Ad warnings for LDAP multi-value fields (v24 only)

7ea51801 · CI Runner · 840d9bc5 · 7ea51801 · 7ea51801
Commit 7ea51801 authored Feb 04, 2019 by CI Runner
--- a/_docs/ldap_authentication.md
+++ b/_docs/ldap_authentication.md
@@ -94,7 +94,7 @@ If this key is not set, or null, then the DN of the LDAP entry is used.
 |---|---|
 | userbase | Specifies the subtree in the directory where user information is stored |
 | usersearch | The actual LDAP query that Search Guard executes when trying to authenticate a user. The variable {0} is substituted with the username.|
-| username_attribute | Search Guard uses this attribute of the directory entry to look for the user name. If set to null, the DN is used (default). |
+| username_attribute | Search Guard uses this attribute of the directory entry to look for the user name. If set to null, the DN is used (default). If this references a multi-value field it is undefined which value will be used. It's therefore not recommended to set it to a multi-value field.|

 ### Complete authentication example


--- a/_docs/ldap_authorisation.md
+++ b/_docs/ldap_authorisation.md
@@ -207,9 +207,9 @@ For more details refer to https://technet.microsoft.com/en-us/library/cc978012.a
 |---|---|
 | rolebase  | Specifies the subtree in the directory where role/group information is stored. |
 | rolesearch | The actual LDAP query that Search Guard executes when trying to determine the roles of a user. You can use three variables here (see below).|
-| userroleattribute  | The attribute in a user entry to use for `{2}` variable substitution. |
-| userrolename  | If the roles/groups of a user are not stored in the groups subtree, but as an attribute of the user's directory entry, define this attribute name here. |
-| rolename  | The attribute of the role entry which should be used as role name. |
+| userroleattribute  | The attribute in a user entry to use for `{2}` variable substitution. If this references a multi-value field it is undefined which value will be used. It's therefore not recommended to set it to a multi-value field.|
+| userrolename  | If the roles/groups of a user are not stored in the groups subtree, but as an attribute of the user's directory entry, define this attribute name here. If this references a multi-value field it is undefined which value will be used. It's therefore not recommended to set it to a multi-value field.|
+| rolename  | The attribute of the role entry which should be used as role name. If this references a multi-value field it is undefined which value will be used. It's therefore not recommended to set it to a multi-value field.|
 | resolve\_nested\_roles  | Boolean, whether or not to resolve nested roles transitively (roles which are members of other roles and so on ...), default: false. |
 | skip_users  | Array of users that should be skipped when retrieving roles. Wildcards and regular expressions are supported.  |
 | nested\_role\_filter  | Array of role DNs that should be filtered before resolving nested roles. Wildcards and regular expressions are supported.  |