From 932e1d57139831db93038d2e63e2f250ef2d8729 Mon Sep 17 00:00:00 2001 From: Thomas Kriechbaumer Date: Sun, 5 May 2019 17:40:40 +0200 Subject: [PATCH] docs: fix rgw ldap username token Signed-off-by: Thomas Kriechbaumer (cherry picked from commit 009f404983558ac084aa6772954ac918db19d890) --- doc/radosgw/ldap-auth.rst | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/doc/radosgw/ldap-auth.rst b/doc/radosgw/ldap-auth.rst index be854c1e51976..9ba989474a738 100644 --- a/doc/radosgw/ldap-auth.rst +++ b/doc/radosgw/ldap-auth.rst @@ -64,7 +64,8 @@ authentication: more specific Organizational Unit (OU). - ``rgw_ldap_dnattr``: The attribute being used in the constructed search filter to match a username. Depending on your Directory Information Tree - (DIT) this would probably be ``uid`` or ``cn``. + (DIT) this would probably be ``uid`` or ``cn``. The generated filter string + will be, e.g., ``cn=some_username``. - ``rgw_ldap_searchfilter``: If not specified, the Ceph Object Gateway automatically constructs the search filter with the ``rgw_ldap_dnattr`` setting. Use this parameter to narrow the list of allowed users in very @@ -102,14 +103,14 @@ password. Specifying a complete filter ---------------------------- -A complete filter must contain a ``USERNAME`` token which will be substituted +A complete filter must contain a ``@USERNAME@`` token which will be substituted with the user name during the authentication attempt. The ``rgw_ldap_dnattr`` parameter is not used anymore in this case. For example, to limit valid users to a specific group, use the following filter: :: - "(&(uid=USERNAME)(memberOf=cn=ceph-users,ou=groups,dc=mycompany,dc=com))" + "(&(uid=@USERNAME@)(memberOf=cn=ceph-users,ou=groups,dc=mycompany,dc=com))" .. note:: Using the ``memberOf`` attribute in LDAP searches requires server side support from you specific LDAP server implementation. -- 2.47.3
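Review bot: In the ``rgw_ldap_dnattr`` item (first hunk, at line 64 of doc/radosgw/ldap-auth.rst), the new example ``cn=some_username`` is written without enclosing parentheses, while the complete-filter example later in the same file writes the equivalent term as ``(uid=@USERNAME@)``. Suggest showing the generated filter in the same parenthesized form if that is what is sent to the directory server, or stating that this is only the attribute assertion, so that readers who also set ``rgw_ldap_searchfilter`` know what the final filter string looks like.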
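Review bot: In the "Specifying a complete filter" section (second hunk, at line 102), the text now requires a ``@USERNAME@`` token but does not say what happens when a configured filter lacks it, which matters for anyone who copied the bare ``USERNAME`` form from the previous wording. Suggest adding a sentence that states the behaviour for a filter without the token, and whether the substituted user name is escaped before it is placed into the filter. The unchanged note at the end of this hunk also reads "from you specific LDAP server"; "your" could be corrected in the same change.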