From cec3c2133af1bf69577874366a6699e59f27c2da Mon Sep 17 00:00:00 2001
From: Margo Crawford
Date: Thu, 19 Aug 2021 16:27:43 -0700
Subject: [PATCH] Update with new default values
---
 .../howto/configure-supervisor-with-activedirectory.md | 2 +-
 .../docs/reference/active-directory-configuration.md | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/site/content/docs/howto/configure-supervisor-with-activedirectory.md b/site/content/docs/howto/configure-supervisor-with-activedirectory.md
index d86383e7..af852902 100644
--- a/site/content/docs/howto/configure-supervisor-with-activedirectory.md
+++ b/site/content/docs/howto/configure-supervisor-with-activedirectory.md
@@ -117,7 +117,7 @@ spec:
 # Specifies the name of the attribute in the LDAP entry whose
 # value shall be used to uniquely identify the user within this
 # LDAP provider after a successful authentication.
- uid: "objectSid"
+ uid: "objectGUID"
 # Specify how to search for the group membership of an end-user during login.
 groupSearch:
diff --git a/site/content/docs/reference/active-directory-configuration.md b/site/content/docs/reference/active-directory-configuration.md
index cd96f4f7..c7726364 100644
--- a/site/content/docs/reference/active-directory-configuration.md
+++ b/site/content/docs/reference/active-directory-configuration.md
@@ -20,7 +20,7 @@ menu:
 ### `spec.userSearch.attributes.username`
-*Default Behavior*: The `samAccountName` attribute will become the user's Kubernetes username.
+*Default Behavior*: The `userPrincipalName` attribute will become the user's Kubernetes username.
 ### `spec.userSearch.attributes.uid`
 *Default Behavior*: The `objectGUID` attribute will be used to uniquely identify users.
@@ -28,14 +28,14 @@ menu:
 ### `spec.userSearch.filter`
 *Default Behavior*:
 ```
-"(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={})(mail={}))(sAMAccountType=805306368))"
+"(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={})(mail={})(userPrincipalName={}))(sAMAccountType=805306368))"
 ```
 Requires the following of the Active Directory entry of the user specified:
 * is a person.
 * is not a computer.
 * is not shown in advanced view only (which would likely mean its a system created service account with advanced permissions).
-* either the `sAMAccountName` or the `mail` attribute matches the input username.
+* either the `sAMAccountName`, the `userPrincipalName`, or the `mail` attribute matches the input username.
 * the `sAMAccountType` is for a normal user account.
 ### `spec.groupSearch.base`
@@ -45,7 +45,7 @@ Requires the following of the Active Directory entry of the user specified:
 *Implications*: Searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
 ### `spec.groupSearch.attributes.groupName`
-*Default Behavior*: The `sAMAccountName` attributes of the groups will become their groups in Kubernetes.
+*Default Behavior*: The attribute that will become the user's groups in Kubernetes will look like `sAMAccountName@domain` (where domain is constructed from the domain components of the group).
 ### `spec.groupSearch.filter`