Sorry, I didn't get to read v1 in time. Some nits regarding grammar,
reading flow and such inline:
Other than those:
Reviewed-By: Aaron Lauterer <a.laute...@proxmox.com>
On 4/30/20 2:27 PM, Dominik Csapak wrote:
explaining the main Requirements and limitations, as well as the
most important sync options
Signed-off-by: Dominik Csapak <d.csa...@proxmox.com>
---
changes from v1:
* incorporated suggestions from Alwin, thanks :)
* re-worded the sentence about limitations to specify the character
limitations of user.cfg
pveum.adoc | 47 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
diff --git a/pveum.adoc b/pveum.adoc
index c89d4b8..80b3385 100644
--- a/pveum.adoc
+++ b/pveum.adoc
@@ -170,6 +170,53 @@ A server and authentication domain need to be specified.
Like with
ldap an optional fallback server, optional port, and SSL
encryption can be configured.
+[[pveum_ldap_sync]]
+Syncing LDAP-based realms
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+It is possible to sync users and groups for LDAP based realms using
+ pveum sync <realm>
+or in the `Authentication` panel of the GUI to the user.cfg.
The last part `to the user.cfg` makes this sentence somewhat cumbersome
and hard to read.
Without knowing the full technical details, would it be okay to rewrite
it to:
"... or in the `Authentication` panel of the GUI. Users and groups are
synced to the `user.cfg`".
Or maybe even drop the mention of the user.cfg completely?
+
+Requirements and limitations
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The `bind_dn` is used to query the users and groups, so this account
s/, so this/. This/
+should be able to see all desired entries.
s/should be able to see/needs access to/
though this is just a preference of mine and not something that really
should be changed.
+
+The fields which represent the names of the users and groups can be configured
+via the `user_attr` and `group_name_attr` respectively. Only entries which
+adhere to the usual character limitations of the user.cfg are synced.
is there another chapter explaining the character limitations in the
user.cfg to which we could link to?
+
+Groups are synced with `-$realm` attached to the name, to avoid naming > +conflicts. Please make sure that a sync does not overwrite manually
created
+groups.
+
+Options
+^^^^^^^
+
+The main options for syncing are:
+
+* `dry-run`: No data is written to the config. This is useful if you want to
+ see which users and groups would get synced to the user.cfg. This is set
+ when you click `Preview` in the GUI.
+
+* `enable-new`: If set, the newly synced users are enabled and can login.
+ The default is `true`.
+
+* `full`: If set, the sync uses the LDAP Directory as a source of truth,
+ overwriting information set manually in the user.cfg and deleting users
+ and groups which are not returned. If not set, only new data is
possibly
s/returned/present in the LDAP/
to make it clearer?
+ written to the config, and no stale users are deleted.
+
+* `purge`: If set, sync removes all corresponding ACLs when removing users
+ and groups. This is only useful with the option `full`.
+
+* `scope`: The scope of what to sync. It can be either `users`, `groups` or
+ `both`.
+
+These options are either set as parameters or as defaults, via the
+realm option `sync-defaults-options`.
[[pveum_tfa_auth]]
Two-factor authentication
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
