is the hostname of this Active Directory identity
3
generated/1.24/README.adoc
@ -1062,7 +1062,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
|===
|===
| Field | Description
| Field | Description
| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.
In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.
@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
package v1alpha1
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
// value of an attribute of the user entry found as a result of the user search. Which attribute's
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see
// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
// https://ldap.com/ldap-filters.
// E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Optional. When not specified, the default will act as if the filter were specified as
// Optional. When not specified, the default will act as if the filter were specified as
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// +optional
// +optional
Filter string `json:"filter,omitempty"`
Filter string `json:"filter,omitempty"`
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
// For example, specifying "uid" as the UserAttributeForFilter while specifying
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
// +optional
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
// the result of the group search.
// the result of the group search.
// +optional
// +optional
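Review bot: The new UserAttributeForFilter doc comment in this hunk (and the identical 1.25 and 1.26 copies plus the CRD descriptions) says the attribute's value replaces "{}" in the group search Filter but never says whether that value is escaped before substitution; directory attribute values can legitimately contain filter metacharacters such as `(`, `)`, `*` and `\`, so without RFC 4515 escaping a stored value could change the meaning of the filter, and an operator choosing a non-dn attribute cannot tell from the API docs which contract they get. Since this file is generated, the wording belongs in the template the commit message mentions; I'd add a sentence such as `// The substituted value is escaped as an LDAP filter assertion value (RFC 4515) before it is inserted into the Filter.` once the implementation is confirmed to do that, or otherwise a sentence stating which attributes are safe to use. The same comment could also reconcile the special value "dn" with the Filter doc two hunks up that says dn is not an attribute, e.g. `// "dn" is a special value meaning the entry's distinguished name rather than a named attribute.` A `// +kubebuilder:validation:MinLength=1` marker next to `// +optional` would additionally make the unspecified/empty distinction explicit at admission time. The enclosing struct ActiveDirectoryIdentityProviderGroupSearch starts outside the hunk.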
@ -107,10 +107,11 @@ spec:
description: Filter is the ActiveDirectory search filter which
description: Filter is the ActiveDirectory search filter which
should be applied when searching for groups for a user. The
should be applied when searching for groups for a user. The
pattern "{}" must occur in the filter at least once and will
pattern "{}" must occur in the filter at least once and will
be dynamically replaced by the dn (distinguished name) of the
be dynamically replaced by the value of an attribute of the
user entry found as a result of the user search. E.g. "member={}"
user entry found as a result of the user search. Which attribute's
or "&(objectClass=groupOfNames)(member={})". For more information
value is used to replace the placeholder(s) depends on the value
about ActiveDirectory filters, see https://ldap.com/ldap-filters.
of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
Note that the dn (distinguished name) is not an attribute of
Note that the dn (distinguished name) is not an attribute of
an entry, so "dn={}" cannot be used. Optional. When not specified,
an entry, so "dn={}" cannot be used. Optional. When not specified,
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -142,6 +143,20 @@ spec:
carefully read all release notes before upgrading to ensure
carefully read all release notes before upgrading to ensure
that the meaning of this field has not changed."
that the meaning of this field has not changed."
type: boolean
type: boolean
userAttributeForFilter:
description: UserAttributeForFilter specifies which attribute's
value from the user entry found as a result of the user search
will be used to replace the "{}" placeholder(s) in the group
search Filter. For example, specifying "uid" as the UserAttributeForFilter
while specifying "&(objectClass=posixGroup)(memberUid={})" as
the Filter would search for groups by replacing the "{}" placeholder
in the Filter with the value of the user's "uid" attribute.
Optional. When not specified, the default will act as if "dn"
were specified. For example, leaving UserAttributeForFilter
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
as the Filter would search for groups by replacing the "{}"
placeholder(s) with the dn (distinguished name) of the user.
type: string
type: object
type: object
host:
host:
description: 'Host is the hostname of this Active Directory identity
description: 'Host is the hostname of this Active Directory identity
3
generated/1.25/README.adoc
@ -1058,7 +1058,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
|===
|===
| Field | Description
| Field | Description
| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.
In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.
@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
package v1alpha1
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
// value of an attribute of the user entry found as a result of the user search. Which attribute's
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see
// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
// https://ldap.com/ldap-filters.
// E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Optional. When not specified, the default will act as if the filter were specified as
// Optional. When not specified, the default will act as if the filter were specified as
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// +optional
// +optional
Filter string `json:"filter,omitempty"`
Filter string `json:"filter,omitempty"`
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
// For example, specifying "uid" as the UserAttributeForFilter while specifying
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
// +optional
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
// the result of the group search.
// the result of the group search.
// +optional
// +optional
@ -107,10 +107,11 @@ spec:
description: Filter is the ActiveDirectory search filter which
description: Filter is the ActiveDirectory search filter which
should be applied when searching for groups for a user. The
should be applied when searching for groups for a user. The
pattern "{}" must occur in the filter at least once and will
pattern "{}" must occur in the filter at least once and will
be dynamically replaced by the dn (distinguished name) of the
be dynamically replaced by the value of an attribute of the
user entry found as a result of the user search. E.g. "member={}"
user entry found as a result of the user search. Which attribute's
or "&(objectClass=groupOfNames)(member={})". For more information
value is used to replace the placeholder(s) depends on the value
about ActiveDirectory filters, see https://ldap.com/ldap-filters.
of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
Note that the dn (distinguished name) is not an attribute of
Note that the dn (distinguished name) is not an attribute of
an entry, so "dn={}" cannot be used. Optional. When not specified,
an entry, so "dn={}" cannot be used. Optional. When not specified,
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -142,6 +143,20 @@ spec:
carefully read all release notes before upgrading to ensure
carefully read all release notes before upgrading to ensure
that the meaning of this field has not changed."
that the meaning of this field has not changed."
type: boolean
type: boolean
userAttributeForFilter:
description: UserAttributeForFilter specifies which attribute's
value from the user entry found as a result of the user search
will be used to replace the "{}" placeholder(s) in the group
search Filter. For example, specifying "uid" as the UserAttributeForFilter
while specifying "&(objectClass=posixGroup)(memberUid={})" as
the Filter would search for groups by replacing the "{}" placeholder
in the Filter with the value of the user's "uid" attribute.
Optional. When not specified, the default will act as if "dn"
were specified. For example, leaving UserAttributeForFilter
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
as the Filter would search for groups by replacing the "{}"
placeholder(s) with the dn (distinguished name) of the user.
type: string
type: object
type: object
host:
host:
description: 'Host is the hostname of this Active Directory identity
description: 'Host is the hostname of this Active Directory identity
3
generated/1.26/README.adoc
@ -1058,7 +1058,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
|===
|===
| Field | Description
| Field | Description
| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.
In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package v1alpha1
|
package v1alpha1
|
||||||
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
|
|
||||||
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
||||||
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
||||||
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
|
// value of an attribute of the user entry found as a result of the user search. Which attribute's
|
||||||
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see
|
// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
|
||||||
// https://ldap.com/ldap-filters.
|
// E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
||||||
|
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
||||||
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
||||||
// Optional. When not specified, the default will act as if the filter were specified as
|
// Optional. When not specified, the default will act as if the filter were specified as
|
||||||
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
||||||
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
// +optional
|
// +optional
|
||||||
Filter string `json:"filter,omitempty"`
|
Filter string `json:"filter,omitempty"`
|
||||||
|
|
||||||
|
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
|
||||||
|
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
|
||||||
|
// For example, specifying "uid" as the UserAttributeForFilter while specifying
|
||||||
|
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
|
||||||
|
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
|
||||||
|
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
|
||||||
|
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
|
||||||
|
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
|
||||||
|
// +optional
|
||||||
|
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
|
||||||
|
|
||||||
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
||||||
// the result of the group search.
|
// the result of the group search.
|
||||||
// +optional
|
// +optional
|
||||||
|
@ -107,10 +107,11 @@ spec:
|
|||||||
description: Filter is the ActiveDirectory search filter which
|
description: Filter is the ActiveDirectory search filter which
|
||||||
should be applied when searching for groups for a user. The
|
should be applied when searching for groups for a user. The
|
||||||
pattern "{}" must occur in the filter at least once and will
|
pattern "{}" must occur in the filter at least once and will
|
||||||
be dynamically replaced by the dn (distinguished name) of the
|
be dynamically replaced by the value of an attribute of the
|
||||||
user entry found as a result of the user search. E.g. "member={}"
|
user entry found as a result of the user search. Which attribute's
|
||||||
or "&(objectClass=groupOfNames)(member={})". For more information
|
value is used to replace the placeholder(s) depends on the value
|
||||||
about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
||||||
|
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
||||||
Note that the dn (distinguished name) is not an attribute of
|
Note that the dn (distinguished name) is not an attribute of
|
||||||
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
||||||
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
||||||
@ -142,6 +143,20 @@ spec:
|
|||||||
carefully read all release notes before upgrading to ensure
|
carefully read all release notes before upgrading to ensure
|
||||||
that the meaning of this field has not changed."
|
that the meaning of this field has not changed."
|
||||||
type: boolean
|
type: boolean
|
||||||
|
userAttributeForFilter:
|
||||||
|
description: UserAttributeForFilter specifies which attribute's
|
||||||
|
value from the user entry found as a result of the user search
|
||||||
|
will be used to replace the "{}" placeholder(s) in the group
|
||||||
|
search Filter. For example, specifying "uid" as the UserAttributeForFilter
|
||||||
|
while specifying "&(objectClass=posixGroup)(memberUid={})" as
|
||||||
|
the Filter would search for groups by replacing the "{}" placeholder
|
||||||
|
in the Filter with the value of the user's "uid" attribute.
|
||||||
|
Optional. When not specified, the default will act as if "dn"
|
||||||
|
were specified. For example, leaving UserAttributeForFilter
|
||||||
|
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
|
||||||
|
as the Filter would search for groups by replacing the "{}"
|
||||||
|
placeholder(s) with the dn (distinguished name) of the user.
|
||||||
|
type: string
|
||||||
type: object
|
type: object
|
||||||
host:
|
host:
|
||||||
description: 'Host is the hostname of this Active Directory identity
|
description: 'Host is the hostname of this Active Directory identity
|
||||||
|
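--- a/generated/1.27/README.adoc
+++ b/generated/1.27/README.adoc
@@ -1058,7 +1058,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
 |===
 | Field | Description
 | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
-| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
+| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
+| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
 | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider.
 In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.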
|
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package v1alpha1
|
package v1alpha1
|
||||||
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
|
|
||||||
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
||||||
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
||||||
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
|
// value of an attribute of the user entry found as a result of the user search. Which attribute's
|
||||||
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see
|
// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
|
||||||
// https://ldap.com/ldap-filters.
|
// E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
||||||
|
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
||||||
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
||||||
// Optional. When not specified, the default will act as if the filter were specified as
|
// Optional. When not specified, the default will act as if the filter were specified as
|
||||||
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
||||||
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
// +optional
|
// +optional
|
||||||
Filter string `json:"filter,omitempty"`
|
Filter string `json:"filter,omitempty"`
|
||||||
|
|
||||||
|
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
|
||||||
|
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
|
||||||
|
// For example, specifying "uid" as the UserAttributeForFilter while specifying
|
||||||
|
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
|
||||||
|
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
|
||||||
|
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
|
||||||
|
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
|
||||||
|
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
|
||||||
|
// +optional
|
||||||
|
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
|
||||||
|
|
||||||
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
||||||
// the result of the group search.
|
// the result of the group search.
|
||||||
// +optional
|
// +optional
|
||||||
|
@ -107,10 +107,11 @@ spec:
|
|||||||
description: Filter is the ActiveDirectory search filter which
|
description: Filter is the ActiveDirectory search filter which
|
||||||
should be applied when searching for groups for a user. The
|
should be applied when searching for groups for a user. The
|
||||||
pattern "{}" must occur in the filter at least once and will
|
pattern "{}" must occur in the filter at least once and will
|
||||||
be dynamically replaced by the dn (distinguished name) of the
|
be dynamically replaced by the value of an attribute of the
|
||||||
user entry found as a result of the user search. E.g. "member={}"
|
user entry found as a result of the user search. Which attribute's
|
||||||
or "&(objectClass=groupOfNames)(member={})". For more information
|
value is used to replace the placeholder(s) depends on the value
|
||||||
about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
||||||
|
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
||||||
Note that the dn (distinguished name) is not an attribute of
|
Note that the dn (distinguished name) is not an attribute of
|
||||||
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
||||||
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
||||||
@ -142,6 +143,20 @@ spec:
|
|||||||
carefully read all release notes before upgrading to ensure
|
carefully read all release notes before upgrading to ensure
|
||||||
that the meaning of this field has not changed."
|
that the meaning of this field has not changed."
|
||||||
type: boolean
|
type: boolean
|
||||||
|
userAttributeForFilter:
|
||||||
|
description: UserAttributeForFilter specifies which attribute's
|
||||||
|
value from the user entry found as a result of the user search
|
||||||
|
will be used to replace the "{}" placeholder(s) in the group
|
||||||
|
search Filter. For example, specifying "uid" as the UserAttributeForFilter
|
||||||
|
while specifying "&(objectClass=posixGroup)(memberUid={})" as
|
||||||
|
the Filter would search for groups by replacing the "{}" placeholder
|
||||||
|
in the Filter with the value of the user's "uid" attribute.
|
||||||
|
Optional. When not specified, the default will act as if "dn"
|
||||||
|
were specified. For example, leaving UserAttributeForFilter
|
||||||
|
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
|
||||||
|
as the Filter would search for groups by replacing the "{}"
|
||||||
|
placeholder(s) with the dn (distinguished name) of the user.
|
||||||
|
type: string
|
||||||
type: object
|
type: object
|
||||||
host:
|
host:
|
||||||
description: 'Host is the hostname of this Active Directory identity
|
description: 'Host is the hostname of this Active Directory identity
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package v1alpha1
|
package v1alpha1
|
||||||
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
|
|
||||||
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
|
||||||
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
|
||||||
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
|
// value of an attribute of the user entry found as a result of the user search. Which attribute's
|
||||||
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see
|
// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
|
||||||
// https://ldap.com/ldap-filters.
|
// E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
||||||
|
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
||||||
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
|
||||||
// Optional. When not specified, the default will act as if the filter were specified as
|
// Optional. When not specified, the default will act as if the filter were specified as
|
||||||
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
||||||
@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
|
|||||||
// +optional
|
// +optional
|
||||||
Filter string `json:"filter,omitempty"`
|
Filter string `json:"filter,omitempty"`
|
||||||
|
|
||||||
|
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
|
||||||
|
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
|
||||||
|
// For example, specifying "uid" as the UserAttributeForFilter while specifying
|
||||||
|
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
|
||||||
|
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
|
||||||
|
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
|
||||||
|
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
|
||||||
|
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
|
||||||
|
// +optional
|
||||||
|
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
|
||||||
|
|
||||||
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
|
||||||
// the result of the group search.
|
// the result of the group search.
|
||||||
// +optional
|
// +optional
|
||||||
|
@ -441,7 +441,7 @@ func TestGetAPIResourceList(t *testing.T) { //nolint:gocyclo // each t.Run is pr
|
|||||||
// over time, make a rudimentary assertion that this test exercised the whole tree of all fields of all
|
// over time, make a rudimentary assertion that this test exercised the whole tree of all fields of all
|
||||||
// Pinniped API resources. Without this, the test could accidentally skip parts of the tree if the
|
// Pinniped API resources. Without this, the test could accidentally skip parts of the tree if the
|
||||||
// format has changed.
|
// format has changed.
|
||||||
require.Equal(t, 226, foundFieldNames,
|
require.Equal(t, 227, foundFieldNames,
|
||||||
"Expected to find all known fields of all Pinniped API resources. "+
|
"Expected to find all known fields of all Pinniped API resources. "+
|
||||||
"You may will need to update this expectation if you added new fields to the API types.",
|
"You may will need to update this expectation if you added new fields to the API types.",
|
||||||
)
|
)
|
||||||
|