GUACAMOLE-793: Merge documentation for CAS properties for configuring group membership retrieval.
diff --git a/src/chapters/cas-auth.xml b/src/chapters/cas-auth.xml
index bd49657..fed8cdc 100644
--- a/src/chapters/cas-auth.xml
+++ b/src/chapters/cas-auth.xml
@@ -57,8 +57,11 @@
<primary>CAS authentication</primary>
<secondary>configuration</secondary>
</indexterm>
- <para>The CAS authentication extension provides two configuration properties, both
- of which are required.</para>
+ <para>Guacamole's CAS support requires specifying two properties that describe the CAS
+ authentication server and the Guacamole deployment. These properties are
+ <emphasis>absolutely required in all cases</emphasis>, as they dictate how
+ Guacamole should connect to the CAS and how CAS should redirect users back to
+ Guacamole once their identity has been confirmed:</para>
<variablelist>
<varlistentry>
<term><property>cas-authorization-endpoint</property></term>
@@ -74,12 +77,65 @@
this will be the full URL of your Guacamole installation.</para>
</listitem>
</varlistentry>
+ </variablelist>
+ <para>Additional optional properties are available to control how CAS tokens are
+ processed, including whether <link linkend="cas-clearpass">CAS ClearPass</link>
+ should be used and how user group memberships should be derived:</para>
+ <variablelist>
<varlistentry>
<term><property>cas-clearpass-key</property></term>
<listitem>
<para>If using CAS ClearPass to pass the SSO password to Guacamole, this
- parameter specifies the private key file to use to decrypt the
- password. See the section on ClearPass below.</para>
+ parameter specifies the private key file to use to decrypt the password.
+ See <link linkend="cas-clearpass">the section on ClearPass</link>
+ below.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><property>cas-group-attribute</property></term>
+ <listitem>
+ <para>The CAS attribute that determines group membership, typically
+ "<property>memberOf</property>". This parameter is only required if
+ using CAS to define user group memberships. If omitted, groups aren't
+ retrieved from CAS, and all other group-related properties for CAS are
+ ignored.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><property>cas-group-format</property></term>
+ <listitem>
+ <para>The format that CAS will use for its group names. Possible values are
+ <constant>plain</constant>, for groups that are simple text names,
+ or <constant>ldap</constant>, for groups that are represented as LDAP
+ DNs. If set to <constant>ldap</constant>, group names are always
+ determined from the last (leftmost) attribute of the DN. If omitted,
+ <constant>plain</constant> is used by default.</para>
+ <para>This property has no effect if
+ <property>cas-group-attribute</property> is not set.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><property>cas-group-ldap-base-dn</property></term>
+ <listitem>
+ <para>The base DN to require for LDAP-formatted CAS groups. If specified,
+ only CAS groups beneath this DN will be included, and all other CAS
+ groups will be ignored.</para>
+ <para>This property has no effect if <property>cas-group-format</property>
+ is not <constant>ldap</constant>.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><property>cas-group-ldap-attribute</property></term>
+ <listitem>
+ <para>The LDAP attribute to require for LDAP-formatted CAS groups. If
+ specified, only CAS groups that use this attribute for the name of the
+ group will be included. Note that LDAP group names are <emphasis>always
+ determined from the last (leftmost) attribute of the DN</emphasis>.
+ Specifying this property will only have the effect of ignoring any
+ groups that do not use the specified attribute to represent the group
+ name.</para>
+ <para>This property has no effect if <property>cas-group-format</property>
+ is not <constant>ldap</constant>.</para>
</listitem>
</varlistentry>
</variablelist>
