website/docs: add LDAP 'Lookup using user attribute' docs (#13966)

* website/docs: add LDAP 'Lookup using user attribute' docs

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Updated the doc to new template, removed incorrect screenshot, clarified instructions

* Change in group field explanation as per Marc's comment

* Added examples for filters and changed some language.

* Removed additional info link

* fixup

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Minor formatting changes

* Update website/docs/users-sources/sources/protocols/ldap/index.md

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

* Update website/docs/users-sources/sources/directory-sync/active-directory/index.md

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

* Update website/docs/users-sources/sources/directory-sync/active-directory/index.md

Co-authored-by: Dominic R <dominic@sdko.org>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

* Added more information to service account creation and LDAPS testing

* Added examples for fields based on issue #3801

---------

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Dominic R <dominic@sdko.org>

website/docs/users-sources/sources/protocols/ldap/index.md

@@ -12,18 +12,13 @@ For FreeIPA, follow the [FreeIPA Integration](../../directory-sync/freeipa/index
 
 ## Configuration options for LDAP sources
 
-To create or edit a source in authentik, open the Admin interface and navigate to **Directory -> Ferderation and Social login**. There you can create a new LDAP source, or edit an existing one, using the following settings.
+To create or edit a source in authentik, open the Admin interface and navigate to **Directory > Ferderation and Social login**. There you can create a new LDAP source, or edit an existing one, using the following settings.
 
 - **Enabled**: Toggle this option on to allow authentik to use the defined LDAP source.
-
 - **Update internal password on login**: When the user logs in to authentik using the LDAP password backend, the password is stored as a hashed value in authentik. Toggle off (default setting) if you do not want to store the hashed passwords in authentik.
-
 - **Sync users**: Enable or disable user synchronization between authentik and the LDAP source.
-
 - **User password writeback**: Enable this option if you want to write password changes that are made in authentik back to LDAP.
-
 - **Sync groups**: Enable/disable group synchronization. Groups are synced in the background every 5 minutes.
-
 - **Parent group**: Optionally set this group as the parent group for all synced groups. An example use case of this would be to import Active Directory groups under a root `imported-from-ad` group.
 
 #### Connection settings
@@ -34,13 +29,9 @@ To create or edit a source in authentik, open the Admin interface and navigate t
     - **Use Server URI for SNI verification**: this setting is required for servers using TLS 1.3+
 
 - **TLS Verification Certificate**: Specify a keypair to validate the remote certificate.
-
 - **TLS Client authentication**: Client certificate keypair to authenticate against the LDAP Server's Certificate.
-
 - **Bind CN**: CN of the bind user. This can also be a UPN in the format of `user@domain.tld`.
-
 - **Bind password**: Password used during the bind process.
-
 - **Base DN**: Base DN (distinguished name) used for all LDAP queries.
 
 #### LDAP Attribute mapping
@@ -54,19 +45,13 @@ To create or edit a source in authentik, open the Admin interface and navigate t
 #### Additional Settings
 
 - **Group**: Parent group for all the groups imported from LDAP.
-
 - **User path**: Path template for all new users created.
-
 - **Addition User DN**: Prepended to the base DN for user queries.
-
 - **Addition Group DN**: Prepended to the base DN for group queries.
-
 - **User object filter**: Consider objects matching this filter to be users.
-
 - **Group object filter**: Consider objects matching this filter to be groups.
-
-- **Group membership field**: This field contains the user's group memberships.
-
+- **Lookup using a user attribute**: Acquire group membership from a User object attribute (`memberOf`) instead of a Group attribute (`member`). This works with directories with nested groups memberships (Active Directory, RedHat IDM/FreeIPA), using `memberOf:1.2.840.113556.1.4.1941:` as the group membership field.
+- **Group membership field**: The user object attribute or the group object attribute that determines the group membership for a user. If **Lookup using a user attribute** is set, this should be a user object attribute, otherwise a group object attribute.
 - **Object uniqueness field**: This field contains a unique identifier.
 
 ## LDAP source property mappings
@@ -90,14 +75,14 @@ return {
 
 LDAP property mappings are used when you define a LDAP source. These mappings define which LDAP property maps to which authentik property. By default, the following mappings are created:
 
-- authentik default Active Directory Mapping: givenName
-- authentik default Active Directory Mapping: sAMAccountName
-- authentik default Active Directory Mapping: sn
-- authentik default Active Directory Mapping: userPrincipalName
-- authentik default LDAP Mapping: mail
-- authentik default LDAP Mapping: Name
-- authentik default OpenLDAP Mapping: cn
-- authentik default OpenLDAP Mapping: uid
+- `authentik default Active Directory Mapping: givenName`
+- `authentik default Active Directory Mapping: sAMAccountName`
+- `authentik default Active Directory Mapping: sn`
+- `authentik default Active Directory Mapping: userPrincipalName`
+- `authentik default LDAP Mapping: mail`
+- `authentik default LDAP Mapping: Name`
+- `authentik default OpenLDAP Mapping: cn`
+- `authentik default OpenLDAP Mapping: uid`
 
 These are configured with most common LDAP setups.