From 2cad9a3d07e7d381ac833081e572125e4483cfb9 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Wed, 5 May 2021 11:48:07 +0200
Subject: [PATCH] website/docs: add LDAP Outpost docs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 web/src/pages/outposts/OutpostForm.ts |  2 +-
 website/docs/outposts/ldap.md         | 42 +++++++++++++++++++++++++++
 website/docs/releases/next.md         | 12 ++++++++
 website/sidebars.js                   |  1 +
 4 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 website/docs/outposts/ldap.md

diff --git a/web/src/pages/outposts/OutpostForm.ts b/web/src/pages/outposts/OutpostForm.ts
index dfec1651e..24d531a40 100644
--- a/web/src/pages/outposts/OutpostForm.ts
+++ b/web/src/pages/outposts/OutpostForm.ts
@@ -51,7 +51,7 @@ export class OutpostForm extends Form<Outpost> {
                 name="type">
                 <select class="pf-c-form-control">
                     <option value=${OutpostTypeEnum.Proxy} ?selected=${this.outpost?.type === OutpostTypeEnum.Proxy}>${t`Proxy`}</option>
-                    <option value=${OutpostTypeEnum.Ldap} ?selected=${this.outpost?.type === OutpostTypeEnum.Ldap}>${t`LDAP`}</option>
+                    <option value=${OutpostTypeEnum.Ldap} ?selected=${this.outpost?.type === OutpostTypeEnum.Ldap}>${t`LDAP (Technical preview)`}</option>
                 </select>
             </ak-form-element-horizontal>
             <ak-form-element-horizontal
diff --git a/website/docs/outposts/ldap.md b/website/docs/outposts/ldap.md
new file mode 100644
index 000000000..c3fc75988
--- /dev/null
+++ b/website/docs/outposts/ldap.md
@@ -0,0 +1,42 @@
+---
+title: LDAP Outpost
+---
+
+:::info
+This feature is still in technical preview, so please report any Bugs you run into on [GitHub](https://github.com/goauthentik/authentik/issues)
+:::
+
+You can configure an LDAP Provider for applications that don't support any newer protocols or require LDAP.
+
+All users and groups in authentik's database are searchable. Currently, there is a limited support for filters (you can only search for objectClass), but this will be expanded in further releases.
+
+Binding against the LDAP Server uses a flow in the background. This allows you to use the same policies and flows as you do for web-based logins. The only limitation is that currently only identification and password stages are supported, due to how LDAP works.
+
+You can configure under which base DN the information should be available. For this documentation we'll use the default of `DC=ldap,DC=goauthentik,DC=io`.
+
+Users are available under `cn=users,<base DN>` and groups under `cn=groups,<base DN>`.
+
+The following fields are currently sent for users:
+
+- cn: User's username
+- uid: Unique user identifier
+- name: User's name
+- displayName: User's name
+- mail: User's email address
+- objectClass: A list of these strings:
+  - "user"
+  - "organizationalPerson"
+  - "goauthentik.io/ldap/user"
+- accountStatus: "active" if the account is active, otherwise "inactive"
+- superuser: "active" if the account is part of a group with superuser permissions, otherwise "inactive"
+- memberOf: A list of all DNs that the user is a member of
+
+The following fields are current set for groups:
+
+- cn: The group's name
+- uid: Unique group identifier
+- objectClass: A list of these strings:
+  - "user"
+  - "goauthentik.io/ldap/group"
+
+**Additionally**, for both users and groups, any attributes you set are also present as LDAP Attributes.
diff --git a/website/docs/releases/next.md b/website/docs/releases/next.md
index 0fa632395..fdbcf2c3b 100644
--- a/website/docs/releases/next.md
+++ b/website/docs/releases/next.md
@@ -4,6 +4,18 @@ title: Next
 
 ## Headline Changes
 
+- LDAP Provider
+
+:::info
+This feature is still in technical preview, so please report any Bugs you run into on [GitHub](https://github.com/goauthentik/authentik/issues)
+:::
+
+    You can now configure an LDAP Provider for applications that don't support any newer protocols or require LDAP.
+
+    All users and groups in authentik's database are searchable. Currently, there is a limited support for filters (you can only search for objectClass), but this will be expanded in further releases.
+
+    Binding against the LDAP Server uses a flow in the background. This allows you to use the same policies and flows as you do for web-based logins. The only limitation is that currently only identification and password stages are supported, due to how LDAP works.
+
 - Compatibility with forwardAuth/auth_request
 
     The authentik proxy is now compatible with forwardAuth (traefik) / auth_request (nginx). All that is required is the latest version of the outpost,
diff --git a/website/sidebars.js b/website/sidebars.js
index 7edd7b216..0129a9ffa 100644
--- a/website/sidebars.js
+++ b/website/sidebars.js
@@ -35,6 +35,7 @@ module.exports = {
             items: [
                 "outposts/outposts",
                 "outposts/proxy",
+                "outposts/ldap",
                 "outposts/upgrading",
                 "outposts/manual-deploy-docker-compose",
                 "outposts/manual-deploy-kubernetes",