From ae4d6ace3726a5179ef2ab6122ac20dd2fba0bb6 Mon Sep 17 00:00:00 2001 
From: Ryan Richard Date: Tue, 23 May 2023 16:51:36 -0700 Subject: [PATCH] Add LDAPIdentityProvider.spec.groupSearch.userAttributeForFilter --- .../types_ldapidentityprovider.go.tmpl | 21 +++++++++++++---- ...or.pinniped.dev_ldapidentityproviders.yaml | 23 +++++++++++++++---- generated/1.17/README.adoc | 5 ++-- .../v1alpha1/types_ldapidentityprovider.go | 21 +++++++++++++---- ...or.pinniped.dev_ldapidentityproviders.yaml | 23 +++++++++++++++---- generated/1.18/README.adoc | 5 ++-- .../v1alpha1/types_ldapidentityprovider.go | 21 +++++++++++++---- ...or.pinniped.dev_ldapidentityproviders.yaml | 23 +++++++++++++++---- generated/1.19/README.adoc | 5 ++-- .../v1alpha1/types_ldapidentityprovider.go | 21 +++++++++++++---- ...or.pinniped.dev_ldapidentityproviders.yaml | 23 +++++++++++++++---- generated/1.20/README.adoc | 5 ++-- .../v1alpha1/types_ldapidentityprovider.go | 21 +++++++++++++---- ...or.pinniped.dev_ldapidentityproviders.yaml | 23 +++++++++++++++---- generated/1.21/README.adoc | 5 ++-- .../v1alpha1/types_ldapidentityprovider.go | 21 +++++++++++++---- ...or.pinniped.dev_ldapidentityproviders.yaml | 23 +++++++++++++++---- generated/1.22/README.adoc | 5 ++-- .../v1alpha1/types_ldapidentityprovider.go | 21 +++++++++++++---- ...or.pinniped.dev_ldapidentityproviders.yaml | 23 +++++++++++++++---- generated/1.23/README.adoc | 5 ++-- .../v1alpha1/types_ldapidentityprovider.go | 21 +++++++++++++---- ...or.pinniped.dev_ldapidentityproviders.yaml | 23 +++++++++++++++---- generated/1.24/README.adoc | 5 ++-- .../v1alpha1/types_ldapidentityprovider.go | 21 +++++++++++++---- ...or.pinniped.dev_ldapidentityproviders.yaml | 23 +++++++++++++++---- generated/1.25/README.adoc | 5 ++-- .../v1alpha1/types_ldapidentityprovider.go | 21 +++++++++++++---- ...or.pinniped.dev_ldapidentityproviders.yaml | 23 +++++++++++++++---- generated/1.26/README.adoc | 5 ++-- .../v1alpha1/types_ldapidentityprovider.go | 21 +++++++++++++---- ...or.pinniped.dev_ldapidentityproviders.yaml | 23 
+++++++++++++++---- generated/1.27/README.adoc | 5 ++-- .../v1alpha1/types_ldapidentityprovider.go | 21 +++++++++++++---- ...or.pinniped.dev_ldapidentityproviders.yaml | 23 +++++++++++++++---- .../v1alpha1/types_ldapidentityprovider.go | 21 +++++++++++++---- 36 files changed, 469 insertions(+), 135 deletions(-) diff --git a/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go.tmpl b/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go.tmpl index 09cb843d4..5c76d6af4 100644 --- a/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go.tmpl +++ b/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go.tmpl @@ -1,4 +1,4 @@ -// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 
@@ -101,20 +101,31 @@ type LDAPIdentityProviderGroupSearch struct { // Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. // "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and // authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, - // the values of Filter and Attributes are ignored. + // the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. // +optional Base string `json:"base,omitempty"` // Filter is the LDAP search filter which should be applied when searching for groups for a user. // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the - // dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or - // "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see - // https://ldap.com/ldap-filters. + // value of an attribute of the user entry found as a result of the user search. Which attribute's + // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + // For more information about LDAP filters, see https://ldap.com/ldap-filters. // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. // Optional. When not specified, the default will act as if the Filter were specified as "member={}". // +optional Filter string `json:"filter,omitempty"` + // UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + // the user search will be used to replace the "{}" placeholder(s) in the group search Filter. 
+ // For example, specifying "uid" as the UserAttributeForFilter while specifying + // "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + // the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + // Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + // UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + // would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. + // +optional + UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"` + // Attributes specifies how the group's information should be read from each LDAP entry which was found as // the result of the group search. // +optional diff --git a/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 211a70a1a..5799cb5c1 100644 --- a/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml 
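Review bot: The new UserAttributeForFilter comment (the block added before Attributes) does not say whether the substituted attribute value is escaped before it is spliced into the group search Filter, and that is what an operator needs to know now that the "{}" placeholder can be filled from any attribute of the user entry rather than only the dn. If the implementation escapes the value per RFC 4515 (this hunk cannot show it), say so; if it does not, an attribute that users can write to themselves, or one whose value contains `*`, `(`, `)` or `\`, would let a user alter their own group search, which feeds Kubernetes authorization decisions. I would add after the second example: `// The attribute value is escaped according to RFC 4515 before it is substituted, so it cannot change the structure of the Filter.` — adjusted to whatever the code actually does. The comment also leaves undefined what happens when the user entry lacks the attribute or has several values for it; since the outcome decides group membership, document it, e.g. `// If the user entry has no value, or more than one value, for this attribute, the login is rejected.` if that is the behavior. The enclosing struct LDAPIdentityProviderGroupSearch continues past the end of this hunk.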
@@ -96,15 +96,16 @@ spec: used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter and Attributes - are ignored. + Also, when not specified, the values of Filter, UserAttributeForFilter, + Attributes, and SkipGroupRefresh are ignored. type: string filter: description: Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically - replaced by the dn (distinguished name) of the user entry found - as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + replaced by the value of an attribute of the user entry found + as a result of the user search. Which attribute's value is used + to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, 
@@ -134,6 +135,20 @@ spec: carefully read all release notes before upgrading to ensure that the meaning of this field has not changed." type: boolean + userAttributeForFilter: + description: UserAttributeForFilter specifies which attribute's + value from the user entry found as a result of the user search + will be used to replace the "{}" placeholder(s) in the group + search Filter. For example, specifying "uid" as the UserAttributeForFilter + while specifying "&(objectClass=posixGroup)(memberUid={})" as + the Filter would search for groups by replacing the "{}" placeholder + in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" + were specified. For example, leaving UserAttributeForFilter + unspecified while specifying "&(objectClass=groupOfNames)(member={})" + as the Filter would search for groups by replacing the "{}" + placeholder(s) with the dn (distinguished name) of the user. + type: string type: object host: description: 'Host is the hostname of this LDAP identity provider, diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index e7e343c17..bf90b3bcf 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc 
@@ -1252,8 +1252,9 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire [cols="25a,75a", options="header"] |=== | Field | Description -| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter and Attributes are ignored. -| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}". +| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. +| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. 
For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}". +| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearchattributes[$$LDAPIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each LDAP entry which was found as the result of the group search. | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. 
The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. diff --git a/generated/1.17/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go b/generated/1.17/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go index 09cb843d4..5c76d6af4 100644 --- a/generated/1.17/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go +++ b/generated/1.17/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go @@ -1,4 +1,4 @@ -// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 
@@ -101,20 +101,31 @@ type LDAPIdentityProviderGroupSearch struct { // Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. // "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and // authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, - // the values of Filter and Attributes are ignored. + // the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. // +optional Base string `json:"base,omitempty"` // Filter is the LDAP search filter which should be applied when searching for groups for a user. // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the - // dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or - // "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see - // https://ldap.com/ldap-filters. + // value of an attribute of the user entry found as a result of the user search. Which attribute's + // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + // For more information about LDAP filters, see https://ldap.com/ldap-filters. // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. // Optional. When not specified, the default will act as if the Filter were specified as "member={}". // +optional Filter string `json:"filter,omitempty"` + // UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + // the user search will be used to replace the "{}" placeholder(s) in the group search Filter. 
+ // For example, specifying "uid" as the UserAttributeForFilter while specifying + // "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + // the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + // Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + // UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + // would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. + // +optional + UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"` + // Attributes specifies how the group's information should be read from each LDAP entry which was found as // the result of the group search. // +optional diff --git a/generated/1.17/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.17/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 211a70a1a..5799cb5c1 100644 --- a/generated/1.17/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.17/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml 
@@ -96,15 +96,16 @@ spec: used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter and Attributes - are ignored. + Also, when not specified, the values of Filter, UserAttributeForFilter, + Attributes, and SkipGroupRefresh are ignored. type: string filter: description: Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically - replaced by the dn (distinguished name) of the user entry found - as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + replaced by the value of an attribute of the user entry found + as a result of the user search. Which attribute's value is used + to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, 
@@ -134,6 +135,20 @@ spec: carefully read all release notes before upgrading to ensure that the meaning of this field has not changed." type: boolean + userAttributeForFilter: + description: UserAttributeForFilter specifies which attribute's + value from the user entry found as a result of the user search + will be used to replace the "{}" placeholder(s) in the group + search Filter. For example, specifying "uid" as the UserAttributeForFilter + while specifying "&(objectClass=posixGroup)(memberUid={})" as + the Filter would search for groups by replacing the "{}" placeholder + in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" + were specified. For example, leaving UserAttributeForFilter + unspecified while specifying "&(objectClass=groupOfNames)(member={})" + as the Filter would search for groups by replacing the "{}" + placeholder(s) with the dn (distinguished name) of the user. + type: string type: object host: description: 'Host is the hostname of this LDAP identity provider, diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index f0cf42d33..ba453a286 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc 
@@ -1252,8 +1252,9 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire [cols="25a,75a", options="header"] |=== | Field | Description -| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter and Attributes are ignored. -| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}". +| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. +| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. 
For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}". +| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearchattributes[$$LDAPIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each LDAP entry which was found as the result of the group search. | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. 
The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. diff --git a/generated/1.18/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go b/generated/1.18/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go index 09cb843d4..5c76d6af4 100644 --- a/generated/1.18/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go +++ b/generated/1.18/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go @@ -1,4 +1,4 @@ -// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 
@@ -101,20 +101,31 @@ type LDAPIdentityProviderGroupSearch struct { // Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. // "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and // authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, - // the values of Filter and Attributes are ignored. + // the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. // +optional Base string `json:"base,omitempty"` // Filter is the LDAP search filter which should be applied when searching for groups for a user. // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the - // dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or - // "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see - // https://ldap.com/ldap-filters. + // value of an attribute of the user entry found as a result of the user search. Which attribute's + // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + // For more information about LDAP filters, see https://ldap.com/ldap-filters. // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. // Optional. When not specified, the default will act as if the Filter were specified as "member={}". // +optional Filter string `json:"filter,omitempty"` + // UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + // the user search will be used to replace the "{}" placeholder(s) in the group search Filter. 
+ // For example, specifying "uid" as the UserAttributeForFilter while specifying + // "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + // the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + // Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + // UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + // would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. + // +optional + UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"` + // Attributes specifies how the group's information should be read from each LDAP entry which was found as // the result of the group search. // +optional diff --git a/generated/1.18/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.18/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 211a70a1a..5799cb5c1 100644 --- a/generated/1.18/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.18/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml 
@@ -96,15 +96,16 @@ spec: used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter and Attributes - are ignored. + Also, when not specified, the values of Filter, UserAttributeForFilter, + Attributes, and SkipGroupRefresh are ignored. type: string filter: description: Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically - replaced by the dn (distinguished name) of the user entry found - as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + replaced by the value of an attribute of the user entry found + as a result of the user search. Which attribute's value is used + to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, 
@@ -134,6 +135,20 @@ spec: carefully read all release notes before upgrading to ensure that the meaning of this field has not changed." type: boolean + userAttributeForFilter: + description: UserAttributeForFilter specifies which attribute's + value from the user entry found as a result of the user search + will be used to replace the "{}" placeholder(s) in the group + search Filter. For example, specifying "uid" as the UserAttributeForFilter + while specifying "&(objectClass=posixGroup)(memberUid={})" as + the Filter would search for groups by replacing the "{}" placeholder + in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" + were specified. For example, leaving UserAttributeForFilter + unspecified while specifying "&(objectClass=groupOfNames)(member={})" + as the Filter would search for groups by replacing the "{}" + placeholder(s) with the dn (distinguished name) of the user. + type: string type: object host: description: 'Host is the hostname of this LDAP identity provider, diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index 1f3fd6005..979c79b83 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc 
@@ -1252,8 +1252,9 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire [cols="25a,75a", options="header"] |=== | Field | Description -| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter and Attributes are ignored. -| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}". +| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. +| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. 
For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}". +| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearchattributes[$$LDAPIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each LDAP entry which was found as the result of the group search. | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. 
The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. diff --git a/generated/1.19/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go b/generated/1.19/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go index 09cb843d4..5c76d6af4 100644 --- a/generated/1.19/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go +++ b/generated/1.19/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go @@ -1,4 +1,4 @@ -// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 
@@ -101,20 +101,31 @@ type LDAPIdentityProviderGroupSearch struct { // Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. // "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and // authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, - // the values of Filter and Attributes are ignored. + // the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. // +optional Base string `json:"base,omitempty"` // Filter is the LDAP search filter which should be applied when searching for groups for a user. // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the - // dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or - // "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see - // https://ldap.com/ldap-filters. + // value of an attribute of the user entry found as a result of the user search. Which attribute's + // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + // For more information about LDAP filters, see https://ldap.com/ldap-filters. // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. // Optional. When not specified, the default will act as if the Filter were specified as "member={}". // +optional Filter string `json:"filter,omitempty"` + // UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + // the user search will be used to replace the "{}" placeholder(s) in the group search Filter. 
+ // For example, specifying "uid" as the UserAttributeForFilter while specifying + // "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + // the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + // Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + // UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + // would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. + // +optional + UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"` + // Attributes specifies how the group's information should be read from each LDAP entry which was found as // the result of the group search. // +optional diff --git a/generated/1.19/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.19/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 211a70a1a..5799cb5c1 100644 --- a/generated/1.19/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.19/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml 
@@ -96,15 +96,16 @@ spec: used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter and Attributes - are ignored. + Also, when not specified, the values of Filter, UserAttributeForFilter, + Attributes, and SkipGroupRefresh are ignored. type: string filter: description: Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically - replaced by the dn (distinguished name) of the user entry found - as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + replaced by the value of an attribute of the user entry found + as a result of the user search. Which attribute's value is used + to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, 
@@ -134,6 +135,20 @@ spec: carefully read all release notes before upgrading to ensure that the meaning of this field has not changed." type: boolean + userAttributeForFilter: + description: UserAttributeForFilter specifies which attribute's + value from the user entry found as a result of the user search + will be used to replace the "{}" placeholder(s) in the group + search Filter. For example, specifying "uid" as the UserAttributeForFilter + while specifying "&(objectClass=posixGroup)(memberUid={})" as + the Filter would search for groups by replacing the "{}" placeholder + in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" + were specified. For example, leaving UserAttributeForFilter + unspecified while specifying "&(objectClass=groupOfNames)(member={})" + as the Filter would search for groups by replacing the "{}" + placeholder(s) with the dn (distinguished name) of the user. + type: string type: object host: description: 'Host is the hostname of this LDAP identity provider, diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index c428a84d6..9da145050 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc 
@@ -1252,8 +1252,9 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire [cols="25a,75a", options="header"] |=== | Field | Description -| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter and Attributes are ignored. -| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}". +| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. +| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. 
For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}". +| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearchattributes[$$LDAPIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each LDAP entry which was found as the result of the group search. | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. 
The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. diff --git a/generated/1.20/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go b/generated/1.20/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go index 09cb843d4..5c76d6af4 100644 --- a/generated/1.20/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go +++ b/generated/1.20/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go @@ -1,4 +1,4 @@ -// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 
@@ -101,20 +101,31 @@ type LDAPIdentityProviderGroupSearch struct { // Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. // "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and // authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, - // the values of Filter and Attributes are ignored. + // the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. // +optional Base string `json:"base,omitempty"` // Filter is the LDAP search filter which should be applied when searching for groups for a user. // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the - // dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or - // "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see - // https://ldap.com/ldap-filters. + // value of an attribute of the user entry found as a result of the user search. Which attribute's + // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + // For more information about LDAP filters, see https://ldap.com/ldap-filters. // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. // Optional. When not specified, the default will act as if the Filter were specified as "member={}". // +optional Filter string `json:"filter,omitempty"` + // UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + // the user search will be used to replace the "{}" placeholder(s) in the group search Filter. 
+ // For example, specifying "uid" as the UserAttributeForFilter while specifying + // "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + // the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + // Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + // UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + // would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. + // +optional + UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"` + // Attributes specifies how the group's information should be read from each LDAP entry which was found as // the result of the group search. // +optional diff --git a/generated/1.20/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.20/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 211a70a1a..5799cb5c1 100644 --- a/generated/1.20/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.20/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml 
@@ -96,15 +96,16 @@ spec: used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter and Attributes - are ignored. + Also, when not specified, the values of Filter, UserAttributeForFilter, + Attributes, and SkipGroupRefresh are ignored. type: string filter: description: Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically - replaced by the dn (distinguished name) of the user entry found - as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + replaced by the value of an attribute of the user entry found + as a result of the user search. Which attribute's value is used + to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, 
@@ -134,6 +135,20 @@ spec: carefully read all release notes before upgrading to ensure that the meaning of this field has not changed." type: boolean + userAttributeForFilter: + description: UserAttributeForFilter specifies which attribute's + value from the user entry found as a result of the user search + will be used to replace the "{}" placeholder(s) in the group + search Filter. For example, specifying "uid" as the UserAttributeForFilter + while specifying "&(objectClass=posixGroup)(memberUid={})" as + the Filter would search for groups by replacing the "{}" placeholder + in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" + were specified. For example, leaving UserAttributeForFilter + unspecified while specifying "&(objectClass=groupOfNames)(member={})" + as the Filter would search for groups by replacing the "{}" + placeholder(s) with the dn (distinguished name) of the user. + type: string type: object host: description: 'Host is the hostname of this LDAP identity provider, diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc index f2af6b18c..b14a89b1d 100644 --- a/generated/1.21/README.adoc +++ b/generated/1.21/README.adoc 
@@ -1252,8 +1252,9 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire [cols="25a,75a", options="header"] |=== | Field | Description -| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter and Attributes are ignored. -| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}". +| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. +| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. 
For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}". +| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearchattributes[$$LDAPIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each LDAP entry which was found as the result of the group search. | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. 
The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. diff --git a/generated/1.21/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go b/generated/1.21/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go index 09cb843d4..5c76d6af4 100644 --- a/generated/1.21/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go +++ b/generated/1.21/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go @@ -1,4 +1,4 @@ -// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 
@@ -101,20 +101,31 @@ type LDAPIdentityProviderGroupSearch struct { // Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. // "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and // authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, - // the values of Filter and Attributes are ignored. + // the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. // +optional Base string `json:"base,omitempty"` // Filter is the LDAP search filter which should be applied when searching for groups for a user. // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the - // dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or - // "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see - // https://ldap.com/ldap-filters. + // value of an attribute of the user entry found as a result of the user search. Which attribute's + // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + // For more information about LDAP filters, see https://ldap.com/ldap-filters. // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. // Optional. When not specified, the default will act as if the Filter were specified as "member={}". // +optional Filter string `json:"filter,omitempty"` + // UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + // the user search will be used to replace the "{}" placeholder(s) in the group search Filter. 
+ // For example, specifying "uid" as the UserAttributeForFilter while specifying + // "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + // the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + // Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + // UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + // would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. + // +optional + UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"` + // Attributes specifies how the group's information should be read from each LDAP entry which was found as // the result of the group search. // +optional diff --git a/generated/1.21/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.21/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 211a70a1a..5799cb5c1 100644 --- a/generated/1.21/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.21/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml 
@@ -96,15 +96,16 @@ spec: used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter and Attributes - are ignored. + Also, when not specified, the values of Filter, UserAttributeForFilter, + Attributes, and SkipGroupRefresh are ignored. type: string filter: description: Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically - replaced by the dn (distinguished name) of the user entry found - as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + replaced by the value of an attribute of the user entry found + as a result of the user search. Which attribute's value is used + to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, 
@@ -134,6 +135,20 @@ spec: carefully read all release notes before upgrading to ensure that the meaning of this field has not changed." type: boolean + userAttributeForFilter: + description: UserAttributeForFilter specifies which attribute's + value from the user entry found as a result of the user search + will be used to replace the "{}" placeholder(s) in the group + search Filter. For example, specifying "uid" as the UserAttributeForFilter + while specifying "&(objectClass=posixGroup)(memberUid={})" as + the Filter would search for groups by replacing the "{}" placeholder + in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" + were specified. For example, leaving UserAttributeForFilter + unspecified while specifying "&(objectClass=groupOfNames)(member={})" + as the Filter would search for groups by replacing the "{}" + placeholder(s) with the dn (distinguished name) of the user. + type: string type: object host: description: 'Host is the hostname of this LDAP identity provider, diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc index 2a8e4c85f..b3de67b2e 100644 --- a/generated/1.22/README.adoc +++ b/generated/1.22/README.adoc 
@@ -1252,8 +1252,9 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire [cols="25a,75a", options="header"] |=== | Field | Description -| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter and Attributes are ignored. -| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}". +| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. +| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. 
For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}". +| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearchattributes[$$LDAPIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each LDAP entry which was found as the result of the group search. | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. 
The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. diff --git a/generated/1.22/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go b/generated/1.22/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go index 09cb843d4..5c76d6af4 100644 --- a/generated/1.22/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go +++ b/generated/1.22/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go @@ -1,4 +1,4 @@ -// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 
@@ -101,20 +101,31 @@ type LDAPIdentityProviderGroupSearch struct {
 // Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
 // "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and
 // authenticated users will not belong to any groups from the LDAP provider. Also, when not specified,
- // the values of Filter and Attributes are ignored.
+ // the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored.
 // +optional
 Base string `json:"base,omitempty"`
 // Filter is the LDAP search filter which should be applied when searching for groups for a user.
 // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
- // dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
- // "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see
- // https://ldap.com/ldap-filters.
+ // value of an attribute of the user entry found as a result of the user search. Which attribute's
+ // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
+ // For more information about LDAP filters, see https://ldap.com/ldap-filters.
 // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
 // Optional. When not specified, the default will act as if the Filter were specified as "member={}".
 // +optional
 Filter string `json:"filter,omitempty"`
+ // UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
+ // the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
+ // For example, specifying "uid" as the UserAttributeForFilter while specifying
+ // "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
+ // the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
+ // Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
+ // UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
+ // would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
+ // +optional
+ UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
+
 // Attributes specifies how the group's information should be read from each LDAP entry which was found as
 // the result of the group search.
 // +optional
diff --git a/generated/1.22/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.22/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
index 211a70a1a..5799cb5c1 100644
--- a/generated/1.22/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
+++ b/generated/1.22/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
@@ -96,15 +96,16 @@ spec:
 used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider.
- Also, when not specified, the values of Filter and Attributes
- are ignored.
+ Also, when not specified, the values of Filter, UserAttributeForFilter,
+ Attributes, and SkipGroupRefresh are ignored.
 type: string
 filter:
 description: Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically
- replaced by the dn (distinguished name) of the user entry found
- as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
+ replaced by the value of an attribute of the user entry found
+ as a result of the user search. Which attribute's value is used
+ to replace the placeholder(s) depends on the value of UserAttributeForFilter.
 For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified,
@@ -134,6 +135,20 @@ spec:
 carefully read all release notes before upgrading to ensure that the meaning of this field has not changed."
 type: boolean
+ userAttributeForFilter:
+ description: UserAttributeForFilter specifies which attribute's
+ value from the user entry found as a result of the user search
+ will be used to replace the "{}" placeholder(s) in the group
+ search Filter. For example, specifying "uid" as the UserAttributeForFilter
+ while specifying "&(objectClass=posixGroup)(memberUid={})" as
+ the Filter would search for groups by replacing the "{}" placeholder
+ in the Filter with the value of the user's "uid" attribute.
+ Optional. When not specified, the default will act as if "dn"
+ were specified. For example, leaving UserAttributeForFilter
+ unspecified while specifying "&(objectClass=groupOfNames)(member={})"
+ as the Filter would search for groups by replacing the "{}"
+ placeholder(s) with the dn (distinguished name) of the user.
+ type: string
 type: object
 host:
 description: 'Host is the hostname of this LDAP identity provider,
diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc
index d1961bda5..3f1604633 100644
--- a/generated/1.23/README.adoc
+++ b/generated/1.23/README.adoc
@@ -1252,8 +1252,9 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter and Attributes are ignored.
-| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}".
+| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored.
+| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}".
+| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearchattributes[$$LDAPIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each LDAP entry which was found as the result of the group search.
 | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor.
The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.
diff --git a/generated/1.23/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go b/generated/1.23/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go
index 09cb843d4..5c76d6af4 100644
--- a/generated/1.23/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go
+++ b/generated/1.23/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
@@ -101,20 +101,31 @@ type LDAPIdentityProviderGroupSearch struct {
 // Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
 // "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and
 // authenticated users will not belong to any groups from the LDAP provider. Also, when not specified,
- // the values of Filter and Attributes are ignored.
+ // the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored.
 // +optional
 Base string `json:"base,omitempty"`
 // Filter is the LDAP search filter which should be applied when searching for groups for a user.
 // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
- // dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
- // "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see
- // https://ldap.com/ldap-filters.
+ // value of an attribute of the user entry found as a result of the user search. Which attribute's
+ // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
+ // For more information about LDAP filters, see https://ldap.com/ldap-filters.
 // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
 // Optional. When not specified, the default will act as if the Filter were specified as "member={}".
 // +optional
 Filter string `json:"filter,omitempty"`
+ // UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
+ // the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
+ // For example, specifying "uid" as the UserAttributeForFilter while specifying
+ // "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
+ // the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
+ // Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
+ // UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
+ // would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
+ // +optional
+ UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
+
 // Attributes specifies how the group's information should be read from each LDAP entry which was found as
 // the result of the group search.
 // +optional
diff --git a/generated/1.23/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.23/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
index 211a70a1a..5799cb5c1 100644
--- a/generated/1.23/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
+++ b/generated/1.23/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
@@ -96,15 +96,16 @@ spec:
 used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider.
- Also, when not specified, the values of Filter and Attributes
- are ignored.
+ Also, when not specified, the values of Filter, UserAttributeForFilter,
+ Attributes, and SkipGroupRefresh are ignored.
 type: string
 filter:
 description: Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically
- replaced by the dn (distinguished name) of the user entry found
- as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
+ replaced by the value of an attribute of the user entry found
+ as a result of the user search. Which attribute's value is used
+ to replace the placeholder(s) depends on the value of UserAttributeForFilter.
 For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified,
@@ -134,6 +135,20 @@ spec:
 carefully read all release notes before upgrading to ensure that the meaning of this field has not changed."
 type: boolean
+ userAttributeForFilter:
+ description: UserAttributeForFilter specifies which attribute's
+ value from the user entry found as a result of the user search
+ will be used to replace the "{}" placeholder(s) in the group
+ search Filter. For example, specifying "uid" as the UserAttributeForFilter
+ while specifying "&(objectClass=posixGroup)(memberUid={})" as
+ the Filter would search for groups by replacing the "{}" placeholder
+ in the Filter with the value of the user's "uid" attribute.
+ Optional. When not specified, the default will act as if "dn"
+ were specified. For example, leaving UserAttributeForFilter
+ unspecified while specifying "&(objectClass=groupOfNames)(member={})"
+ as the Filter would search for groups by replacing the "{}"
+ placeholder(s) with the dn (distinguished name) of the user.
+ type: string
 type: object
 host:
 description: 'Host is the hostname of this LDAP identity provider,
diff --git a/generated/1.24/README.adoc b/generated/1.24/README.adoc
index 84a9c29e7..b4bb2b68b 100644
--- a/generated/1.24/README.adoc
+++ b/generated/1.24/README.adoc
@@ -1252,8 +1252,9 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter and Attributes are ignored.
-| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}".
+| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored.
+| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}".
+| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearchattributes[$$LDAPIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each LDAP entry which was found as the result of the group search.
 | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor.
The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.
diff --git a/generated/1.24/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go b/generated/1.24/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go
index 09cb843d4..5c76d6af4 100644
--- a/generated/1.24/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go
+++ b/generated/1.24/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
@@ -101,20 +101,31 @@ type LDAPIdentityProviderGroupSearch struct {
 // Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
 // "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and
 // authenticated users will not belong to any groups from the LDAP provider. Also, when not specified,
- // the values of Filter and Attributes are ignored.
+ // the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored.
 // +optional
 Base string `json:"base,omitempty"`
 // Filter is the LDAP search filter which should be applied when searching for groups for a user.
 // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
- // dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
- // "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see
- // https://ldap.com/ldap-filters.
+ // value of an attribute of the user entry found as a result of the user search. Which attribute's
+ // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
+ // For more information about LDAP filters, see https://ldap.com/ldap-filters.
 // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
 // Optional. When not specified, the default will act as if the Filter were specified as "member={}".
 // +optional
 Filter string `json:"filter,omitempty"`
+ // UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
+ // the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
+ // For example, specifying "uid" as the UserAttributeForFilter while specifying
+ // "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
+ // the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
+ // Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
+ // UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
+ // would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
+ // +optional
+ UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
+
 // Attributes specifies how the group's information should be read from each LDAP entry which was found as
 // the result of the group search.
 // +optional
diff --git a/generated/1.24/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.24/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
index 211a70a1a..5799cb5c1 100644
--- a/generated/1.24/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
+++ b/generated/1.24/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
@@ -96,15 +96,16 @@ spec:
 used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider.
- Also, when not specified, the values of Filter and Attributes
- are ignored.
+ Also, when not specified, the values of Filter, UserAttributeForFilter,
+ Attributes, and SkipGroupRefresh are ignored.
 type: string
 filter:
 description: Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically
- replaced by the dn (distinguished name) of the user entry found
- as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
+ replaced by the value of an attribute of the user entry found
+ as a result of the user search. Which attribute's value is used
+ to replace the placeholder(s) depends on the value of UserAttributeForFilter.
 For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified,
@@ -134,6 +135,20 @@ spec:
 carefully read all release notes before upgrading to ensure that the meaning of this field has not changed."
 type: boolean
+ userAttributeForFilter:
+ description: UserAttributeForFilter specifies which attribute's
+ value from the user entry found as a result of the user search
+ will be used to replace the "{}" placeholder(s) in the group
+ search Filter. For example, specifying "uid" as the UserAttributeForFilter
+ while specifying "&(objectClass=posixGroup)(memberUid={})" as
+ the Filter would search for groups by replacing the "{}" placeholder
+ in the Filter with the value of the user's "uid" attribute.
+ Optional. When not specified, the default will act as if "dn"
+ were specified. For example, leaving UserAttributeForFilter
+ unspecified while specifying "&(objectClass=groupOfNames)(member={})"
+ as the Filter would search for groups by replacing the "{}"
+ placeholder(s) with the dn (distinguished name) of the user.
+ type: string
 type: object
 host:
 description: 'Host is the hostname of this LDAP identity provider,
diff --git a/generated/1.25/README.adoc b/generated/1.25/README.adoc
index 18d18f0fc..1e81b7ca0 100644
--- a/generated/1.25/README.adoc
+++ b/generated/1.25/README.adoc
@@ -1248,8 +1248,9 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter and Attributes are ignored.
-| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}".
+| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored.
+| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}".
+| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearchattributes[$$LDAPIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each LDAP entry which was found as the result of the group search.
 | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor.
The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.
diff --git a/generated/1.25/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go b/generated/1.25/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go
index 09cb843d4..5c76d6af4 100644
--- a/generated/1.25/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go
+++ b/generated/1.25/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
@@ -101,20 +101,31 @@ type LDAPIdentityProviderGroupSearch struct { // Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. // "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and // authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, - // the values of Filter and Attributes are ignored. + // the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. // +optional Base string `json:"base,omitempty"` // Filter is the LDAP search filter which should be applied when searching for groups for a user. // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the - // dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or - // "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see - // https://ldap.com/ldap-filters. + // value of an attribute of the user entry found as a result of the user search. Which attribute's + // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + // For more information about LDAP filters, see https://ldap.com/ldap-filters. // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. // Optional. When not specified, the default will act as if the Filter were specified as "member={}". // +optional Filter string `json:"filter,omitempty"` + // UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + // the user search will be used to replace the "{}" placeholder(s) in the group search Filter. 
+ // For example, specifying "uid" as the UserAttributeForFilter while specifying + // "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + // the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + // Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + // UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + // would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. + // +optional + UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"` + // Attributes specifies how the group's information should be read from each LDAP entry which was found as // the result of the group search. // +optional diff --git a/generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 211a70a1a..5799cb5c1 100644 --- a/generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml 
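Review bot: The new UserAttributeForFilter comment does not say how the chosen attribute's value is inserted into the Filter — whether it is treated as a literal assertion value (escaped per the LDAP filter grammar, so characters such as `*`, `(`, `)` and `\` in a `uid` value cannot alter the shape of the search) or spliced in verbatim — and an operator picking an attribute needs that to judge which attributes are appropriate. If the implementation escapes the value, add a sentence such as `// The substituted value is escaped as a literal LDAP filter value, so it cannot change the structure of the Filter.`; if it does not, the comment should instead state what attribute values are acceptable. It would also help to say that `"dn"` is a special-cased value for this field rather than a real entry attribute, since the Filter comment just above still notes that the dn is not an attribute of an entry. The LDAPIdentityProviderGroupSearch struct continues past the end of this hunk, and the identical hunk recurs in the generated/1.26, generated/1.27 and generated/latest copies of types_ldapidentityprovider.go, which appear to be generated copies, so the wording change belongs in their source.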
@@ -96,15 +96,16 @@ spec: used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter and Attributes - are ignored. + Also, when not specified, the values of Filter, UserAttributeForFilter, + Attributes, and SkipGroupRefresh are ignored. type: string filter: description: Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically - replaced by the dn (distinguished name) of the user entry found - as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + replaced by the value of an attribute of the user entry found + as a result of the user search. Which attribute's value is used + to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, 
@@ -134,6 +135,20 @@ spec: carefully read all release notes before upgrading to ensure that the meaning of this field has not changed." type: boolean + userAttributeForFilter: + description: UserAttributeForFilter specifies which attribute's + value from the user entry found as a result of the user search + will be used to replace the "{}" placeholder(s) in the group + search Filter. For example, specifying "uid" as the UserAttributeForFilter + while specifying "&(objectClass=posixGroup)(memberUid={})" as + the Filter would search for groups by replacing the "{}" placeholder + in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" + were specified. For example, leaving UserAttributeForFilter + unspecified while specifying "&(objectClass=groupOfNames)(member={})" + as the Filter would search for groups by replacing the "{}" + placeholder(s) with the dn (distinguished name) of the user. + type: string type: object host: description: 'Host is the hostname of this LDAP identity provider, diff --git a/generated/1.26/README.adoc b/generated/1.26/README.adoc index 52e6d6376..a89085ac2 100644 --- a/generated/1.26/README.adoc +++ b/generated/1.26/README.adoc 
@@ -1248,8 +1248,9 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire [cols="25a,75a", options="header"] |=== | Field | Description -| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter and Attributes are ignored. -| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}". +| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. +| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. 
For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}". +| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearchattributes[$$LDAPIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each LDAP entry which was found as the result of the group search. | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. 
The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.
diff --git a/generated/1.26/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go b/generated/1.26/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go
index 09cb843d4..5c76d6af4 100644
--- a/generated/1.26/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go
+++ b/generated/1.26/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -101,20 +101,31 @@ type LDAPIdentityProviderGroupSearch struct {
 // Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
 // "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and
 // authenticated users will not belong to any groups from the LDAP provider. Also, when not specified,
- // the values of Filter and Attributes are ignored.
+ // the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored.
 // +optional
 Base string `json:"base,omitempty"`
 
 // Filter is the LDAP search filter which should be applied when searching for groups for a user.
 // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
- // dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
- // "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see
- // https://ldap.com/ldap-filters.
+ // value of an attribute of the user entry found as a result of the user search. Which attribute's
+ // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
+ // For more information about LDAP filters, see https://ldap.com/ldap-filters.
 // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
 // Optional. When not specified, the default will act as if the Filter were specified as "member={}".
 // +optional
 Filter string `json:"filter,omitempty"`
 
+ // UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
+ // the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
+ // For example, specifying "uid" as the UserAttributeForFilter while specifying
+ // "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
+ // the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
+ // Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
+ // UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
+ // would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
+ // +optional
+ UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
+
 // Attributes specifies how the group's information should be read from each LDAP entry which was found as
 // the result of the group search.
 // +optional
diff --git a/generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
index 211a70a1a..5799cb5c1 100644
--- a/generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
+++ b/generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
@@ -96,15 +96,16 @@ spec: used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter and Attributes - are ignored. + Also, when not specified, the values of Filter, UserAttributeForFilter, + Attributes, and SkipGroupRefresh are ignored. type: string filter: description: Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically - replaced by the dn (distinguished name) of the user entry found - as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + replaced by the value of an attribute of the user entry found + as a result of the user search. Which attribute's value is used + to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, 
@@ -134,6 +135,20 @@ spec: carefully read all release notes before upgrading to ensure that the meaning of this field has not changed." type: boolean + userAttributeForFilter: + description: UserAttributeForFilter specifies which attribute's + value from the user entry found as a result of the user search + will be used to replace the "{}" placeholder(s) in the group + search Filter. For example, specifying "uid" as the UserAttributeForFilter + while specifying "&(objectClass=posixGroup)(memberUid={})" as + the Filter would search for groups by replacing the "{}" placeholder + in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" + were specified. For example, leaving UserAttributeForFilter + unspecified while specifying "&(objectClass=groupOfNames)(member={})" + as the Filter would search for groups by replacing the "{}" + placeholder(s) with the dn (distinguished name) of the user. + type: string type: object host: description: 'Host is the hostname of this LDAP identity provider, diff --git a/generated/1.27/README.adoc b/generated/1.27/README.adoc index 84e479fd7..487570a7b 100644 --- a/generated/1.27/README.adoc +++ b/generated/1.27/README.adoc 
@@ -1248,8 +1248,9 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire [cols="25a,75a", options="header"] |=== | Field | Description -| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter and Attributes are ignored. -| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}". +| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. +| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. 
For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}". +| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearchattributes[$$LDAPIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each LDAP entry which was found as the result of the group search. | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. 
The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.
diff --git a/generated/1.27/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go b/generated/1.27/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go
index 09cb843d4..5c76d6af4 100644
--- a/generated/1.27/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go
+++ b/generated/1.27/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -101,20 +101,31 @@ type LDAPIdentityProviderGroupSearch struct {
 // Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
 // "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and
 // authenticated users will not belong to any groups from the LDAP provider. Also, when not specified,
- // the values of Filter and Attributes are ignored.
+ // the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored.
 // +optional
 Base string `json:"base,omitempty"`
 
 // Filter is the LDAP search filter which should be applied when searching for groups for a user.
 // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
- // dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
- // "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see
- // https://ldap.com/ldap-filters.
+ // value of an attribute of the user entry found as a result of the user search. Which attribute's
+ // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
+ // For more information about LDAP filters, see https://ldap.com/ldap-filters.
 // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
 // Optional. When not specified, the default will act as if the Filter were specified as "member={}".
 // +optional
 Filter string `json:"filter,omitempty"`
 
+ // UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
+ // the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
+ // For example, specifying "uid" as the UserAttributeForFilter while specifying
+ // "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
+ // the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
+ // Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
+ // UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
+ // would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
+ // +optional
+ UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
+
 // Attributes specifies how the group's information should be read from each LDAP entry which was found as
 // the result of the group search.
 // +optional
diff --git a/generated/1.27/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.27/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
index 211a70a1a..5799cb5c1 100644
--- a/generated/1.27/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
+++ b/generated/1.27/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
@@ -96,15 +96,16 @@ spec: used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter and Attributes - are ignored. + Also, when not specified, the values of Filter, UserAttributeForFilter, + Attributes, and SkipGroupRefresh are ignored. type: string filter: description: Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically - replaced by the dn (distinguished name) of the user entry found - as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + replaced by the value of an attribute of the user entry found + as a result of the user search. Which attribute's value is used + to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, 
@@ -134,6 +135,20 @@ spec: carefully read all release notes before upgrading to ensure that the meaning of this field has not changed." type: boolean + userAttributeForFilter: + description: UserAttributeForFilter specifies which attribute's + value from the user entry found as a result of the user search + will be used to replace the "{}" placeholder(s) in the group + search Filter. For example, specifying "uid" as the UserAttributeForFilter + while specifying "&(objectClass=posixGroup)(memberUid={})" as + the Filter would search for groups by replacing the "{}" placeholder + in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" + were specified. For example, leaving UserAttributeForFilter + unspecified while specifying "&(objectClass=groupOfNames)(member={})" + as the Filter would search for groups by replacing the "{}" + placeholder(s) with the dn (distinguished name) of the user. + type: string type: object host: description: 'Host is the hostname of this LDAP identity provider,
diff --git a/generated/latest/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go b/generated/latest/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go
index 09cb843d4..5c76d6af4 100644
--- a/generated/latest/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go
+++ b/generated/latest/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -101,20 +101,31 @@ type LDAPIdentityProviderGroupSearch struct {
 // Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
 // "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and
 // authenticated users will not belong to any groups from the LDAP provider. Also, when not specified,
- // the values of Filter and Attributes are ignored.
+ // the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored.
 // +optional
 Base string `json:"base,omitempty"`
 
 // Filter is the LDAP search filter which should be applied when searching for groups for a user.
 // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
- // dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
- // "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see
- // https://ldap.com/ldap-filters.
+ // value of an attribute of the user entry found as a result of the user search. Which attribute's
+ // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
+ // For more information about LDAP filters, see https://ldap.com/ldap-filters.
 // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
 // Optional. When not specified, the default will act as if the Filter were specified as "member={}".
 // +optional
 Filter string `json:"filter,omitempty"`
 
+ // UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
+ // the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
+ // For example, specifying "uid" as the UserAttributeForFilter while specifying
+ // "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
+ // the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
+ // Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
+ // UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
+ // would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
+ // +optional
+ UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
+
 // Attributes specifies how the group's information should be read from each LDAP entry which was found as
 // the result of the group search.
 // +optional