Change some comments on API docs, fix lint error by ignoring it

apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go.tmpl

@@ -64,7 +64,8 @@ type ActiveDirectoryIdentityProviderGroupSearchAttributes struct {
 	// in the user's list of groups after a successful authentication.
 	// The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory
 	// server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
-	// Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain".
+	// Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain",
+	// where domain is constructed from the domain components of the group DN.
 	// +optional
 	GroupName string `json:"groupName,omitempty"`
 }
@@ -72,7 +73,11 @@ type ActiveDirectoryIdentityProviderGroupSearchAttributes struct {
 type ActiveDirectoryIdentityProviderUserSearch struct {
 	// Base is the dn (distinguished name) that should be used as the search base when searching for users.
 	// E.g. "ou=users,dc=example,dc=com".
-	// Optional, when not specified it will be based on the result of a query for the default naming context.
+	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+	// The default behavior searches your entire domain for users.
+	// It may make sense to specify a subtree as a search base if you wish to exclude some users
+	// or to make searches faster.
 	// +optional
 	Base string `json:"base,omitempty"`
 
@@ -83,6 +88,10 @@ type ActiveDirectoryIdentityProviderUserSearch struct {
 	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
 	// Optional. When not specified, the default will be
 	// '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+	// This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account,
+	// and is not shown in advanced view only
+	// (which would likely mean its a system created service account with advanced permissions).
+	// Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
 	// +optional
 	Filter string `json:"filter,omitempty"`
 
@@ -95,7 +104,11 @@ type ActiveDirectoryIdentityProviderUserSearch struct {
 type ActiveDirectoryIdentityProviderGroupSearch struct {
 	// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
 	// "ou=groups,dc=example,dc=com".
-	// Optional, when not specified it will be based on the result of a query for the default naming context.
+	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+	// The default behavior searches your entire domain for groups.
+	// It may make sense to specify a subtree as a search base if you wish to exclude some groups
+	// for security reasons or to make searches faster.
 	// +optional
 	Base string `json:"base,omitempty"`
 

deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml

@@ -89,14 +89,20 @@ spec:
                           the ActiveDirectory server in the user's entry. E.g. "cn"
                           for common name. Distinguished names can be used by specifying
                           lower-case "dn". Optional. When not specified, this defaults
-                          to a custom field that looks like "sAMAccountName@domain".
+                          to a custom field that looks like "sAMAccountName@domain",
+                          where domain is constructed from the domain components of
+                          the group DN.
                         type: string
                     type: object
                   base:
                     description: Base is the dn (distinguished name) that should be
                       used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com".
                       Optional, when not specified it will be based on the result
-                      of a query for the default naming context.
+                      of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+                      The default behavior searches your entire domain for groups.
+                      It may make sense to specify a subtree as a search base if you
+                      wish to exclude some groups for security reasons or to make
+                      searches faster.
                     type: string
                   filter:
                     description: Filter is the ActiveDirectory search filter which
@@ -155,7 +161,10 @@ spec:
                     description: Base is the dn (distinguished name) that should be
                       used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
                       Optional, when not specified it will be based on the result
-                      of a query for the default naming context.
+                      of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+                      The default behavior searches your entire domain for users.
+                      It may make sense to specify a subtree as a search base if you
+                      wish to exclude some users or to make searches faster.
                     type: string
                   filter:
                     description: Filter is the search filter which should be applied
@@ -167,6 +176,12 @@ spec:
                       dn (distinguished name) is not an attribute of an entry, so
                       "dn={}" cannot be used. Optional. When not specified, the default
                       will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+                      This means that the user is a person, is not a computer, the
+                      sAMAccountType is for a normal user account, and is not shown
+                      in advanced view only (which would likely mean its a system
+                      created service account with advanced permissions). Also, either
+                      the sAMAccountName, the userPrincipalName, or the mail attribute
+                      matches the input username.
                     type: string
                 type: object
             required:

generated/1.17/README.adoc

@@ -798,7 +798,7 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the default naming context.
+| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
 | *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
 |===
@@ -817,7 +817,7 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`groupName`* __string__ | GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name in the user's list of groups after a successful authentication. The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain".
+| *`groupName`* __string__ | GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name in the user's list of groups after a successful authentication. The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", where domain is constructed from the domain components of the group DN.
 |===
 
 
@@ -875,8 +875,8 @@ Status of an Active Directory identity provider.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the default naming context.
+| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. It may make sense to specify a subtree as a search base if you wish to exclude some users or to make searches faster.
-| *`filter`* __string__ | Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+| *`filter`* __string__ | Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, and is not shown in advanced view only (which would likely mean its a system created service account with advanced permissions). Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderusersearchattributes[$$ActiveDirectoryIdentityProviderUserSearchAttributes$$]__ | Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as the result of the user search.
 |===
 

generated/1.17/apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go

@@ -64,7 +64,8 @@ type ActiveDirectoryIdentityProviderGroupSearchAttributes struct {
 	// in the user's list of groups after a successful authentication.
 	// The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory
 	// server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
-	// Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain".
+	// Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain",
+	// where domain is constructed from the domain components of the group DN.
 	// +optional
 	GroupName string `json:"groupName,omitempty"`
 }
@@ -72,7 +73,11 @@ type ActiveDirectoryIdentityProviderGroupSearchAttributes struct {
 type ActiveDirectoryIdentityProviderUserSearch struct {
 	// Base is the dn (distinguished name) that should be used as the search base when searching for users.
 	// E.g. "ou=users,dc=example,dc=com".
-	// Optional, when not specified it will be based on the result of a query for the default naming context.
+	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+	// The default behavior searches your entire domain for users.
+	// It may make sense to specify a subtree as a search base if you wish to exclude some users
+	// or to make searches faster.
 	// +optional
 	Base string `json:"base,omitempty"`
 
@@ -83,6 +88,10 @@ type ActiveDirectoryIdentityProviderUserSearch struct {
 	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
 	// Optional. When not specified, the default will be
 	// '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+	// This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account,
+	// and is not shown in advanced view only
+	// (which would likely mean its a system created service account with advanced permissions).
+	// Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
 	// +optional
 	Filter string `json:"filter,omitempty"`
 
@@ -95,7 +104,11 @@ type ActiveDirectoryIdentityProviderUserSearch struct {
 type ActiveDirectoryIdentityProviderGroupSearch struct {
 	// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
 	// "ou=groups,dc=example,dc=com".
-	// Optional, when not specified it will be based on the result of a query for the default naming context.
+	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+	// The default behavior searches your entire domain for groups.
+	// It may make sense to specify a subtree as a search base if you wish to exclude some groups
+	// for security reasons or to make searches faster.
 	// +optional
 	Base string `json:"base,omitempty"`
 

generated/1.17/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml

@@ -89,14 +89,20 @@ spec:
                           the ActiveDirectory server in the user's entry. E.g. "cn"
                           for common name. Distinguished names can be used by specifying
                           lower-case "dn". Optional. When not specified, this defaults
-                          to a custom field that looks like "sAMAccountName@domain".
+                          to a custom field that looks like "sAMAccountName@domain",
+                          where domain is constructed from the domain components of
+                          the group DN.
                         type: string
                     type: object
                   base:
                     description: Base is the dn (distinguished name) that should be
                       used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com".
                       Optional, when not specified it will be based on the result
-                      of a query for the default naming context.
+                      of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+                      The default behavior searches your entire domain for groups.
+                      It may make sense to specify a subtree as a search base if you
+                      wish to exclude some groups for security reasons or to make
+                      searches faster.
                     type: string
                   filter:
                     description: Filter is the ActiveDirectory search filter which
@@ -155,7 +161,10 @@ spec:
                     description: Base is the dn (distinguished name) that should be
                       used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
                       Optional, when not specified it will be based on the result
-                      of a query for the default naming context.
+                      of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+                      The default behavior searches your entire domain for users.
+                      It may make sense to specify a subtree as a search base if you
+                      wish to exclude some users or to make searches faster.
                     type: string
                   filter:
                     description: Filter is the search filter which should be applied
@@ -167,6 +176,12 @@ spec:
                       dn (distinguished name) is not an attribute of an entry, so
                       "dn={}" cannot be used. Optional. When not specified, the default
                       will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+                      This means that the user is a person, is not a computer, the
+                      sAMAccountType is for a normal user account, and is not shown
+                      in advanced view only (which would likely mean its a system
+                      created service account with advanced permissions). Also, either
+                      the sAMAccountName, the userPrincipalName, or the mail attribute
+                      matches the input username.
                     type: string
                 type: object
             required:

generated/1.18/README.adoc

@@ -798,7 +798,7 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the default naming context.
+| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
 | *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
 |===
@@ -817,7 +817,7 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`groupName`* __string__ | GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name in the user's list of groups after a successful authentication. The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain".
+| *`groupName`* __string__ | GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name in the user's list of groups after a successful authentication. The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", where domain is constructed from the domain components of the group DN.
 |===
 
 
@@ -875,8 +875,8 @@ Status of an Active Directory identity provider.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the default naming context.
+| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. It may make sense to specify a subtree as a search base if you wish to exclude some users or to make searches faster.
-| *`filter`* __string__ | Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+| *`filter`* __string__ | Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, and is not shown in advanced view only (which would likely mean its a system created service account with advanced permissions). Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderusersearchattributes[$$ActiveDirectoryIdentityProviderUserSearchAttributes$$]__ | Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as the result of the user search.
 |===
 

generated/1.18/apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go

@@ -64,7 +64,8 @@ type ActiveDirectoryIdentityProviderGroupSearchAttributes struct {
 	// in the user's list of groups after a successful authentication.
 	// The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory
 	// server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
-	// Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain".
+	// Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain",
+	// where domain is constructed from the domain components of the group DN.
 	// +optional
 	GroupName string `json:"groupName,omitempty"`
 }
@@ -72,7 +73,11 @@ type ActiveDirectoryIdentityProviderGroupSearchAttributes struct {
 type ActiveDirectoryIdentityProviderUserSearch struct {
 	// Base is the dn (distinguished name) that should be used as the search base when searching for users.
 	// E.g. "ou=users,dc=example,dc=com".
-	// Optional, when not specified it will be based on the result of a query for the default naming context.
+	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+	// The default behavior searches your entire domain for users.
+	// It may make sense to specify a subtree as a search base if you wish to exclude some users
+	// or to make searches faster.
 	// +optional
 	Base string `json:"base,omitempty"`
 
@@ -83,6 +88,10 @@ type ActiveDirectoryIdentityProviderUserSearch struct {
 	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
 	// Optional. When not specified, the default will be
 	// '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+	// This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account,
+	// and is not shown in advanced view only
+	// (which would likely mean its a system created service account with advanced permissions).
+	// Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
 	// +optional
 	Filter string `json:"filter,omitempty"`
 
@@ -95,7 +104,11 @@ type ActiveDirectoryIdentityProviderUserSearch struct {
 type ActiveDirectoryIdentityProviderGroupSearch struct {
 	// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
 	// "ou=groups,dc=example,dc=com".
-	// Optional, when not specified it will be based on the result of a query for the default naming context.
+	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+	// The default behavior searches your entire domain for groups.
+	// It may make sense to specify a subtree as a search base if you wish to exclude some groups
+	// for security reasons or to make searches faster.
 	// +optional
 	Base string `json:"base,omitempty"`
 

generated/1.18/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml

@@ -89,14 +89,20 @@ spec:
                           the ActiveDirectory server in the user's entry. E.g. "cn"
                           for common name. Distinguished names can be used by specifying
                           lower-case "dn". Optional. When not specified, this defaults
-                          to a custom field that looks like "sAMAccountName@domain".
+                          to a custom field that looks like "sAMAccountName@domain",
+                          where domain is constructed from the domain components of
+                          the group DN.
                         type: string
                     type: object
                   base:
                     description: Base is the dn (distinguished name) that should be
                       used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com".
                       Optional, when not specified it will be based on the result
-                      of a query for the default naming context.
+                      of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+                      The default behavior searches your entire domain for groups.
+                      It may make sense to specify a subtree as a search base if you
+                      wish to exclude some groups for security reasons or to make
+                      searches faster.
                     type: string
                   filter:
                     description: Filter is the ActiveDirectory search filter which
@@ -155,7 +161,10 @@ spec:
                     description: Base is the dn (distinguished name) that should be
                       used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
                       Optional, when not specified it will be based on the result
-                      of a query for the default naming context.
+                      of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+                      The default behavior searches your entire domain for users.
+                      It may make sense to specify a subtree as a search base if you
+                      wish to exclude some users or to make searches faster.
                     type: string
                   filter:
                     description: Filter is the search filter which should be applied
@@ -167,6 +176,12 @@ spec:
                       dn (distinguished name) is not an attribute of an entry, so
                       "dn={}" cannot be used. Optional. When not specified, the default
                       will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+                      This means that the user is a person, is not a computer, the
+                      sAMAccountType is for a normal user account, and is not shown
+                      in advanced view only (which would likely mean its a system
+                      created service account with advanced permissions). Also, either
+                      the sAMAccountName, the userPrincipalName, or the mail attribute
+                      matches the input username.
                     type: string
                 type: object
             required:

generated/1.19/README.adoc

@@ -798,7 +798,7 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the default naming context.
+| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
 | *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
 |===
@@ -817,7 +817,7 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`groupName`* __string__ | GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name in the user's list of groups after a successful authentication. The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain".
+| *`groupName`* __string__ | GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name in the user's list of groups after a successful authentication. The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", where domain is constructed from the domain components of the group DN.
 |===
 
 
@@ -875,8 +875,8 @@ Status of an Active Directory identity provider.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the default naming context.
+| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. It may make sense to specify a subtree as a search base if you wish to exclude some users or to make searches faster.
-| *`filter`* __string__ | Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+| *`filter`* __string__ | Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, and is not shown in advanced view only (which would likely mean its a system created service account with advanced permissions). Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderusersearchattributes[$$ActiveDirectoryIdentityProviderUserSearchAttributes$$]__ | Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as the result of the user search.
 |===
 

generated/1.19/apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go

@@ -64,7 +64,8 @@ type ActiveDirectoryIdentityProviderGroupSearchAttributes struct {
 	// in the user's list of groups after a successful authentication.
 	// The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory
 	// server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
-	// Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain".
+	// Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain",
+	// where domain is constructed from the domain components of the group DN.
 	// +optional
 	GroupName string `json:"groupName,omitempty"`
 }
@@ -72,7 +73,11 @@ type ActiveDirectoryIdentityProviderGroupSearchAttributes struct {
 type ActiveDirectoryIdentityProviderUserSearch struct {
 	// Base is the dn (distinguished name) that should be used as the search base when searching for users.
 	// E.g. "ou=users,dc=example,dc=com".
-	// Optional, when not specified it will be based on the result of a query for the default naming context.
+	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+	// The default behavior searches your entire domain for users.
+	// It may make sense to specify a subtree as a search base if you wish to exclude some users
+	// or to make searches faster.
 	// +optional
 	Base string `json:"base,omitempty"`
 
@@ -83,6 +88,10 @@ type ActiveDirectoryIdentityProviderUserSearch struct {
 	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
 	// Optional. When not specified, the default will be
 	// '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+	// This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account,
+	// and is not shown in advanced view only
+	// (which would likely mean its a system created service account with advanced permissions).
+	// Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
 	// +optional
 	Filter string `json:"filter,omitempty"`
 
@@ -95,7 +104,11 @@ type ActiveDirectoryIdentityProviderUserSearch struct {
 type ActiveDirectoryIdentityProviderGroupSearch struct {
 	// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
 	// "ou=groups,dc=example,dc=com".
-	// Optional, when not specified it will be based on the result of a query for the default naming context.
+	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+	// The default behavior searches your entire domain for groups.
+	// It may make sense to specify a subtree as a search base if you wish to exclude some groups
+	// for security reasons or to make searches faster.
 	// +optional
 	Base string `json:"base,omitempty"`
 

generated/1.19/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml

@@ -89,14 +89,20 @@ spec:
                           the ActiveDirectory server in the user's entry. E.g. "cn"
                           for common name. Distinguished names can be used by specifying
                           lower-case "dn". Optional. When not specified, this defaults
-                          to a custom field that looks like "sAMAccountName@domain".
+                          to a custom field that looks like "sAMAccountName@domain",
+                          where domain is constructed from the domain components of
+                          the group DN.
                         type: string
                     type: object
                   base:
                     description: Base is the dn (distinguished name) that should be
                       used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com".
                       Optional, when not specified it will be based on the result
-                      of a query for the default naming context.
+                      of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+                      The default behavior searches your entire domain for groups.
+                      It may make sense to specify a subtree as a search base if you
+                      wish to exclude some groups for security reasons or to make
+                      searches faster.
                     type: string
                   filter:
                     description: Filter is the ActiveDirectory search filter which
@@ -155,7 +161,10 @@ spec:
                     description: Base is the dn (distinguished name) that should be
                       used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
                       Optional, when not specified it will be based on the result
-                      of a query for the default naming context.
+                      of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+                      The default behavior searches your entire domain for users.
+                      It may make sense to specify a subtree as a search base if you
+                      wish to exclude some users or to make searches faster.
                     type: string
                   filter:
                     description: Filter is the search filter which should be applied
@@ -167,6 +176,12 @@ spec:
                       dn (distinguished name) is not an attribute of an entry, so
                       "dn={}" cannot be used. Optional. When not specified, the default
                       will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+                      This means that the user is a person, is not a computer, the
+                      sAMAccountType is for a normal user account, and is not shown
+                      in advanced view only (which would likely mean its a system
+                      created service account with advanced permissions). Also, either
+                      the sAMAccountName, the userPrincipalName, or the mail attribute
+                      matches the input username.
                     type: string
                 type: object
             required:

generated/1.20/README.adoc

@@ -798,7 +798,7 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the default naming context.
+| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
 | *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
 |===
@@ -817,7 +817,7 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`groupName`* __string__ | GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name in the user's list of groups after a successful authentication. The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain".
+| *`groupName`* __string__ | GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name in the user's list of groups after a successful authentication. The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", where domain is constructed from the domain components of the group DN.
 |===
 
 
@@ -875,8 +875,8 @@ Status of an Active Directory identity provider.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the default naming context.
+| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. It may make sense to specify a subtree as a search base if you wish to exclude some users or to make searches faster.
-| *`filter`* __string__ | Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+| *`filter`* __string__ | Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, and is not shown in advanced view only (which would likely mean its a system created service account with advanced permissions). Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderusersearchattributes[$$ActiveDirectoryIdentityProviderUserSearchAttributes$$]__ | Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as the result of the user search.
 |===
 

generated/1.20/apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go

@@ -64,7 +64,8 @@ type ActiveDirectoryIdentityProviderGroupSearchAttributes struct {
 	// in the user's list of groups after a successful authentication.
 	// The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory
 	// server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
-	// Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain".
+	// Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain",
+	// where domain is constructed from the domain components of the group DN.
 	// +optional
 	GroupName string `json:"groupName,omitempty"`
 }
@@ -72,7 +73,11 @@ type ActiveDirectoryIdentityProviderGroupSearchAttributes struct {
 type ActiveDirectoryIdentityProviderUserSearch struct {
 	// Base is the dn (distinguished name) that should be used as the search base when searching for users.
 	// E.g. "ou=users,dc=example,dc=com".
-	// Optional, when not specified it will be based on the result of a query for the default naming context.
+	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+	// The default behavior searches your entire domain for users.
+	// It may make sense to specify a subtree as a search base if you wish to exclude some users
+	// or to make searches faster.
 	// +optional
 	Base string `json:"base,omitempty"`
 
@@ -83,6 +88,10 @@ type ActiveDirectoryIdentityProviderUserSearch struct {
 	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
 	// Optional. When not specified, the default will be
 	// '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+	// This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account,
+	// and is not shown in advanced view only
+	// (which would likely mean its a system created service account with advanced permissions).
+	// Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
 	// +optional
 	Filter string `json:"filter,omitempty"`
 
@@ -95,7 +104,11 @@ type ActiveDirectoryIdentityProviderUserSearch struct {
 type ActiveDirectoryIdentityProviderGroupSearch struct {
 	// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
 	// "ou=groups,dc=example,dc=com".
-	// Optional, when not specified it will be based on the result of a query for the default naming context.
+	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+	// The default behavior searches your entire domain for groups.
+	// It may make sense to specify a subtree as a search base if you wish to exclude some groups
+	// for security reasons or to make searches faster.
 	// +optional
 	Base string `json:"base,omitempty"`
 

generated/1.20/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml

@@ -89,14 +89,20 @@ spec:
                           the ActiveDirectory server in the user's entry. E.g. "cn"
                           for common name. Distinguished names can be used by specifying
                           lower-case "dn". Optional. When not specified, this defaults
-                          to a custom field that looks like "sAMAccountName@domain".
+                          to a custom field that looks like "sAMAccountName@domain",
+                          where domain is constructed from the domain components of
+                          the group DN.
                         type: string
                     type: object
                   base:
                     description: Base is the dn (distinguished name) that should be
                       used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com".
                       Optional, when not specified it will be based on the result
-                      of a query for the default naming context.
+                      of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+                      The default behavior searches your entire domain for groups.
+                      It may make sense to specify a subtree as a search base if you
+                      wish to exclude some groups for security reasons or to make
+                      searches faster.
                     type: string
                   filter:
                     description: Filter is the ActiveDirectory search filter which
@@ -155,7 +161,10 @@ spec:
                     description: Base is the dn (distinguished name) that should be
                       used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
                       Optional, when not specified it will be based on the result
-                      of a query for the default naming context.
+                      of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+                      The default behavior searches your entire domain for users.
+                      It may make sense to specify a subtree as a search base if you
+                      wish to exclude some users or to make searches faster.
                     type: string
                   filter:
                     description: Filter is the search filter which should be applied
@@ -167,6 +176,12 @@ spec:
                       dn (distinguished name) is not an attribute of an entry, so
                       "dn={}" cannot be used. Optional. When not specified, the default
                       will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+                      This means that the user is a person, is not a computer, the
+                      sAMAccountType is for a normal user account, and is not shown
+                      in advanced view only (which would likely mean its a system
+                      created service account with advanced permissions). Also, either
+                      the sAMAccountName, the userPrincipalName, or the mail attribute
+                      matches the input username.
                     type: string
                 type: object
             required:

generated/latest/apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go

@@ -64,7 +64,8 @@ type ActiveDirectoryIdentityProviderGroupSearchAttributes struct {
 	// in the user's list of groups after a successful authentication.
 	// The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory
 	// server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
-	// Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain".
+	// Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain",
+	// where domain is constructed from the domain components of the group DN.
 	// +optional
 	GroupName string `json:"groupName,omitempty"`
 }
@@ -72,7 +73,11 @@ type ActiveDirectoryIdentityProviderGroupSearchAttributes struct {
 type ActiveDirectoryIdentityProviderUserSearch struct {
 	// Base is the dn (distinguished name) that should be used as the search base when searching for users.
 	// E.g. "ou=users,dc=example,dc=com".
-	// Optional, when not specified it will be based on the result of a query for the default naming context.
+	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+	// The default behavior searches your entire domain for users.
+	// It may make sense to specify a subtree as a search base if you wish to exclude some users
+	// or to make searches faster.
 	// +optional
 	Base string `json:"base,omitempty"`
 
@@ -83,6 +88,10 @@ type ActiveDirectoryIdentityProviderUserSearch struct {
 	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
 	// Optional. When not specified, the default will be
 	// '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+	// This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account,
+	// and is not shown in advanced view only
+	// (which would likely mean its a system created service account with advanced permissions).
+	// Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
 	// +optional
 	Filter string `json:"filter,omitempty"`
 
@@ -95,7 +104,11 @@ type ActiveDirectoryIdentityProviderUserSearch struct {
 type ActiveDirectoryIdentityProviderGroupSearch struct {
 	// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
 	// "ou=groups,dc=example,dc=com".
-	// Optional, when not specified it will be based on the result of a query for the default naming context.
+	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+	// The default behavior searches your entire domain for groups.
+	// It may make sense to specify a subtree as a search base if you wish to exclude some groups
+	// for security reasons or to make searches faster.
 	// +optional
 	Base string `json:"base,omitempty"`
 

test/integration/e2e_test.go

@@ -47,7 +47,7 @@ import (
 )
 
 // TestE2EFullIntegration tests a full integration scenario that combines the supervisor, concierge, and CLI.
-func TestE2EFullIntegration(t *testing.T) {
+func TestE2EFullIntegration(t *testing.T) { // nolint:gocyclo
 	env := testlib.IntegrationEnv(t)
 
 	ctx, cancelFunc := context.WithTimeout(context.Background(), 15*time.Minute)