From da9508f839bdf86493e9e45f646e7af16bdf1965 Mon Sep 17 00:00:00 2001
From: "gcp-cherry-pick-bot[bot]"
<98988430+gcp-cherry-pick-bot[bot]@users.noreply.github.com>
Date: Tue, 3 Jun 2025 19:31:04 +0200
Subject: [PATCH] website/docs: add LDAP docs for forward deletion and
`memberUid` (cherry-pick #14814) (#14848)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
website/docs: add LDAP docs for forward deletion and `memberUid` (#14814)
* website/docs: add LDAP docs for forward deletion and `memberUid`
* reword LDAP docs
---------
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Dewi Roberts
---
web/src/admin/sources/ldap/LDAPSourceForm.ts | 4 ++--
website/docs/releases/2025/v2025.6.md | 4 ++--
.../sources/protocols/ldap/index.md | 19 +++++++++++--------
3 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/web/src/admin/sources/ldap/LDAPSourceForm.ts b/web/src/admin/sources/ldap/LDAPSourceForm.ts
index c0ff548aaa..58e4f9b79b 100644
--- a/web/src/admin/sources/ldap/LDAPSourceForm.ts
+++ b/web/src/admin/sources/ldap/LDAPSourceForm.ts
@@ -361,7 +361,7 @@ export class LDAPSourceForm extends BaseSourceForm {
${placeholderHelperText}
{
Ferderation and Social login**. There you can create a new LDAP source, or edit an existing one, using the following settings.
+To create or edit a source in authentik, open the Admin interface and navigate to **Directory > Federation and Social login**. There you can create a new LDAP source, or edit an existing one, using the following settings.
- **Enabled**: Toggle this option on to allow authentik to use the defined LDAP source.
- **Update internal password on login**: When the user logs in to authentik using the LDAP password backend, the password is stored as a hashed value in authentik. Toggle off (default setting) if you do not want to store the hashed passwords in authentik.
- **Sync users**: Enable or disable user synchronization between authentik and the LDAP source.
- **User password writeback**: Enable this option if you want to write password changes that are made in authentik back to LDAP.
-- **Sync groups**: Enable/disable group synchronization. Groups are synced in the background every 5 minutes.
-- **Parent group**: Optionally set this group as the parent group for all synced groups. An example use case of this would be to import Active Directory groups under a root `imported-from-ad` group.
+- **Sync groups**: Enable/disable group synchronization between authentik and the LDAP source.
+- **Delete Not Found Objects**: :ak-version[2025.6] This option synchronizes user and group deletions from LDAP sources to authentik. User deletion requires enabling **Sync users** and group deletion requires enabling **Sync groups**.
#### Connection settings
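Review bot: the first removed line ("Ferderation and Social login**. There you can create...") is cut off before its `-` prefix, so the old wording cannot be compared in full; the visible fix of "Ferderation" to "Federation" in the replacement line is correct. The rewritten **Sync groups** bullet drops the sentence "Groups are synced in the background every 5 minutes"; if the sync interval is still accurate it belongs somewhere on the page, since the new **Delete Not Found Objects** option makes the timing of a sync run more consequential. For that option, consider stating what "not found" means in practice, i.e. objects that no longer match the **User object filter** / **Group object filter** under the **Base DN**, so readers understand that narrowing a filter or changing the Base DN will propagate as deletions in authentik.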
@@ -29,9 +29,9 @@ To create or edit a source in authentik, open the Admin interface and navigate t
- **Use Server URI for SNI verification**: this setting is required for servers using TLS 1.3+
- **TLS Verification Certificate**: Specify a keypair to validate the remote certificate.
-- **TLS Client authentication**: Client certificate keypair to authenticate against the LDAP Server's Certificate.
+- **TLS Client authentication certificate**: Client certificate keypair to authenticate against the LDAP Server's Certificate.
- **Bind CN**: CN of the bind user. This can also be a UPN in the format of `user@domain.tld`.
-- **Bind password**: Password used during the bind process.
+- **Bind Password**: Password used during the bind process.
- **Base DN**: Base DN (distinguished name) used for all LDAP queries.
#### LDAP Attribute mapping
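Review bot: the renamed **TLS Client authentication certificate** bullet keeps the description "Client certificate keypair to authenticate against the LDAP Server's Certificate", which describes the wrong direction; a client certificate is presented to the server for mutual TLS, it is not validated against the server's certificate. Suggest: "Keypair presented to the LDAP server when it requires client certificate (mutual TLS) authentication." The rename of **Bind password** to **Bind Password** also leaves the casing inconsistent with the neighbouring **Bind CN** and **Base DN** entries; pick whichever matches the UI label. Since the bind credentials appear here, a short note that the bind account only needs read access to the user and group subtrees would help readers scope that account narrowly.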
@@ -44,14 +44,17 @@ To create or edit a source in authentik, open the Admin interface and navigate t
#### Additional Settings
-- **Group**: Parent group for all the groups imported from LDAP.
+- **Parent Group**: Parent group for all the groups imported from LDAP. An example use case would be to import Active Directory groups under a root `imported-from-ad` group.
- **User path**: Path template for all new users created.
-- **Addition User DN**: Prepended to the base DN for user queries.
-- **Addition Group DN**: Prepended to the base DN for group queries.
+- **Additional User DN**: Prepended to the base DN for user queries.
+- **Additional Group DN**: Prepended to the base DN for group queries.
- **User object filter**: Consider objects matching this filter to be users.
- **Group object filter**: Consider objects matching this filter to be groups.
- **Lookup using a user attribute**: Acquire group membership from a User object attribute (`memberOf`) instead of a Group attribute (`member`). This works with directories with nested groups memberships (Active Directory, RedHat IDM/FreeIPA), using `memberOf:1.2.840.113556.1.4.1941:` as the group membership field.
- **Group membership field**: The user object attribute or the group object attribute that determines the group membership for a user. If **Lookup using a user attribute** is set, this should be a user object attribute, otherwise a group object attribute.
+- **User membership attribute**: Attribute name on authentik user objects which is checked against the **Group membership field**. Two common cases are:
+ - If your groups have `member` attributes containing DNs, set this to `distinguishedName`. (The `distinguishedName` attribute for User objects in authentik is set automatically.)
+ - If your groups have `memberUid` attributes containing `uid`s, set this to `uid`. Make sure that you've created a property mapping that creates an attribute called `uid`.
- **Object uniqueness field**: This field contains a unique identifier.
## LDAP source property mappings
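Review bot: the new **User membership attribute** bullet should say what happens when the attribute is missing from a user, e.g. whether that user is simply skipped for group membership or the sync reports an error, because the `uid` case depends on a property mapping the reader must create themselves. For the `memberUid` case, `memberUid` values are bare `uid` strings rather than DNs, so matching is by name only; the text should state that `uid` must be unique across the **Base DN** (and ideally point at **Object uniqueness field** two lines below), otherwise a duplicate `uid` could attach the wrong user to a group. The rename of **Addition User DN**/**Addition Group DN** to **Additional User DN**/**Additional Group DN** and the move of the parent-group bullet into **Additional Settings** (with the `imported-from-ad` example carried over) look correct.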