honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

document the user_group_attribute setting for LDAP realms 

Closes elastic/elasticsearch#284

Original commit: elastic/x-pack-elasticsearch@d90aecbe3b
This commit is contained in:
jaymode 2015-09-18 08:13:29 -04:00
parent 84ffc956a8
commit 7380e45abb
2 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
shield/docs/public/reference.asciidoc
View File

@ -247,6 +247,7 @@ shield.authc.realms:
| `bind_dn` | no | Empty | The DN of the user that will be used to bind to the LDAP and perform searches. If this is not specified, an anonymous bind will be attempted. | `bind_dn` | no | Empty | The DN of the user that will be used to bind to the LDAP and perform searches. If this is not specified, an anonymous bind will be attempted.
| `bind_password` | no | Empty | The password for the user that will be used to bind to the LDAP. | `bind_password` | no | Empty | The password for the user that will be used to bind to the LDAP.
| `user_dn_templates` | yes * | - | The DN template that replaces the user name with the string `{0}`. This element is multivalued, allowing for multiple user contexts. | `user_dn_templates` | yes * | - | The DN template that replaces the user name with the string `{0}`. This element is multivalued, allowing for multiple user contexts.
| `user_group_attribute` | no | `memberOf` | Specifies the attribute to examine on the user for group membership. The default is `memberOf`. This setting will be ignored if any `group_search` settings are specified.
| `user_search.base_dn` | yes * | - | Specifies a container DN to search for users. | `user_search.base_dn` | yes * | - | Specifies a container DN to search for users.
| `user_search.scope` | no | `sub_tree` | The scope of the user search. Valid values are `sub_tree`, `one_level` or `base`. `one_level` only searches objects directly contained within the `base_dn`. `sub_tree` searches all objects contained under `base_dn`. `base` specifies that the `base_dn` is the user object, and that it is the only user considered. | `user_search.scope` | no | `sub_tree` | The scope of the user search. Valid values are `sub_tree`, `one_level` or `base`. `one_level` only searches objects directly contained within the `base_dn`. `sub_tree` searches all objects contained under `base_dn`. `base` specifies that the `base_dn` is the user object, and that it is the only user considered.
| `user_search.attribute` | no | `uid` | The attribute to match with the username presented to Shield. | `user_search.attribute` | no | `uid` | The attribute to match with the username presented to Shield.
@ -255,7 +256,7 @@ shield.authc.realms:
| `user_search.pool.health_check.enabled` | no | `true` | Flag to enable or disable a health check on LDAP connections in the connection pool. Connections will be checked in the background at the specified interval. | `user_search.pool.health_check.enabled` | no | `true` | Flag to enable or disable a health check on LDAP connections in the connection pool. Connections will be checked in the background at the specified interval.
| `user_search.pool.health_check.dn` | no | Value of `bind_dn` | The distinguished name to be retrieved as part of the health check. If `bind_dn` is not specified, a value must be specified. | `user_search.pool.health_check.dn` | no | Value of `bind_dn` | The distinguished name to be retrieved as part of the health check. If `bind_dn` is not specified, a value must be specified.
| `user_search.pool.health_check.interval` | no | `60s` | The interval to perform background checks of connections in the pool. | `user_search.pool.health_check.interval` | no | `60s` | The interval to perform background checks of connections in the pool.
| `group_search.base_dn` | yes | - | The container DN to search for groups in which the user has membership. When this element is absent, Shield searches for a `memberOf` attribute set on the user in order to determine group membership. | `group_search.base_dn` | no | - | The container DN to search for groups in which the user has membership. When this element is absent, Shield searches for the attribute specified by `user_group_attribute` set on the user in order to determine group membership.
| `group_search.scope` | no | `sub_tree` | Specifies whether the group search should be `sub_tree`, `one_level` or `base`. `one_level` only searches objects directly contained within the `base_dn`. `sub_tree` searches all objects contained under `base_dn`. `base` specifies that the `base_dn` is a group object, and that it is the only group considered. | `group_search.scope` | no | `sub_tree` | Specifies whether the group search should be `sub_tree`, `one_level` or `base`. `one_level` only searches objects directly contained within the `base_dn`. `sub_tree` searches all objects contained under `base_dn`. `base` specifies that the `base_dn` is a group object, and that it is the only group considered.
| `group_search.filter` | no | See description | When not set, the realm will search for `group`, `groupOfNames`, or `groupOfUniqueNames`, with the attributes `member` or `memberOf`. Any instance of `{0}` in the filter will be replaced by the user attribute defined in `group_search.user_attribute` | `group_search.filter` | no | See description | When not set, the realm will search for `group`, `groupOfNames`, or `groupOfUniqueNames`, with the attributes `member` or `memberOf`. Any instance of `{0}` in the filter will be replaced by the user attribute defined in `group_search.user_attribute`
| `group_search.user_attribute` | no | Empty | Specifies the user attribute that will be fetched and provided as a parameter to the filter. If not set, the user DN is passed into the filter. | `group_search.user_attribute` | no | Empty | Specifies the user attribute that will be fetched and provided as a parameter to the filter. If not set, the user DN is passed into the filter.

8
shield/docs/public/setting-up-authentication/configuring-ldap-realm.asciidoc
View File

@ -120,10 +120,14 @@ shield:
| `url` | yes | Specifies an LDAP URL of the form of | `url` | yes | Specifies an LDAP URL of the form of
`ldap[s]://<server>:<port>`. Shield attempts to `ldap[s]://<server>:<port>`. Shield attempts to
authenticate against this URL. authenticate against this URL.
| `user_group_attribute` | no | Specifies the attribute to examine on the user for group
membership. The default is `memberOf`. This setting will
be ignored if any `group_search` settings are specified.
| `group_search.base_dn` | no | Specifies a container DN to search for groups in which | `group_search.base_dn` | no | Specifies a container DN to search for groups in which
the user has membership. When this element is absent, the user has membership. When this element is absent,
Shield searches for a `memberOf` attribute set on the Shield searches for the attribute specified by
user to determine group membership. `user_group_attribute` set on the user to determine
group membership.
| `group_search.scope` | no | Specifies whether the group search should be | `group_search.scope` | no | Specifies whether the group search should be
`sub_tree`, `one_level` or `base`. `one_level` only `sub_tree`, `one_level` or `base`. `one_level` only
searches objects directly contained within the searches objects directly contained within the