diff --git a/pipelines/main/pipeline.yml b/pipelines/main/pipeline.yml
index 57aa93fc9..4f69214e7 100644
--- a/pipelines/main/pipeline.yml
+++ b/pipelines/main/pipeline.yml
@@ -205,6 +205,7 @@ meta:
 JUMPCLOUD_LDAP_BIND_ACCOUNT_PASSWORD: ((jumpcloud-ldap-bind-account-password))
 JUMPCLOUD_LDAP_USERS_SEARCH_BASE: ((jumpcloud-ldap-users-search-base))
 JUMPCLOUD_LDAP_GROUPS_SEARCH_BASE: ((jumpcloud-ldap-groups-search-base))
+ JUMPCLOUD_LDAP_GROUPS_SEARCH_FILTER: ((jumpcloud-ldap-groups-search-filter))
 JUMPCLOUD_LDAP_USER_DN: ((jumpcloud-ldap-user-dn))
 JUMPCLOUD_LDAP_USER_CN: ((jumpcloud-ldap-user-cn))
 JUMPCLOUD_LDAP_USER_PASSWORD: ((jumpcloud-ldap-user-password))
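Review bot: This hunk extends what is presumably the `jumpcloud_integration_env_vars` anchor with `JUMPCLOUD_LDAP_GROUPS_SEARCH_FILTER`, while later hunks in the same file delete the last (already commented-out) `<<: *jumpcloud_integration_env_vars` references, so nothing visible consumes the anchor any more. If Jumpcloud is retired, removing the anchor and its `((jumpcloud-ldap-*))` entries keeps an unused bind-account password from lingering in the credential store. If it is kept for manual runs, a one-line comment above the anchor saying so would explain why it survives. The same applies to the matching hunk in `pipelines/pull-requests/pipeline.yml`; the anchor's mapping starts outside the hunk.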
@@ -216,6 +217,25 @@ meta:
 JUMPCLOUD_LDAP_EXPECTED_DIRECT_GROUPS_CN: ((jumpcloud-ldap-expected-direct-groups-cn))
 JUMPCLOUD_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN: ((jumpcloud-ldap-expected-direct-posix-groups-cn))
+ okta_ldap_integration_env_vars: &okta_ldap_integration_env_vars
+ OKTA_LDAP_HOST: ((okta-ldap-host))
+ OKTA_LDAP_STARTTLS_ONLY_HOST: ((okta-ldap-start-tls-only-host))
+ OKTA_LDAP_BIND_ACCOUNT_USERNAME: ((okta-ldap-bind-account-username))
+ OKTA_LDAP_BIND_ACCOUNT_PASSWORD: ((okta-ldap-bind-account-password))
+ OKTA_LDAP_USERS_SEARCH_BASE: ((okta-ldap-users-search-base))
+ OKTA_LDAP_GROUPS_SEARCH_BASE: ((okta-ldap-groups-search-base))
+ OKTA_LDAP_GROUPS_SEARCH_FILTER: ((okta-ldap-groups-search-filter))
+ OKTA_LDAP_USER_DN: ((okta-ldap-user-dn))
+ OKTA_LDAP_USER_CN: ((okta-ldap-user-cn))
+ OKTA_LDAP_USER_PASSWORD: ((okta-ldap-user-password))
+ OKTA_LDAP_USER_UNIQUE_ID_ATTRIBUTE_NAME: ((okta-ldap-user-unique-id-attribute-name))
+ OKTA_LDAP_USER_UNIQUE_ID_ATTRIBUTE_VALUE: ((okta-ldap-user-unique-id-attribute-value))
+ OKTA_LDAP_USER_EMAIL_ATTRIBUTE_NAME: ((okta-ldap-user-email-attribute-name))
+ OKTA_LDAP_USER_EMAIL_ATTRIBUTE_VALUE: ((okta-ldap-user-email-attribute-value))
+ OKTA_LDAP_EXPECTED_DIRECT_GROUPS_DN: ((okta-ldap-expected-direct-groups-dn))
+ OKTA_LDAP_EXPECTED_DIRECT_GROUPS_CN: ((okta-ldap-expected-direct-groups-cn))
+ OKTA_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN: ((okta-ldap-expected-direct-posix-groups-cn))
+
 active_directory_integration_env_vars: &active_directory_integration_env_vars
 TEST_ACTIVE_DIRECTORY: "yes"
 AWS_AD_HOST: ((aws-ad-host))
@@ -1824,11 +1844,10 @@ jobs:
 # We don't need to run these on every version of Kubernetes for Kind in this pipeline, so we choose to run
 # them on one version to get some coverage.
 <<: *okta_integration_env_vars
- # The following Jumpcloud params will cause the integration tests to use Jumpcloud instead of OpenLDAP.
+ # The following Okta LDAP params will cause the integration tests to use Okta LDAP instead of OpenLDAP.
 # We don't need to run these on every version of Kubernetes for Kind in this pipeline, so we choose to run
 # them on one version to get some coverage.
- # TODO: replace this with some other LDAP and open firewall for outgoing LDAP and LDAPs
- # <<: *jumpcloud_integration_env_vars
+ <<: *okta_ldap_integration_env_vars
 # The following AD params enable the ActiveDirectory integration tests. We don't need to run these on every
 # version of Kubernetes for Kind in this pipeline, so we choose to run them on one version to get some coverage.
 # TODO: bring this back with a new AD server
@@ -2514,8 +2533,7 @@ jobs:
 INGRESS_DNS_NAME: gke-acceptance-supervisor-ingress.test.pinniped.broadcom.net
 <<: *okta_integration_env_vars
 OKTA_SUPERVISOR_CALLBACK: ((okta-supervisor-callback))
- # TODO: replace this with some other LDAP and open firewall for outgoing LDAP and LDAPs
- # <<: *jumpcloud_integration_env_vars
+ <<: *okta_ldap_integration_env_vars
 # TODO: bring this back with a new AD server
 # <<: *active_directory_integration_env_vars
 <<: *github_integration_env_vars
diff --git a/pipelines/pull-requests/pipeline.yml b/pipelines/pull-requests/pipeline.yml
index e33eb5196..c4954c972 100644
--- a/pipelines/pull-requests/pipeline.yml
+++ b/pipelines/pull-requests/pipeline.yml
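Review bot: In both `pipelines/main/pipeline.yml` job hunks the added `<<: *okta_ldap_integration_env_vars` appears to join a params mapping that already has `<<: *okta_integration_env_vars` (and `<<: *github_integration_env_vars` in the second hunk), so one mapping carries several `<<` keys. How repeated keys in one mapping are handled depends on the loader; one that keeps only the last would drop the earlier credential sets without an error. If the pipeline loader accepts the sequence form, `<<: [*okta_integration_env_vars, *okta_ldap_integration_env_vars, *github_integration_env_vars]` states the intent in a single key. Indentation is lost in this view and the mappings start outside the hunks, so confirm these keys really are siblings.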
@@ -137,6 +137,7 @@ meta:
 JUMPCLOUD_LDAP_BIND_ACCOUNT_PASSWORD: ((jumpcloud-ldap-bind-account-password))
 JUMPCLOUD_LDAP_USERS_SEARCH_BASE: ((jumpcloud-ldap-users-search-base))
 JUMPCLOUD_LDAP_GROUPS_SEARCH_BASE: ((jumpcloud-ldap-groups-search-base))
+ JUMPCLOUD_LDAP_GROUPS_SEARCH_FILTER: ((jumpcloud-ldap-groups-search-filter))
 JUMPCLOUD_LDAP_USER_DN: ((jumpcloud-ldap-user-dn))
 JUMPCLOUD_LDAP_USER_CN: ((jumpcloud-ldap-user-cn))
 JUMPCLOUD_LDAP_USER_PASSWORD: ((jumpcloud-ldap-user-password))
@@ -148,6 +149,25 @@ meta:
 JUMPCLOUD_LDAP_EXPECTED_DIRECT_GROUPS_CN: ((jumpcloud-ldap-expected-direct-groups-cn))
 JUMPCLOUD_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN: ((jumpcloud-ldap-expected-direct-posix-groups-cn))
+ okta_ldap_integration_env_vars: &okta_ldap_integration_env_vars
+ OKTA_LDAP_HOST: ((okta-ldap-host))
+ OKTA_LDAP_STARTTLS_ONLY_HOST: ((okta-ldap-start-tls-only-host))
+ OKTA_LDAP_BIND_ACCOUNT_USERNAME: ((okta-ldap-bind-account-username))
+ OKTA_LDAP_BIND_ACCOUNT_PASSWORD: ((okta-ldap-bind-account-password))
+ OKTA_LDAP_USERS_SEARCH_BASE: ((okta-ldap-users-search-base))
+ OKTA_LDAP_GROUPS_SEARCH_BASE: ((okta-ldap-groups-search-base))
+ OKTA_LDAP_GROUPS_SEARCH_FILTER: ((okta-ldap-groups-search-filter))
+ OKTA_LDAP_USER_DN: ((okta-ldap-user-dn))
+ OKTA_LDAP_USER_CN: ((okta-ldap-user-cn))
+ OKTA_LDAP_USER_PASSWORD: ((okta-ldap-user-password))
+ OKTA_LDAP_USER_UNIQUE_ID_ATTRIBUTE_NAME: ((okta-ldap-user-unique-id-attribute-name))
+ OKTA_LDAP_USER_UNIQUE_ID_ATTRIBUTE_VALUE: ((okta-ldap-user-unique-id-attribute-value))
+ OKTA_LDAP_USER_EMAIL_ATTRIBUTE_NAME: ((okta-ldap-user-email-attribute-name))
+ OKTA_LDAP_USER_EMAIL_ATTRIBUTE_VALUE: ((okta-ldap-user-email-attribute-value))
+ OKTA_LDAP_EXPECTED_DIRECT_GROUPS_DN: ((okta-ldap-expected-direct-groups-dn))
+ OKTA_LDAP_EXPECTED_DIRECT_GROUPS_CN: ((okta-ldap-expected-direct-groups-cn))
+ OKTA_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN: ((okta-ldap-expected-direct-posix-groups-cn))
+
 active_directory_integration_env_vars: &active_directory_integration_env_vars
 TEST_ACTIVE_DIRECTORY: "yes"
 AWS_AD_HOST: ((aws-ad-host))
@@ -1216,11 +1236,10 @@ jobs:
 # We don't need to run these on every version of Kubernetes for Kind in this pipeline, so we choose to run
 # them on one version to get some coverage.
 <<: *okta_integration_env_vars
- # The following Jumpcloud params will cause the integration tests to use Jumpcloud instead of OpenLDAP.
+ # The following Okta LDAP params will cause the integration tests to use Okta LDAP instead of OpenLDAP.
 # We don't need to run these on every version of Kubernetes for Kind in this pipeline, so we choose to run
 # them on one version to get some coverage.
- # TODO: replace this with some other LDAP and open firewall for outgoing LDAP and LDAPs
- # <<: *jumpcloud_integration_env_vars
+ <<: *okta_ldap_integration_env_vars
 # The following AD params enable the ActiveDirectory integration tests. We don't need to run these on every
 # version of Kubernetes for Kind in this pipeline, so we choose to run them on one version to get some coverage.
 # TODO: bring this back with a new AD server
diff --git a/pipelines/shared-helpers/prepare-cluster-for-integration-tests.sh b/pipelines/shared-helpers/prepare-cluster-for-integration-tests.sh
index 7f5cf4220..221e05f25 100755
--- a/pipelines/shared-helpers/prepare-cluster-for-integration-tests.sh
+++ b/pipelines/shared-helpers/prepare-cluster-for-integration-tests.sh
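Review bot: Merging `<<: *okta_ldap_integration_env_vars` into this job in `pipelines/pull-requests/pipeline.yml` hands `OKTA_LDAP_BIND_ACCOUNT_PASSWORD` and `OKTA_LDAP_USER_PASSWORD` to a job that presumably builds and runs the code of the pull request under test. Whether pull requests from forks are gated before this job runs is not visible here; if they are not, these values have to be treated as readable by any PR author. It is worth confirming that the bind account is read-only and that both accounts live in a directory used only for testing. Once confirmed, record that in the comment above the merge key so the next reviewer does not have to re-derive it. The params mapping starts outside the hunk.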
@@ -42,7 +42,7 @@ set -euo pipefail
 # - $DEPLOY_LOCAL_USER_AUTHENTICATOR, when set to "yes", will deploy and use the
 # local-user-authenticator instead of using the TMC webhook authenticator.
 # - $DEPLOY_TEST_TOOLS will deploy the squid proxy, Dex, and OpenLDAP into the cluster.
-# If the OKTA_* and JUMPCLOUD_* variables are not present, then Dex and OpenLDAP
+# If the OKTA_* and JUMPCLOUD_*/OKTA_LDAP* variables are not present, then Dex and OpenLDAP
 # will be configured for the integration tests.
 # - To use Okta instead of Dex, use the variables $OKTA_ISSUER, $OKTA_CLI_CLIENT_ID,
 # $OKTA_CLI_CALLBACK, $OKTA_ADDITIONAL_SCOPES, $OKTA_USERNAME_CLAIM, $OKTA_GROUPS_CLAIM,
@@ -51,19 +51,28 @@ set -euo pipefail
 # - To use Jumpcloud instead of OpenLDAP, use the variables $JUMPCLOUD_LDAP_HOST,
 # $JUMPCLOUD_LDAP_STARTTLS_ONLY_HOST,
 # $JUMPCLOUD_LDAP_BIND_ACCOUNT_USERNAME, $JUMPCLOUD_LDAP_BIND_ACCOUNT_PASSWORD,
-# $JUMPCLOUD_LDAP_USERS_SEARCH_BASE, $JUMPCLOUD_LDAP_GROUPS_SEARCH_BASE,
+# $JUMPCLOUD_LDAP_USERS_SEARCH_BASE, $JUMPCLOUD_LDAP_GROUPS_SEARCH_BASE, $JUMPCLOUD_LDAP_GROUPS_SEARCH_FILTER,
 # $JUMPCLOUD_LDAP_USER_DN, $JUMPCLOUD_LDAP_USER_CN, $JUMPCLOUD_LDAP_USER_PASSWORD,
 # $JUMPCLOUD_LDAP_USER_UNIQUE_ID_ATTRIBUTE_NAME, $JUMPCLOUD_LDAP_USER_UNIQUE_ID_ATTRIBUTE_VALUE,
 # $JUMPCLOUD_LDAP_USER_EMAIL_ATTRIBUTE_NAME, $JUMPCLOUD_LDAP_USER_EMAIL_ATTRIBUTE_VALUE,
 # $JUMPCLOUD_LDAP_EXPECTED_DIRECT_GROUPS_DN, $JUMPCLOUD_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN,
 # and $JUMPCLOUD_LDAP_EXPECTED_DIRECT_GROUPS_CN to configure the LDAP tests.
+# - To use Okta LDAP instead of OpenLDAP, use the variables $OKTA_LDAP_HOST,
+# $OKTA_LDAP_STARTTLS_ONLY_HOST,
+# $OKTA_LDAP_BIND_ACCOUNT_USERNAME, $OKTA_LDAP_BIND_ACCOUNT_PASSWORD,
+# $OKTA_LDAP_USERS_SEARCH_BASE, $OKTA_LDAP_GROUPS_SEARCH_BASE, $OKTA_LDAP_GROUPS_SEARCH_FILTER,
+# $OKTA_LDAP_USER_DN, $OKTA_LDAP_USER_CN, $OKTA_LDAP_USER_PASSWORD,
+# $OKTA_LDAP_USER_UNIQUE_ID_ATTRIBUTE_NAME, $OKTA_LDAP_USER_UNIQUE_ID_ATTRIBUTE_VALUE,
+# $OKTA_LDAP_USER_EMAIL_ATTRIBUTE_NAME, $OKTA_LDAP_USER_EMAIL_ATTRIBUTE_VALUE,
+# $OKTA_LDAP_EXPECTED_DIRECT_GROUPS_DN, $OKTA_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN,
+# and $OKTA_LDAP_EXPECTED_DIRECT_GROUPS_CN to configure the LDAP tests.
 # - $FIREWALL_IDPS, when set to "yes" will add NetworkPolicies to effectively firewall the Concierge
 # and Supervisor pods such that they need to use the Squid proxy server to reach several of the IDPs.
 # Note that NetworkPolicy is not supported on all flavors of Kube, but can be enabled on GKE by using
 # `--enable-network-policy` when creating the GKE cluster, abd is supported in recent versions of Kind.
 # - $TEST_ACTIVE_DIRECTORY determines whether to test against AWS Managed Active
 # Directory. Note that there's no "local" equivalent-- for OIDC we use Dex's internal
-# user store or Okta, for LDAP we deploy OpenLDAP or use Jumpcloud,
+# user store or Okta, for LDAP we deploy OpenLDAP or use Jumpcloud/Okta LDAP,
 # but for AD there is only the hosted version.
 # When set, the tests are configured with the variables
 # $AWS_AD_HOST, $AWS_AD_DOMAIN, $AWS_AD_BIND_ACCOUNT_USERNAME, $AWS_AD_BIND_ACCOUNT_PASSWORD,
@@ -623,6 +632,7 @@ if [[ "${DEPLOY_TEST_TOOLS:-no}" == "yes" ]]; then
 pinniped_test_ldap_bind_account_password=password
 pinniped_test_ldap_users_search_base="ou=users,dc=pinniped,dc=dev"
 pinniped_test_ldap_groups_search_base="ou=groups,dc=pinniped,dc=dev"
+ pinniped_test_ldap_groups_search_filter=""
 pinniped_test_ldap_user_dn="cn=pinny,ou=users,dc=pinniped,dc=dev"
 pinniped_test_ldap_user_cn="pinny"
 pinniped_test_ldap_user_password=${ldap_test_password}
@@ -682,6 +692,7 @@ if [[ "${JUMPCLOUD_LDAP_HOST:-no}" != "no" ]]; then
 pinniped_test_ldap_bind_account_password="$JUMPCLOUD_LDAP_BIND_ACCOUNT_PASSWORD"
 pinniped_test_ldap_users_search_base="$JUMPCLOUD_LDAP_USERS_SEARCH_BASE"
 pinniped_test_ldap_groups_search_base="$JUMPCLOUD_LDAP_GROUPS_SEARCH_BASE"
+ pinniped_test_ldap_groups_search_filter="$JUMPCLOUD_LDAP_GROUPS_SEARCH_FILTER"
 pinniped_test_ldap_user_dn="$JUMPCLOUD_LDAP_USER_DN"
 pinniped_test_ldap_user_cn="$JUMPCLOUD_LDAP_USER_CN"
 pinniped_test_ldap_user_password="$JUMPCLOUD_LDAP_USER_PASSWORD"
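Review bot: In the `JUMPCLOUD_LDAP_HOST` branch, `pinniped_test_ldap_groups_search_filter="$JUMPCLOUD_LDAP_GROUPS_SEARCH_FILTER"` expands a variable that no existing caller had to set, and the script runs under `set -euo pipefail` (shown in the earlier hunk headers of this file). A caller that sets `JUMPCLOUD_LDAP_HOST` without the new variable will therefore abort with an unbound-variable error. The OpenLDAP branch assigns `""`, so an empty filter is evidently acceptable, and a default keeps older callers working: `pinniped_test_ldap_groups_search_filter="${JUMPCLOUD_LDAP_GROUPS_SEARCH_FILTER:-}"`. The same applies to `$OKTA_LDAP_GROUPS_SEARCH_FILTER` in the Okta LDAP block added by the next hunk. Both `if` bodies extend beyond their hunks.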
@@ -696,6 +707,31 @@ if [[ "${JUMPCLOUD_LDAP_HOST:-no}" != "no" ]]; then
 pinniped_test_ldap_expected_indirect_groups_cn=""
 fi
+# Whether or not the tools namespace is deployed, we can configure the integration
+# tests to use Jumpcloud instead of Okta LDAP as the LDAP provider.
+if [[ "${OKTA_LDAP_HOST:-no}" != "no" ]]; then
+ pinniped_test_ldap_host="$OKTA_LDAP_HOST"
+ pinniped_test_ldap_starttls_only_host="$OKTA_LDAP_STARTTLS_ONLY_HOST"
+ pinniped_test_ldap_ldaps_ca_bundle=""
+ pinniped_test_ldap_bind_account_username="$OKTA_LDAP_BIND_ACCOUNT_USERNAME"
+ pinniped_test_ldap_bind_account_password="$OKTA_LDAP_BIND_ACCOUNT_PASSWORD"
+ pinniped_test_ldap_users_search_base="$OKTA_LDAP_USERS_SEARCH_BASE"
+ pinniped_test_ldap_groups_search_base="$OKTA_LDAP_GROUPS_SEARCH_BASE"
+ pinniped_test_ldap_groups_search_filter="$OKTA_LDAP_GROUPS_SEARCH_FILTER"
+ pinniped_test_ldap_user_dn="$OKTA_LDAP_USER_DN"
+ pinniped_test_ldap_user_cn="$OKTA_LDAP_USER_CN"
+ pinniped_test_ldap_user_password="$OKTA_LDAP_USER_PASSWORD"
+ pinniped_test_ldap_user_unique_id_attribute_name="$OKTA_LDAP_USER_UNIQUE_ID_ATTRIBUTE_NAME"
+ pinniped_test_ldap_user_unique_id_attribute_value="$OKTA_LDAP_USER_UNIQUE_ID_ATTRIBUTE_VALUE"
+ pinniped_test_ldap_user_email_attribute_name="$OKTA_LDAP_USER_EMAIL_ATTRIBUTE_NAME"
+ pinniped_test_ldap_user_email_attribute_value="$OKTA_LDAP_USER_EMAIL_ATTRIBUTE_VALUE"
+ pinniped_test_ldap_expected_direct_groups_dn="$OKTA_LDAP_EXPECTED_DIRECT_GROUPS_DN"
+ pinniped_test_ldap_expected_indirect_groups_dn=""
+ pinniped_test_ldap_expected_direct_groups_cn="$OKTA_LDAP_EXPECTED_DIRECT_GROUPS_CN"
+ pinniped_test_ldap_expected_direct_posix_groups_cn="$OKTA_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN"
+ pinniped_test_ldap_expected_indirect_groups_cn=""
+fi
+
 if [[ "${TEST_ACTIVE_DIRECTORY:-no}" == "yes" ]]; then
 # there's no way to test active directory locally... it has to be aws managed ad or nothing.
 # this is a separate toggle from $DEPLOY_TEST_TOOLS so we can run against ad once in the pr pipeline
@@ -1203,6 +1239,7 @@ export PINNIPED_TEST_LDAP_BIND_ACCOUNT_USERNAME='${pinniped_test_ldap_bind_accou
 export PINNIPED_TEST_LDAP_BIND_ACCOUNT_PASSWORD='${pinniped_test_ldap_bind_account_password}'
 export PINNIPED_TEST_LDAP_USERS_SEARCH_BASE='${pinniped_test_ldap_users_search_base}'
 export PINNIPED_TEST_LDAP_GROUPS_SEARCH_BASE='${pinniped_test_ldap_groups_search_base}'
+export PINNIPED_TEST_LDAP_GROUPS_SEARCH_FILTER='${pinniped_test_ldap_groups_search_filter}'
 export PINNIPED_TEST_LDAP_USER_DN='${pinniped_test_ldap_user_dn}'
 export PINNIPED_TEST_LDAP_USER_CN='${pinniped_test_ldap_user_cn}'
 export PINNIPED_TEST_LDAP_USER_PASSWORD='${pinniped_test_ldap_user_password}'
diff --git a/pipelines/shared-tasks/deploy-to-integration-kubectl-apply/task.sh b/pipelines/shared-tasks/deploy-to-integration-kubectl-apply/task.sh
index 8ad8785b9..9376b322c 100755
--- a/pipelines/shared-tasks/deploy-to-integration-kubectl-apply/task.sh
+++ b/pipelines/shared-tasks/deploy-to-integration-kubectl-apply/task.sh
@@ -175,6 +175,7 @@ pinniped_test_ldap_bind_account_username="cn=admin,dc=pinniped,dc=dev"
 pinniped_test_ldap_bind_account_password=password
 pinniped_test_ldap_users_search_base="ou=users,dc=pinniped,dc=dev"
 pinniped_test_ldap_groups_search_base="ou=groups,dc=pinniped,dc=dev"
+pinniped_test_ldap_groups_search_filter=""
 pinniped_test_ldap_user_dn="cn=pinny,ou=users,dc=pinniped,dc=dev"
 pinniped_test_ldap_user_cn="pinny"
 pinniped_test_ldap_user_password=${ldap_test_password}
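Review bot: The comment above the new `OKTA_LDAP_HOST` block says the tests will `use Jumpcloud instead of Okta LDAP`, which is the reverse of what the block does. It should read `# tests to use Okta LDAP instead of OpenLDAP as the LDAP provider.` Because this block runs after the Jumpcloud block and reassigns every `pinniped_test_ldap_*` variable, setting both `JUMPCLOUD_LDAP_HOST` and `OKTA_LDAP_HOST` silently selects Okta LDAP. Either state that precedence in the header comment or reject the combination before the two blocks run, so a misconfigured job does not bind to a different directory than its author intended.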
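Review bot: `export PINNIPED_TEST_LDAP_GROUPS_SEARCH_FILTER='${pinniped_test_ldap_groups_search_filter}'` places a free-form LDAP filter between hand-written single quotes, presumably inside a generated env file that is later sourced (the enclosing heredoc is outside the hunk). Parentheses, `&`, `|` and `*` are inert there, but a `'` in the stored filter would end the quoting and the remainder would be parsed as shell. If the script is guaranteed to run under bash, emitting the value through `printf '%q'` instead of literal quotes removes the dependency on what the credential store holds. The identical line is added in `deploy-to-integration-kubectl-apply/task.sh`.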
@@ -291,6 +292,7 @@ export PINNIPED_TEST_LDAP_BIND_ACCOUNT_USERNAME='${pinniped_test_ldap_bind_accou
 export PINNIPED_TEST_LDAP_BIND_ACCOUNT_PASSWORD='${pinniped_test_ldap_bind_account_password}'
 export PINNIPED_TEST_LDAP_USERS_SEARCH_BASE='${pinniped_test_ldap_users_search_base}'
 export PINNIPED_TEST_LDAP_GROUPS_SEARCH_BASE='${pinniped_test_ldap_groups_search_base}'
+export PINNIPED_TEST_LDAP_GROUPS_SEARCH_FILTER='${pinniped_test_ldap_groups_search_filter}'
 export PINNIPED_TEST_LDAP_USER_DN='${pinniped_test_ldap_user_dn}'
 export PINNIPED_TEST_LDAP_USER_CN='${pinniped_test_ldap_user_cn}'
 export PINNIPED_TEST_LDAP_USER_PASSWORD='${pinniped_test_ldap_user_password}'
diff --git a/pipelines/shared-tasks/deploy-to-integration/task.yml b/pipelines/shared-tasks/deploy-to-integration/task.yml
index e949e2d34..8d5bd0c5c 100644
--- a/pipelines/shared-tasks/deploy-to-integration/task.yml
+++ b/pipelines/shared-tasks/deploy-to-integration/task.yml
@@ -1,4 +1,4 @@
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -75,6 +75,7 @@ params:
 JUMPCLOUD_LDAP_BIND_ACCOUNT_USERNAME:
 JUMPCLOUD_LDAP_BIND_ACCOUNT_PASSWORD:
 JUMPCLOUD_LDAP_USERS_SEARCH_BASE:
+ JUMPCLOUD_LDAP_GROUPS_SEARCH_FILTER:
 JUMPCLOUD_LDAP_GROUPS_SEARCH_BASE:
 JUMPCLOUD_LDAP_USER_DN:
 JUMPCLOUD_LDAP_USER_CN:
@@ -87,7 +88,26 @@ params:
 JUMPCLOUD_LDAP_EXPECTED_DIRECT_GROUPS_CN:
 JUMPCLOUD_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN:
- # only needed when wanting to test using GitHub as an identity provider
+ # only needed when wanting to test using Okta LDAP instead of OpenLDAP.
+ OKTA_LDAP_HOST:
+ OKTA_LDAP_STARTTLS_ONLY_HOST:
+ OKTA_LDAP_BIND_ACCOUNT_USERNAME:
+ OKTA_LDAP_BIND_ACCOUNT_PASSWORD:
+ OKTA_LDAP_USERS_SEARCH_BASE:
+ OKTA_LDAP_GROUPS_SEARCH_BASE:
+ OKTA_LDAP_GROUPS_SEARCH_FILTER:
+ OKTA_LDAP_USER_DN:
+ OKTA_LDAP_USER_CN:
+ OKTA_LDAP_USER_PASSWORD:
+ OKTA_LDAP_USER_UNIQUE_ID_ATTRIBUTE_NAME:
+ OKTA_LDAP_USER_UNIQUE_ID_ATTRIBUTE_VALUE:
+ OKTA_LDAP_USER_EMAIL_ATTRIBUTE_NAME:
+ OKTA_LDAP_USER_EMAIL_ATTRIBUTE_VALUE:
+ OKTA_LDAP_EXPECTED_DIRECT_GROUPS_DN:
+ OKTA_LDAP_EXPECTED_DIRECT_GROUPS_CN:
+ OKTA_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN:
+
+ # only needed when wanting to test using GitHub as an identity provider
 PINNIPED_TEST_GITHUB_APP_CLIENT_ID:
 PINNIPED_TEST_GITHUB_APP_CLIENT_SECRET:
 PINNIPED_TEST_GITHUB_OAUTH_APP_CLIENT_ID: