diff --git a/shield/docs/public/reference.asciidoc b/shield/docs/public/reference.asciidoc index cb38f664058..c300e8a0a92 100644 --- a/shield/docs/public/reference.asciidoc +++ b/shield/docs/public/reference.asciidoc @@ -247,6 +247,7 @@ shield.authc.realms: | `bind_dn` | no | Empty | The DN of the user that will be used to bind to the LDAP and perform searches. If this is not specified, an anonymous bind will be attempted. | `bind_password` | no | Empty | The password for the user that will be used to bind to the LDAP. | `user_dn_templates` | yes * | - | The DN template that replaces the user name with the string `{0}`. This element is multivalued, allowing for multiple user contexts. +| `user_group_attribute` | no | `memberOf` | Specifies the attribute to examine on the user for group membership. The default is `memberOf`. This setting will be ignored if any `group_search` settings are specified. | `user_search.base_dn` | yes * | - | Specifies a container DN to search for users. | `user_search.scope` | no | `sub_tree` | The scope of the user search. Valid values are `sub_tree`, `one_level` or `base`. `one_level` only searches objects directly contained within the `base_dn`. `sub_tree` searches all objects contained under `base_dn`. `base` specifies that the `base_dn` is the user object, and that it is the only user considered. | `user_search.attribute` | no | `uid` | The attribute to match with the username presented to Shield. @@ -255,7 +256,7 @@ shield.authc.realms: | `user_search.pool.health_check.enabled` | no | `true` | Flag to enable or disable a health check on LDAP connections in the connection pool. Connections will be checked in the background at the specified interval. | `user_search.pool.health_check.dn` | no | Value of `bind_dn` | The distinguished name to be retrieved as part of the health check. If `bind_dn` is not specified, a value must be specified. | `user_search.pool.health_check.interval` | no | `60s` | The interval to perform background checks of connections in the pool. -| `group_search.base_dn` | yes | - | The container DN to search for groups in which the user has membership. When this element is absent, Shield searches for a `memberOf` attribute set on the user in order to determine group membership. +| `group_search.base_dn` | no | - | The container DN to search for groups in which the user has membership. When this element is absent, Shield searches for the attribute specified by `user_group_attribute` set on the user in order to determine group membership. | `group_search.scope` | no | `sub_tree` | Specifies whether the group search should be `sub_tree`, `one_level` or `base`. `one_level` only searches objects directly contained within the `base_dn`. `sub_tree` searches all objects contained under `base_dn`. `base` specifies that the `base_dn` is a group object, and that it is the only group considered. | `group_search.filter` | no | See description | When not set, the realm will search for `group`, `groupOfNames`, or `groupOfUniqueNames`, with the attributes `member` or `memberOf`. Any instance of `{0}` in the filter will be replaced by the user attribute defined in `group_search.user_attribute` | `group_search.user_attribute` | no | Empty | Specifies the user attribute that will be fetched and provided as a parameter to the filter. If not set, the user DN is passed into the filter. diff --git a/shield/docs/public/setting-up-authentication/configuring-ldap-realm.asciidoc b/shield/docs/public/setting-up-authentication/configuring-ldap-realm.asciidoc index 95db4b74c5e..4e813bd4deb 100644 --- a/shield/docs/public/setting-up-authentication/configuring-ldap-realm.asciidoc +++ b/shield/docs/public/setting-up-authentication/configuring-ldap-realm.asciidoc @@ -120,10 +120,14 @@ shield: | `url` | yes | Specifies an LDAP URL of the form of `ldap[s]://:`. Shield attempts to authenticate against this URL. +| `user_group_attribute` | no | Specifies the attribute to examine on the user for group + membership. The default is `memberOf`. This setting will + be ignored if any `group_search` settings are specified. | `group_search.base_dn` | no | Specifies a container DN to search for groups in which the user has membership. When this element is absent, - Shield searches for a `memberOf` attribute set on the - user to determine group membership. + Shield searches for the attribute specified by + `user_group_attribute` set on the user to determine + group membership. | `group_search.scope` | no | Specifies whether the group search should be `sub_tree`, `one_level` or `base`. `one_level` only searches objects directly contained within the