From 3dd200dbe55d28d151fb9312270438a26670c2f1 Mon Sep 17 00:00:00 2001 From: David Davtian <1940369+ddavtian@users.noreply.github.com> Date: Sun, 21 May 2023 10:53:15 -0700 Subject: [PATCH] website/integrations: update vcenter docs (#5706) * Update index.md Updates to include details for integrating with Authentik's LDAP outpost. Signed-off-by: David Davtian <1940369+ddavtian@users.noreply.github.com> * slight cleanup Signed-off-by: Jens Langhammer --------- Signed-off-by: David Davtian <1940369+ddavtian@users.noreply.github.com> Signed-off-by: Jens Langhammer Co-authored-by: Jens Langhammer --- .../services/vmware-vcenter/index.md | 23 +++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/website/integrations/services/vmware-vcenter/index.md b/website/integrations/services/vmware-vcenter/index.md index cf377c2b9..90bfa8d41 100644 --- a/website/integrations/services/vmware-vcenter/index.md +++ b/website/integrations/services/vmware-vcenter/index.md @@ -31,7 +31,7 @@ The following placeholders will be used: - `vcenter.company` is the FQDN of the vCenter server. - `authentik.company` is the FQDN of the authentik install. -Since vCenter only allows OpenID-Connect in combination with Active Directory, it is recommended to have authentik sync with the same Active Directory. +Since vCenter only allows OpenID-Connect in combination with Active Directory/LDAP, it is recommended to have authentik sync with the same Active Directory. You also have the option of connecting to an authentik managed LDAP outpost for user management. ### Step 1 
@@ -43,6 +43,25 @@ return { } ``` +If you are using an authentik managed LDAP outpost you can use the following expression in your property mapping. This will correctly return the `groups` claim as a list of LDAP DNs instead of their names. + +```python +ldap_base_dn = "DC=ldap,DC=goauthentik,DC=io" +groups = [] +for group in request.user.ak_groups.all(): + group_dn = f"CN={group.name},dc=groups,{ldap_base_dn}" + groups.append(group_dn) +return { + "name": request.user.name, + "email": request.user.email, + "given_name": request.user.name, + "preferred_username": request.user.username, + "nickname": request.user.username, + "groups": groups, + "domain": "ldap.goauthentik.io" +} +``` + ### Step 2 :::note @@ -56,7 +75,7 @@ Under _Sources_, click _Edit_ and ensure that "authentik default Active Director Under _Providers_, create an OAuth2/OpenID provider with these settings: - Redirect URI: `https://vcenter.company/ui/login/oauth2/authcode` -- Sub Mode: If your Email address Schema matches your UPN, select "Based on the User's Email...", otherwise select "Based on the User's UPN...". +- Sub Mode: If your Email address Schema matches your UPN, select "Based on the User's Email...", otherwise select "Based on the User's UPN...". If you are using authentik's managed LDAP outpost, chose "Based on the User's username" - Scopes: Select the Scope Mapping you've created in Step 1 - Signing Key: Select any available key
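Review bot: In the `@@ -31,7 +31,7 @@` hunk, the second half of the rewritten sentence still says "it is recommended to have authentik sync with the same Active Directory" right after the first half was broadened to "Active Directory/LDAP", so the recommendation no longer covers the LDAP case it introduces. Suggest "the same directory" (or "the same Active Directory or LDAP directory"), and make the new sentence say what the outpost option replaces, e.g. "Alternatively, vCenter can use an authentik managed LDAP outpost as its identity source, in which case no external directory is needed."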
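Review bot: In the `@@ -43,6 +43,25 @@` hunk, `ldap_base_dn = "DC=ldap,DC=goauthentik,DC=io"` and `"domain": "ldap.goauthentik.io"` are literal values with no accompanying text saying they must match the Base DN configured on the reader's LDAP outpost and the domain of the identity source configured in vCenter; since vCenter matches the `groups` claim against DNs it reads over LDAP, a mismatch here silently breaks group-based authorization. Suggest turning both into placeholders listed with the existing ones (`vcenter.company`, `authentik.company`) and stating that requirement. Two smaller points in the same block: `group_dn = f"CN={group.name},dc=groups,{ldap_base_dn}"` interpolates the group name without DN escaping, so a group whose name contains `,`, `+` or `=` will produce a DN vCenter cannot match, which is worth a sentence; and the mixed case of `dc=groups` beside `CN=` and `DC=` reads as a typo even though DN attribute names are case-insensitive.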
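Review bot: In the `@@ -56,7 +75,7 @@` hunk, the added clause has a typo and no terminating punctuation: "chose" should be "choose", and the sentence should end with a period, i.e. `If you are using authentik's managed LDAP outpost, choose "Based on the User's username".` It would also help to say why, since the rest of the bullet gives a reason for the other two options: the username is what the outpost exposes as the user entry, so the `sub` claim then matches what vCenter sees via LDAP.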