> Thomas Skinner <tho...@atskinner.net> hat am 24.03.2025 03:37 CET geschrieben:
> 
>  
> Signed-off-by: Thomas Skinner <tho...@atskinner.net>
> ---
>  pveum.adoc | 37 +++++++++++++++++++++++++++++++++++++
>  1 file changed, 37 insertions(+)
> 
> diff --git a/pveum.adoc b/pveum.adoc
> index 81565ab..5da0e98 100644
> --- a/pveum.adoc
> +++ b/pveum.adoc
> @@ -456,6 +456,15 @@ use the `autocreate` option to automatically add new 
> users.
>  * `Username Claim` (`username-claim`): OpenID claim used to generate the 
> unique
>  username (`subject`, `username` or `email`).
>  
> +* `Autocreate Groups` (`groups-autocreate`): Create all groups in the claim
> +instead of using existing PVE groups (default behavior).
> +
> +* `Groups Claim` (`groups-claim`): OpenID claim used to retrieve the groups 
> from
> +the ID token or userinfo endpoint.
> +
> +* `Overwrite Groups` (`groups-overwrite`): Overwrite all groups assigned to 
> user
> +instead of appending to existing groups (default behavior).
> +
>  Username mapping
>  ^^^^^^^^^^^^^^^^
>  
> @@ -479,6 +488,34 @@ Another option is to use `email`, which also yields 
> human readable
>  usernames. Again, only use this setting if the server guarantees the
>  uniqueness of this attribute.
>  
> +Groups mapping
> +^^^^^^^^^^^^^^
> +
> +Specifying the `groups-claim` setting in the OpenID configuration enables 
> group
> +mapping functionality. The data provided in the `groups-claim` should be
> +a list of strings that correspond to groups that a user should be a member 
> of in
> +{pve}. To prevent collisions, group names from the OpenID claim are suffixed 
> +with `-<realm name>` (e.g. for the OpenID group name `my-openid-group` in 
> the 
> +realm `oidc`, the group name in {pve} would be `my-openid-group-oidc`).
> +
> +Any groups reported by the OpenID provider that do not exist in {pve} are
> +ignored by default. If all groups reported by the OpenID provider should 
> exist
> +in {pve}, the `groups-autocreate` option may be used to automatically create
> +these groups on user logins.
> +
> +By default, groups are appended to the user's existing groups. It may be 
> +desirable to overwrite any groups that the user is already a member in {pve}
> +with those from the OpenID provider. Enabling the `groups-overwrite` setting
> +removes all groups from the user in {pve} before adding the groups reported 
> by
> +the OpenID provider.
> +
> +In some cases, OpenID servers may send groups claims which include invalid
> +characters for {pve} group IDs. Any groups that contain characters not 
> allowed
> +in a {pve} group name are not included and a warning will be sent to the 
> logs.
> +
> +Advanced settings
> +^^^^^^^^^^^^^^^^^
These 2 lines need to be removed, otherwise xmllint fails validation.

Maybe this could be fixed up when applying if there are no other
issues with the patches?


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Reply via email to