Add upgrade notes for LDAP

2016-07-25 09:07:52 -04:00 · 2016-07-25 09:07:52 -04:00 · 3002799c26
parent 118939238b
commit 3002799c26
1 changed files with 21 additions and 0 deletions
--- a/website/source/docs/install/upgrade-to-0.6.1.html.md
+++ b/website/source/docs/install/upgrade-to-0.6.1.html.md
@ -33,3 +33,24 @@ If you are already using DynamoDB in an HA fashion and wish to keep doing so,
 it is *very important* that you set this option before upgrading your Vault
 instances. Without doing so, each Vault instance will believe that it is
 standalone and there will be consistency issues.
+
+## LDAP Auth Backend Does Not Search `memberOf`
+
+The LDAP backend went from a model where all permutations of storing and
+filtering groups were tried in all cases to one where specific filters are
+defined by the administrator. This vastly increases overall directory
+compatibility, especially with Active Directory when using nested groups, but
+unfortunately has the side effect that `memberOf` is no longer searched for by
+default, which is a breaking change for many existing setups. 
+
+`Scenario 2` in the [updated
+documentation](https://github.com/hashicorp/vault/blob/master/website/source/docs/auth/ldap.html.md)
+shows an example of configuring the backend to query `memberOf`. It is
+recommended that a test Vault server be set up and that successful
+authentication can be performed using the new configuration before upgrading a
+primary or production Vault instance.
+
+In addition, if LDAP is relied upon for authentication, operators should ensure
+that they have valid tokens with policies allowing modification of LDAP
+parameters before upgrading, so that once an upgrade is performed, the new
+configuration can be specified successfully.