From f778a58c7038cfdbb56d67f02dcfa2a91562c1a0 Mon Sep 17 00:00:00 2001 From: Ravind Kumar Date: Tue, 24 Jun 2025 10:48:37 -0400 Subject: [PATCH] Adding guidance around LDAP groups --- source/includes/common-minio-external-auth.rst | 8 +++++++- .../configure-ad-ldap-external-identity-management.rst | 4 ++++ source/reference/minio-server/settings/iam/ldap.rst | 7 ++++++- 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/source/includes/common-minio-external-auth.rst b/source/includes/common-minio-external-auth.rst index a53beedc..ee355948 100644 --- a/source/includes/common-minio-external-auth.rst +++ b/source/includes/common-minio-external-auth.rst @@ -278,6 +278,12 @@ For example: (&(objectclass=groupOfNames)(memberUid=%s)) + +When providing an AD/LDAP group search filter, configure a filter that returns the minimum number of relevant groups for the purpose of supporting authentication. +Filters that return large group assignments increase the size of associated calls and resources. +Functions sensitive to large request or response bodies may exhibit unexpected behaviors as a result. + + .. end-minio-ad-ldap-group-search-filter .. start-minio-ad-ldap-group-search-base-dn @@ -454,4 +460,4 @@ Defaults to off Specify a comment to associate to the external access management configuration. -.. end-minio-access-management-plugin-comment \ No newline at end of file +.. end-minio-access-management-plugin-comment diff --git a/source/operations/external-iam/configure-ad-ldap-external-identity-management.rst b/source/operations/external-iam/configure-ad-ldap-external-identity-management.rst index 1ea0260e..ef890587 100644 --- a/source/operations/external-iam/configure-ad-ldap-external-identity-management.rst +++ b/source/operations/external-iam/configure-ad-ldap-external-identity-management.rst 
@@ -191,6 +191,10 @@ An AD/LDAP user with no assigned policy *and* with membership in groups with no For complete documentation on these variables, see :ref:`minio-server-envvar-external-identity-management-ad-ldap` + When providing an AD/LDAP group search filter, configure a filter that returns the minimum number of relevant groups for the purpose of supporting authentication. + Filters that return large group assignments increase the size of associated calls and resources. + Functions sensitive to large request or response bodies may exhibit unexpected behaviors as a result. + 2) Restart the MinIO Deployment ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/source/reference/minio-server/settings/iam/ldap.rst b/source/reference/minio-server/settings/iam/ldap.rst index 550deab9..89cda804 100644 --- a/source/reference/minio-server/settings/iam/ldap.rst +++ b/source/reference/minio-server/settings/iam/ldap.rst @@ -265,6 +265,11 @@ Group Search Filter .. include:: /includes/common-minio-external-auth.rst :start-after: start-minio-ad-ldap-group-search-filter :end-before: end-minio-ad-ldap-group-search-filter + +When providing an AD/LDAP group search filter, configure a filter that returns the minimum number of relevant groups for the purpose of supporting authentication. +Filters that return large group assignments increase the size of associated calls and resources. +Functions sensitive to large request or response bodies may exhibit unexpected behaviors as a result. + Group Search Base DN ~~~~~~~~~~~~~~~~~~~~ @@ -398,4 +403,4 @@ Comment .. include:: /includes/common-minio-external-auth.rst :start-after: start-minio-ad-ldap-comment - :end-before: end-minio-ad-ldap-comment \ No newline at end of file + :end-before: end-minio-ad-ldap-comment
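Review bot: In source/includes/common-minio-external-auth.rst (hunk at -278,6), the sentence "Functions sensitive to large request or response bodies may exhibit unexpected behaviors as a result" does not say which operations are affected or what the failure looks like, so an operator cannot recognize the symptom or judge how narrow the filter needs to be. Name the affected operation and the symptom. It would also help to follow the advice with a narrowed variant of the example shown just above it, (&(objectclass=groupOfNames)(memberUid=%s)), because that example matches every groupOfNames entry under the search base that lists the user. The hunk also adds two blank lines before ".. end-minio-ad-ldap-group-search-filter"; one is enough.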
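Review bot: In source/operations/external-iam/configure-ad-ldap-external-identity-management.rst (hunk at -191,6), the three added sentences are a hand copy of the paragraph this patch also adds to common-minio-external-auth.rst, so the two copies can drift apart on the next edit. Consider giving the paragraph its own start/end markers in the include file and pulling it in here with ".. include::", as ldap.rst already does for the group search filter text. The paragraph also lands after "For complete documentation on these variables" without naming the setting it applies to; say which group search filter setting is meant so the guidance reads correctly inside step 1.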
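Review bot: In source/reference/minio-server/settings/iam/ldap.rst (hunk at -265,6), the added paragraph sits directly under an include that pulls everything between start-minio-ad-ldap-group-search-filter and end-minio-ad-ldap-group-search-filter, and the first hunk of this patch adds the same three sentences inside that region of common-minio-external-auth.rst, so the Group Search Filter section will render the paragraph twice. Drop the addition in ldap.rst and rely on the include.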