Change some comments on API docs, fix lint error by ignoring it

2026-01-07 14:05:50 +00:00 · 2021-08-26 16:55:43 -07:00
parent 2d32e0fa7d
commit 43694777d5
16 changed files with 203 additions and 50 deletions
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
@@ -89,14 +89,20 @@ spec:
                          the ActiveDirectory server in the user's entry. E.g. "cn"
                          for common name. Distinguished names can be used by specifying
                          lower-case "dn". Optional. When not specified, this defaults
-                          to a custom field that looks like "sAMAccountName@domain".
+                          to a custom field that looks like "sAMAccountName@domain",
+                          where domain is constructed from the domain components of
+                          the group DN.
                        type: string
                    type: object
                  base:
                    description: Base is the dn (distinguished name) that should be
                      used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com".
                      Optional, when not specified it will be based on the result
-                      of a query for the default naming context.
+                      of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+                      The default behavior searches your entire domain for groups.
+                      It may make sense to specify a subtree as a search base if you
+                      wish to exclude some groups for security reasons or to make
+                      searches faster.
                    type: string
                  filter:
                    description: Filter is the ActiveDirectory search filter which
@@ -155,7 +161,10 @@ spec:
                    description: Base is the dn (distinguished name) that should be
                      used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
                      Optional, when not specified it will be based on the result
-                      of a query for the default naming context.
+                      of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+                      The default behavior searches your entire domain for users.
+                      It may make sense to specify a subtree as a search base if you
+                      wish to exclude some users or to make searches faster.
                    type: string
                  filter:
                    description: Filter is the search filter which should be applied
@@ -167,6 +176,12 @@ spec:
                      dn (distinguished name) is not an attribute of an entry, so
                      "dn={}" cannot be used. Optional. When not specified, the default
                      will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+                      This means that the user is a person, is not a computer, the
+                      sAMAccountType is for a normal user account, and is not shown
+                      in advanced view only (which would likely mean its a system
+                      created service account with advanced permissions). Also, either
+                      the sAMAccountName, the userPrincipalName, or the mail attribute
+                      matches the input username.
                    type: string
                type: object
            required: