add docs
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
BeryJu committed May 8, 2022
1 parent a9dc0af commit 65aff04
Showing 1 changed file with 31 additions and 1 deletion.
32 changes: 31 additions & 1 deletion website/docs/providers/ldap.md
@@ -14,7 +14,7 @@ Note: This provider requires the deployment of the [LDAP Outpost](../outposts/)

All users and groups in authentik's database are searchable. Currently, there is limited support for filters (you can only search for objectClass), but this will be expanded in further releases.

Binding against the LDAP Server uses a flow in the background. This allows you to use the same policies and flows as you do for web-based logins. The only limitation is that currently only identification and password stages are supported, due to how LDAP works.
Binding against the LDAP Server uses a flow in the background. This allows you to use the same policies and flows as you do for web-based logins. For more info, see [Bind modes](#bind-modes).

You can configure under which base DN the information should be available. For this documentation we'll use the default of `DC=ldap,DC=goauthentik,DC=io`.

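Review bot: The replacement sentence at `Binding against the LDAP Server uses a flow in the background.` drops the reason the removed line gave for the stage restriction ("due to how LDAP works") without carrying it into the linked section, so a reader who follows `[Bind modes](#bind-modes)` finds the list of supported stages but no explanation of why only those can run during a bind (a simple bind carries a DN and a password and nothing interactive). Suggest keeping a short clause here, e.g. `Because an LDAP bind only carries a DN and a password, only the stages listed under [Bind modes](#bind-modes) are supported.` The `#bind-modes` anchor matches the `## Bind Modes` heading added in the next hunk, so the link itself resolves.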
@@ -78,3 +78,33 @@ This enables you to bind on port 636 using LDAPS, StartTLS is not supported.

See the integration guide for [sssd](../../integrations/services/sssd/) for
an example guide.

## Bind Modes

All bind modes rely on flows.

The following stages are supported:

- [Identification](../flow/stages/identification/)
- [Password](../flow/stages/password/)
- [Authenticator validation](../flow/stages/authenticator_validate/)

Note: Authenticator validation currently only supports DUO devices

#### Direct bind

In this mode, the outpost will always execute the configured flow when a new bind request arrives.

#### Cached bind

This mode uses the same logic as direct bind, however the result is cached for the entered credentials, and saved in memory for the standard session duration. Sessions are saved independently, meaning that revoking sessions does *not* remove them from the outpost, and neither will changing a users credentials.

## Search Modes

#### Direct search

Every LDAP search request will trigger one or more requests to the authentik core API. This will always return the latest data, however also has a performance hit due all the layers the backend requests have to go through, etc.

#### Cached search

In this mode, the outpost will periodically fetch all users and groups from the backend, hold them in memory, and respond to search queries directly. This means greatly improved performance but potentially returning old/invalid data.
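Review bot: The `Cached bind` paragraph states a security-relevant behaviour (revoking a session or changing a user's password does not evict the cached bind result) but buries it in a muddled sentence, and `a users credentials` should be `a user's credentials`. It deserves a clear warning in the document's own `Note:` style, e.g. `Note: the cache lives only in outpost memory. Revoking the user's authentik session or changing the user's password does *not* invalidate a cached bind; the previously entered credentials keep working against the outpost until the cached entry expires or the outpost restarts.` Smaller points in the same hunk: `Direct search` has the typo `due all the layers` (should be `due to all the layers`, and the trailing `etc.` can be dropped); `Cached search` should state how often the periodic fetch runs, or where that interval is configured, since it bounds how long deleted or disabled users stay visible to LDAP clients; the `Note: Authenticator validation currently only supports DUO devices` line is missing its final period; and the `## Bind Modes` / `## Search Modes` headings jump straight to `####` subsections, skipping the `###` level used elsewhere in the docs.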
