From 6ae325698bdb6ca6a763bd5139b3e7c067dcef7e Mon Sep 17 00:00:00 2001
From: Mostyn Bramley-Moore <mostyn@antipode.se>
Date: Sun, 11 Aug 2024 15:59:35 +0200
Subject: [PATCH] [ldap] regenerate command line flag help for README.md

---
 README.md            | 25 ++++++++++---------------
 utils/flags/flags.go |  2 +-
 2 files changed, 11 insertions(+), 16 deletions(-)

diff --git a/README.md b/README.md
index b81f7b13c..2756d4ebd 100644
--- a/README.md
+++ b/README.md
@@ -220,10 +220,9 @@ OPTIONS:
       [$BAZEL_REMOTE_TLS_KEY_FILE]
 
    --allow_unauthenticated_reads If authentication is enabled
-      (--htpasswd_file, --tls_ca_file or --ldap.url), allow unauthenticated
-      clients read access. (default: false, i.e. if authentication is required,
-      read-only requests must also be authenticated)
-      [$BAZEL_REMOTE_UNAUTHENTICATED_READS]
+      (--htpasswd_file or --tls_ca_file), allow unauthenticated clients read
+      access. (default: false, ie if authentication is required, read-only
+      requests must also be authenticated) [$BAZEL_REMOTE_UNAUTHENTICATED_READS]
 
    --idle_timeout value The maximum period of having received no request
       after which the server will shut itself down. (default: 0s, ie disabled)
@@ -294,8 +293,8 @@ OPTIONS:
       [$BAZEL_REMOTE_GCS_JSON_CREDENTIALS_FILE]
 
    --ldap.url value The LDAP URL which may include a port. LDAP over SSL
-      (LDAPs) is supported.
-      [$BAZEL_REMOTE_LDAP_URL]
+      (LDAPs) is also supported. Note that this feature is currently considered
+      experimental. [$BAZEL_REMOTE_LDAP_URL]
 
    --ldap.base_dn value The distinguished name of the search base.
       [$BAZEL_REMOTE_LDAP_BASE_DN]
@@ -303,23 +302,19 @@ OPTIONS:
    --ldap.bind_user value The user who is allowed to perform a search within
       the base DN. If none is specified the connection and the search is
       performed without an authentication. It is recommended to use a read-only
-      account.
-      [$BAZEL_REMOTE_LDAP_BIND_USER]
+      account. [$BAZEL_REMOTE_LDAP_BIND_USER]
 
    --ldap.bind_password value The password of the bind user.
       [$BAZEL_REMOTE_LDAP_BIND_PASSWORD]
 
    --ldap.username_attribute value The user attribute of a connecting user.
-      (default: "uid")
-      [$BAZEL_REMOTE_LDAP_USER_ATTRIBUTE]
+      (default: "uid") [$BAZEL_REMOTE_LDAP_USER_ATTRIBUTE]
 
-   --ldap.groups value Filter clause for searching groups. This option can be
-      given multiple times and the groups are OR connected in the search query.
-      [$BAZEL_REMOTE_LDAP_GROUPS]
+   --ldap.groups_query value Filter clause for searching groups.
+      [$BAZEL_REMOTE_LDAP_GROUPS_QUERY]
 
    --ldap.cache_time value The amount of time to cache a successful
-      authentication in seconds. (default 3600)
-      [$BAZEL_REMOTE_LDAP_CACHE_TIME]
+      authentication in seconds. (default: 3600) [$BAZEL_REMOTE_LDAP_CACHE_TIME]
 
    --s3.endpoint value The S3/minio endpoint to use when using S3 proxy
       backend. [$BAZEL_REMOTE_S3_ENDPOINT]
diff --git a/utils/flags/flags.go b/utils/flags/flags.go
index 3f996a5c1..a385bd549 100644
--- a/utils/flags/flags.go
+++ b/utils/flags/flags.go
@@ -257,7 +257,7 @@ func GetCliFlags() []cli.Flag {
 		&cli.StringFlag{
 			Name:    "ldap.url",
 			Value:   "",
-			Usage:   "The LDAP URL which may include a port. LDAP over SSL (LDAPs) is supported.",
+			Usage:   "The LDAP URL which may include a port. LDAP over SSL (LDAPs) is also supported. Note that this feature is currently considered experimental.",
 			EnvVars: []string{"BAZEL_REMOTE_LDAP_URL"},
 		},
 		&cli.StringFlag{