AMBARI-18198. Doc updates about ldap sync related properties (oleewere)

ambari-server/docs/configuration/index.md

@@ -85,10 +85,10 @@ The following are the properties which can be used to configure Ambari.
 | authentication.ldap.primaryUrl | The LDAP URL used for connecting to an LDAP server when authenticating users. This should include both the host name and port. |`localhost:33389` | 
 | authentication.ldap.referral | Determines whether to follow LDAP referrals to other URLs when the LDAP controller doesn't have the requested object. |`follow` | 
 | authentication.ldap.secondaryUrl | A second LDAP URL to use as a backup when authenticating users. This should include both the host name and port. | | 
-| authentication.ldap.sync.groupMemberFilter | The default filter to use for syncing member from LDAP. | | 
-| authentication.ldap.sync.groupMemberReplacePattern | The default regex pattern to use when replacing the group member attribute ID value with a placeholder. This is used in cases where a UID of an LDAP member is not a full CN or unique ID<br/><br/>The following are examples of valid values:<ul><li>``${member}``</ul> | | 
-| authentication.ldap.sync.userMemberFilter | The default filter to use for syncing users from LDAP. | | 
-| authentication.ldap.sync.userMemberReplacePattern | The default regex pattern to use when replacing the user member attribute ID value with a placeholder. This is used in cases where a UID of an LDAP member is not a full CN or unique ID<br/><br/>The following are examples of valid values:<ul><li>``${member}``</ul> | | 
+| authentication.ldap.sync.groupMemberFilter | Filter to use for syncing group members of a group from LDAP. (by default it is not used)<br/><br/>The following are examples of valid values:<ul><li>`(&(objectclass=posixgroup)(cn={member}))`</ul> | | 
+| authentication.ldap.sync.groupMemberReplacePattern | Regex pattern to use when replacing the group member attribute ID value with a placeholder. This is used in cases where a UID of an LDAP member is not a full CN or unique ID (e.g.: `member: <SID=123>;<GID=123>;cn=myCn,dc=org,dc=apache`)<br/><br/>The following are examples of valid values:<ul><li>`(?<sid>.*);(?<guid>.*);(?<member>.*)`</ul> | | 
+| authentication.ldap.sync.userMemberFilter | Filter to use for syncing user members of a group from LDAP (by default it is not used).<br/><br/>The following are examples of valid values:<ul><li>`(&(objectclass=posixaccount)(uid={member}))`</ul> | | 
+| authentication.ldap.sync.userMemberReplacePattern | Regex pattern to use when replacing the user member attribute ID value with a placeholder. This is used in cases where a UID of an LDAP member is not a full CN or unique ID (e.g.: `member: <SID=123>;<GID=123>;cn=myCn,dc=org,dc=apache`)<br/><br/>The following are examples of valid values:<ul><li>`(?<sid>.*);(?<guid>.*);(?<member>.*)`</ul> | | 
 | authentication.ldap.useSSL | Determines whether to use LDAP over SSL (LDAPS). |`false` | 
 | authentication.ldap.userBase | The filter used when searching for users in LDAP. |`ou=people,dc=ambari,dc=apache,dc=org` | 
 | authentication.ldap.userObjectClass | The class to which user objects in LDAP belong. |`person` | 

ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java

@@ -1055,41 +1055,45 @@ public class Configuration {
       "authentication.ldap.pagination.enabled", "true");
 
   /**
-   * The default regex pattern to use when replacing the user member attribute
+   * Regex pattern to use when replacing the user member attribute
    * ID value with a placeholder. This is used in cases where a UID of an LDAP
    * member is not a full CN or unique ID.
    */
   @Markdown(
-      description = "The default regex pattern to use when replacing the user member attribute ID value with a placeholder. This is used in cases where a UID of an LDAP member is not a full CN or unique ID",
-      examples = { "`${member}`" })
+      description = "Regex pattern to use when replacing the user member attribute ID value with a placeholder. This is used in cases where a UID of an LDAP member is not a full CN or unique ID (e.g.: `member: <SID=123>;<GID=123>;cn=myCn,dc=org,dc=apache`)",
+      examples = { "(?<sid>.*);(?<guid>.*);(?<member>.*)" })
   public static final ConfigurationProperty<String> LDAP_SYNC_USER_MEMBER_REPLACE_PATTERN = new ConfigurationProperty<>(
       "authentication.ldap.sync.userMemberReplacePattern",
       LDAP_SYNC_MEMBER_REPLACE_PATTERN_DEFAULT);
 
   /**
-   * The default regex pattern to use when replacing the group member attribute
+   * Regex pattern to use when replacing the group member attribute
    * ID value with a placeholder. This is used in cases where a UID of an LDAP
    * member is not a full CN or unique ID.
    */
   @Markdown(
-      description = "The default regex pattern to use when replacing the group member attribute ID value with a placeholder. This is used in cases where a UID of an LDAP member is not a full CN or unique ID",
-      examples = { "`${member}`" })
+      description = "Regex pattern to use when replacing the group member attribute ID value with a placeholder. This is used in cases where a UID of an LDAP member is not a full CN or unique ID (e.g.: `member: <SID=123>;<GID=123>;cn=myCn,dc=org,dc=apache`)",
+      examples = { "(?<sid>.*);(?<guid>.*);(?<member>.*)" })
   public static final ConfigurationProperty<String> LDAP_SYCN_GROUP_MEMBER_REPLACE_PATTERN = new ConfigurationProperty<>(
       "authentication.ldap.sync.groupMemberReplacePattern",
       LDAP_SYNC_MEMBER_REPLACE_PATTERN_DEFAULT);
 
   /**
-   * The default filter to use for syncing users from LDAP.
+   * Filter to use for syncing user members of group from LDAP. (by default it is not used)
    */
-  @Markdown(description = "The default filter to use for syncing users from LDAP.")
+  @Markdown(
+    description = "Filter to use for syncing user members of a group from LDAP (by default it is not used).",
+    examples = {"(&(objectclass=posixaccount)(uid={member}))"})
   public static final ConfigurationProperty<String> LDAP_SYNC_USER_MEMBER_FILTER = new ConfigurationProperty<>(
       "authentication.ldap.sync.userMemberFilter",
       LDAP_SYNC_MEMBER_FILTER_DEFAULT);
 
   /**
-   * The default filter to use for syncing member from LDAP.
+   * Filter to use for syncing group members of a group from LDAP. (by default it is not used)
    */
-  @Markdown(description = "The default filter to use for syncing member from LDAP.")
+  @Markdown(
+    description = "Filter to use for syncing group members of a group from LDAP. (by default it is not used)",
+    examples = {"(&(objectclass=posixgroup)(cn={member}))"})
   public static final ConfigurationProperty<String> LDAP_SYNC_GROUP_MEMBER_FILTER = new ConfigurationProperty<>(
       "authentication.ldap.sync.groupMemberFilter",
       LDAP_SYNC_MEMBER_FILTER_DEFAULT);