From aa1658efbaccefc20ed1291e25dad0cfc6e78657 Mon Sep 17 00:00:00 2001 
From: Yoshi Automation Date: Tue, 26 Mar 2024 07:08:34 +0000 Subject: [PATCH] feat(gkehub): update the api #### gkehub:v1 The following keys were added: - resources.projects.resources.locations.resources.scopes.methods.listMemberships (Total Keys: 18) - resources.projects.resources.locations.resources.scopes.methods.listPermitted (Total Keys: 16) - schemas.IdentityServiceAuthMethod.properties.ldapConfig.$ref (Total Keys: 1) - schemas.IdentityServiceGroupConfig (Total Keys: 5) - schemas.IdentityServiceLdapConfig (Total Keys: 6) - schemas.IdentityServiceServerConfig (Total Keys: 6) - schemas.IdentityServiceServiceAccountConfig (Total Keys: 3) - schemas.IdentityServiceSimpleBindCredentials (Total Keys: 7) - schemas.IdentityServiceUserConfig (Total Keys: 6) - schemas.ListBoundMembershipsResponse (Total Keys: 7) - schemas.ListPermittedScopesResponse (Total Keys: 5) #### gkehub:v1alpha The following keys were added: - schemas.IdentityServiceAuthMethod.properties.ldapConfig.$ref (Total Keys: 1) - schemas.IdentityServiceGroupConfig (Total Keys: 5) - schemas.IdentityServiceLdapConfig (Total Keys: 6) - schemas.IdentityServiceServerConfig (Total Keys: 6) - schemas.IdentityServiceServiceAccountConfig (Total Keys: 3) - schemas.IdentityServiceSimpleBindCredentials (Total Keys: 7) - schemas.IdentityServiceUserConfig (Total Keys: 6) #### gkehub:v1beta The following keys were added: - resources.projects.resources.locations.resources.scopes.methods.listMemberships (Total Keys: 18) - resources.projects.resources.locations.resources.scopes.methods.listPermitted (Total Keys: 16) - schemas.IdentityServiceAuthMethod.properties.ldapConfig.$ref (Total Keys: 1) - schemas.IdentityServiceGroupConfig (Total Keys: 5) - schemas.IdentityServiceLdapConfig (Total Keys: 6) - schemas.IdentityServiceServerConfig (Total Keys: 6) - schemas.IdentityServiceServiceAccountConfig (Total Keys: 3) - schemas.IdentityServiceSimpleBindCredentials (Total Keys: 7) - schemas.IdentityServiceUserConfig (Total Keys: 6) 
- schemas.ListBoundMembershipsResponse (Total Keys: 7) - schemas.ListPermittedScopesResponse (Total Keys: 5)
---
...gkehub_v1.projects.locations.features.html | 300 ++++++++++++++++++ .../gkehub_v1.projects.locations.scopes.html | 186 +++++++++++ ...b_v1alpha.projects.locations.features.html | 300 ++++++++++++++++++ ...ub_v1beta.projects.locations.features.html | 300 ++++++++++++++++++ ...ehub_v1beta.projects.locations.scopes.html | 186 +++++++++++ .../discovery_cache/documents/gkehub.v1.json | 243 +++++++++++++- .../documents/gkehub.v1alpha.json | 123 ++++++- .../documents/gkehub.v1beta.json | 243 +++++++++++++- .../documents/gkehub.v1beta1.json | 2 +- .../documents/gkehub.v2alpha.json | 2 +- 10 files changed, 1880 insertions(+), 5 deletions(-)
diff --git a/docs/dyn/gkehub_v1.projects.locations.features.html b/docs/dyn/gkehub_v1.projects.locations.features.html
index f7fae4ab69..e346b016e5 100644
--- a/docs/dyn/gkehub_v1.projects.locations.features.html
+++ b/docs/dyn/gkehub_v1.projects.locations.features.html
@@ -189,6 +189,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -358,6 +383,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -646,6 +696,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -1029,6 +1104,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -1198,6 +1298,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -1486,6 +1611,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -1857,6 +2007,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -2026,6 +2201,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -2314,6 +2514,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -2641,6 +2866,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -2810,6 +3060,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -3098,6 +3373,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. diff --git a/docs/dyn/gkehub_v1.projects.locations.scopes.html b/docs/dyn/gkehub_v1.projects.locations.scopes.html index 41c974fdcd..aced32c941 100644 --- a/docs/dyn/gkehub_v1.projects.locations.scopes.html +++ b/docs/dyn/gkehub_v1.projects.locations.scopes.html @@ -102,6 +102,18 @@

Instance Methods

list(parent, pageSize=None, pageToken=None, x__xgafv=None)

Lists Scopes.

+

+ listMemberships(scopeName, filter=None, pageSize=None, pageToken=None, x__xgafv=None)

+

Lists Memberships bound to a Scope. The response includes relevant Memberships from all regions.

+

+ listMemberships_next()

+

Retrieves the next page of results.

+

+ listPermitted(parent, pageSize=None, pageToken=None, x__xgafv=None)

+

Lists permitted Scopes.

+

+ listPermitted_next()

+

Retrieves the next page of results.

list_next()

Retrieves the next page of results.

@@ -330,6 +342,180 @@

Method Details

} +
+ listMemberships(scopeName, filter=None, pageSize=None, pageToken=None, x__xgafv=None) +
Lists Memberships bound to a Scope. The response includes relevant Memberships from all regions.
+
+Args:
+  scopeName: string, Required. Name of the Scope, in the format `projects/*/locations/global/scopes/*`, to which the Memberships are bound. (required)
+  filter: string, Optional. Lists Memberships that match the filter expression, following the syntax outlined in https://google.aip.dev/160. Currently, filtering can be done only based on Memberships's `name`, `labels`, `create_time`, `update_time`, and `unique_id`.
+  pageSize: integer, Optional. When requesting a 'page' of resources, `page_size` specifies number of resources to return. If unspecified or set to 0, all resources will be returned. Pagination is currently not supported; therefore, setting this field does not have any impact for now.
+  pageToken: string, Optional. Token returned by previous call to `ListBoundMemberships` which specifies the position in the list from where to continue listing the resources.
+  x__xgafv: string, V1 error format.
+    Allowed values
+      1 - v1 error format
+      2 - v2 error format
+
+Returns:
+  An object of the form:
+
+    { # List of Memberships bound to a Scope.
+  "memberships": [ # The list of Memberships bound to the given Scope.
+    { # Membership contains information about a member cluster.
+      "authority": { # Authority encodes how Google will recognize identities from this Membership. See the workload identity documentation for more details: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity # Optional. How to identify workloads from this Membership. See the documentation on Workload Identity for more details: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
+        "identityProvider": "A String", # Output only. An identity provider that reflects the `issuer` in the workload identity pool.
+        "issuer": "A String", # Optional. A JSON Web Token (JWT) issuer URI. `issuer` must start with `https://` and be a valid URL with length <2000 characters, it must use `location` rather than `zone` for GKE clusters. If set, then Google will allow valid OIDC tokens from this issuer to authenticate within the workload_identity_pool. OIDC discovery will be performed on this URI to validate tokens from the issuer. Clearing `issuer` disables Workload Identity. `issuer` cannot be directly modified; it must be cleared (and Workload Identity disabled) before using a new issuer (and re-enabling Workload Identity).
+        "oidcJwks": "A String", # Optional. OIDC verification keys for this Membership in JWKS format (RFC 7517). When this field is set, OIDC discovery will NOT be performed on `issuer`, and instead OIDC tokens will be validated using this field.
+        "workloadIdentityPool": "A String", # Output only. The name of the workload identity pool in which `issuer` will be recognized. There is a single Workload Identity Pool per Hub that is shared between all Memberships that belong to that Hub. For a Hub hosted in {PROJECT_ID}, the workload pool format is `{PROJECT_ID}.hub.id.goog`, although this is subject to change in newer versions of this API.
+      },
+      "createTime": "A String", # Output only. When the Membership was created.
+      "deleteTime": "A String", # Output only. When the Membership was deleted.
+      "description": "A String", # Output only. Description of this membership, limited to 63 characters. Must match the regex: `a-zA-Z0-9*` This field is present for legacy purposes.
+      "endpoint": { # MembershipEndpoint contains information needed to contact a Kubernetes API, endpoint and any additional Kubernetes metadata. # Optional. Endpoint information to reach this member.
+        "applianceCluster": { # ApplianceCluster contains information specific to GDC Edge Appliance Clusters. # Optional. Specific information for a GDC Edge Appliance cluster.
+          "resourceLink": "A String", # Immutable. Self-link of the Google Cloud resource for the Appliance Cluster. For example: //transferappliance.googleapis.com/projects/my-project/locations/us-west1-a/appliances/my-appliance
+        },
+        "edgeCluster": { # EdgeCluster contains information specific to Google Edge Clusters. # Optional. Specific information for a Google Edge cluster.
+          "resourceLink": "A String", # Immutable. Self-link of the Google Cloud resource for the Edge Cluster. For example: //edgecontainer.googleapis.com/projects/my-project/locations/us-west1-a/clusters/my-cluster
+        },
+        "gkeCluster": { # GkeCluster contains information specific to GKE clusters. # Optional. Specific information for a GKE-on-GCP cluster.
+          "clusterMissing": True or False, # Output only. If cluster_missing is set then it denotes that the GKE cluster no longer exists in the GKE Control Plane.
+          "resourceLink": "A String", # Immutable. Self-link of the Google Cloud resource for the GKE cluster. For example: //container.googleapis.com/projects/my-project/locations/us-west1-a/clusters/my-cluster Zonal clusters are also supported.
+        },
+        "googleManaged": True or False, # Output only. Whether the lifecycle of this membership is managed by a google cluster platform service.
+        "kubernetesMetadata": { # KubernetesMetadata provides informational metadata for Memberships representing Kubernetes clusters. # Output only. Useful Kubernetes-specific metadata.
+          "kubernetesApiServerVersion": "A String", # Output only. Kubernetes API server version string as reported by `/version`.
+          "memoryMb": 42, # Output only. The total memory capacity as reported by the sum of all Kubernetes nodes resources, defined in MB.
+          "nodeCount": 42, # Output only. Node count as reported by Kubernetes nodes resources.
+          "nodeProviderId": "A String", # Output only. Node providerID as reported by the first node in the list of nodes on the Kubernetes endpoint. On Kubernetes platforms that support zero-node clusters (like GKE-on-GCP), the node_count will be zero and the node_provider_id will be empty.
+          "updateTime": "A String", # Output only. The time at which these details were last updated. This update_time is different from the Membership-level update_time since EndpointDetails are updated internally for API consumers.
+          "vcpuCount": 42, # Output only. vCPU count as reported by Kubernetes nodes resources.
+        },
+        "kubernetesResource": { # KubernetesResource contains the YAML manifests and configuration for Membership Kubernetes resources in the cluster. After CreateMembership or UpdateMembership, these resources should be re-applied in the cluster. # Optional. The in-cluster Kubernetes Resources that should be applied for a correctly registered cluster, in the steady state. These resources: * Ensure that the cluster is exclusively registered to one and only one Hub Membership. * Propagate Workload Pool Information available in the Membership Authority field. * Ensure proper initial configuration of default Hub Features.
+          "connectResources": [ # Output only. The Kubernetes resources for installing the GKE Connect agent This field is only populated in the Membership returned from a successful long-running operation from CreateMembership or UpdateMembership. It is not populated during normal GetMembership or ListMemberships requests. To get the resource manifest after the initial registration, the caller should make a UpdateMembership call with an empty field mask.
+            { # ResourceManifest represents a single Kubernetes resource to be applied to the cluster.
+              "clusterScoped": True or False, # Whether the resource provided in the manifest is `cluster_scoped`. If unset, the manifest is assumed to be namespace scoped. This field is used for REST mapping when applying the resource in a cluster.
+              "manifest": "A String", # YAML manifest of the resource.
+            },
+          ],
+          "membershipCrManifest": "A String", # Input only. The YAML representation of the Membership CR. This field is ignored for GKE clusters where Hub can read the CR directly. Callers should provide the CR that is currently present in the cluster during CreateMembership or UpdateMembership, or leave this field empty if none exists. The CR manifest is used to validate the cluster has not been registered with another Membership.
+          "membershipResources": [ # Output only. Additional Kubernetes resources that need to be applied to the cluster after Membership creation, and after every update. This field is only populated in the Membership returned from a successful long-running operation from CreateMembership or UpdateMembership. It is not populated during normal GetMembership or ListMemberships requests. To get the resource manifest after the initial registration, the caller should make a UpdateMembership call with an empty field mask.
+            { # ResourceManifest represents a single Kubernetes resource to be applied to the cluster.
+              "clusterScoped": True or False, # Whether the resource provided in the manifest is `cluster_scoped`. If unset, the manifest is assumed to be namespace scoped. This field is used for REST mapping when applying the resource in a cluster.
+              "manifest": "A String", # YAML manifest of the resource.
+            },
+          ],
+          "resourceOptions": { # ResourceOptions represent options for Kubernetes resource generation. # Optional. Options for Kubernetes resource generation.
+            "connectVersion": "A String", # Optional. The Connect agent version to use for connect_resources. Defaults to the latest GKE Connect version. The version must be a currently supported version, obsolete versions will be rejected.
+            "k8sVersion": "A String", # Optional. Major version of the Kubernetes cluster. This is only used to determine which version to use for the CustomResourceDefinition resources, `apiextensions/v1beta1` or`apiextensions/v1`.
+            "v1beta1Crd": True or False, # Optional. Use `apiextensions/v1beta1` instead of `apiextensions/v1` for CustomResourceDefinition resources. This option should be set for clusters with Kubernetes apiserver versions <1.16.
+          },
+        },
+        "multiCloudCluster": { # MultiCloudCluster contains information specific to GKE Multi-Cloud clusters. # Optional. Specific information for a GKE Multi-Cloud cluster.
+          "clusterMissing": True or False, # Output only. If cluster_missing is set then it denotes that API(gkemulticloud.googleapis.com) resource for this GKE Multi-Cloud cluster no longer exists.
+          "resourceLink": "A String", # Immutable. Self-link of the Google Cloud resource for the GKE Multi-Cloud cluster. For example: //gkemulticloud.googleapis.com/projects/my-project/locations/us-west1-a/awsClusters/my-cluster //gkemulticloud.googleapis.com/projects/my-project/locations/us-west1-a/azureClusters/my-cluster //gkemulticloud.googleapis.com/projects/my-project/locations/us-west1-a/attachedClusters/my-cluster
+        },
+        "onPremCluster": { # OnPremCluster contains information specific to GKE On-Prem clusters. # Optional. Specific information for a GKE On-Prem cluster. An onprem user-cluster who has no resourceLink is not allowed to use this field, it should have a nil "type" instead.
+          "adminCluster": True or False, # Immutable. Whether the cluster is an admin cluster.
+          "clusterMissing": True or False, # Output only. If cluster_missing is set then it denotes that API(gkeonprem.googleapis.com) resource for this GKE On-Prem cluster no longer exists.
+          "clusterType": "A String", # Immutable. The on prem cluster's type.
+          "resourceLink": "A String", # Immutable. Self-link of the Google Cloud resource for the GKE On-Prem cluster. For example: //gkeonprem.googleapis.com/projects/my-project/locations/us-west1-a/vmwareClusters/my-cluster //gkeonprem.googleapis.com/projects/my-project/locations/us-west1-a/bareMetalClusters/my-cluster
+        },
+      },
+      "externalId": "A String", # Optional. An externally-generated and managed ID for this Membership. This ID may be modified after creation, but this is not recommended. The ID must match the regex: `a-zA-Z0-9*` If this Membership represents a Kubernetes cluster, this value should be set to the UID of the `kube-system` namespace object.
+      "labels": { # Optional. Labels for this membership.
+        "a_key": "A String",
+      },
+      "lastConnectionTime": "A String", # Output only. For clusters using Connect, the timestamp of the most recent connection established with Google Cloud. This time is updated every several minutes, not continuously. For clusters that do not use GKE Connect, or that have never connected successfully, this field will be unset.
+      "monitoringConfig": { # MonitoringConfig informs Fleet-based applications/services/UIs how the metrics for the underlying cluster is reported to cloud monitoring services. It can be set from empty to non-empty, but can't be mutated directly to prevent accidentally breaking the constinousty of metrics. # Optional. The monitoring config information for this membership.
+        "cluster": "A String", # Optional. Cluster name used to report metrics. For Anthos on VMWare/Baremetal/MultiCloud clusters, it would be in format {cluster_type}/{cluster_name}, e.g., "awsClusters/cluster_1".
+        "clusterHash": "A String", # Optional. For GKE and Multicloud clusters, this is the UUID of the cluster resource. For VMWare and Baremetal clusters, this is the kube-system UID.
+        "kubernetesMetricsPrefix": "A String", # Optional. Kubernetes system metrics, if available, are written to this prefix. This defaults to kubernetes.io for GKE, and kubernetes.io/anthos for Anthos eventually. Noted: Anthos MultiCloud will have kubernetes.io prefix today but will migration to be under kubernetes.io/anthos.
+        "location": "A String", # Optional. Location used to report Metrics
+        "projectId": "A String", # Optional. Project used to report Metrics
+      },
+      "name": "A String", # Output only. The full, unique name of this Membership resource in the format `projects/*/locations/*/memberships/{membership_id}`, set during creation. `membership_id` must be a valid RFC 1123 compliant DNS label: 1. At most 63 characters in length 2. It must consist of lower case alphanumeric characters or `-` 3. It must start and end with an alphanumeric character Which can be expressed as the regex: `[a-z0-9]([-a-z0-9]*[a-z0-9])?`, with a maximum length of 63 characters.
+      "state": { # MembershipState describes the state of a Membership resource. # Output only. State of the Membership resource.
+        "code": "A String", # Output only. The current state of the Membership resource.
+      },
+      "uniqueId": "A String", # Output only. Google-generated UUID for this resource. This is unique across all Membership resources. If a Membership resource is deleted and another resource with the same name is created, it gets a different unique_id.
+      "updateTime": "A String", # Output only. When the Membership was last updated.
+    },
+  ],
+  "nextPageToken": "A String", # A token to request the next page of resources from the `ListBoundMemberships` method. The value of an empty string means that there are no more resources to return.
+  "unreachable": [ # List of locations that could not be reached while fetching this list.
+    "A String",
+  ],
+}
+
+ +
+ listMemberships_next() +
Retrieves the next page of results.
+
+        Args:
+          previous_request: The request for the previous page. (required)
+          previous_response: The response from the request for the previous page. (required)
+
+        Returns:
+          A request object that you can call 'execute()' on to request the next
+          page. Returns None if there are no more items in the collection.
+        
+
+ +
+ listPermitted(parent, pageSize=None, pageToken=None, x__xgafv=None) +
Lists permitted Scopes.
+
+Args:
+  parent: string, Required. The parent (project and location) where the Scope will be listed. Specified in the format `projects/*/locations/*`. (required)
+  pageSize: integer, Optional. When requesting a 'page' of resources, `page_size` specifies number of resources to return. If unspecified or set to 0, all resources will be returned.
+  pageToken: string, Optional. Token returned by previous call to `ListPermittedScopes` which specifies the position in the list from where to continue listing the resources.
+  x__xgafv: string, V1 error format.
+    Allowed values
+      1 - v1 error format
+      2 - v2 error format
+
+Returns:
+  An object of the form:
+
+    { # List of permitted Scopes.
+  "nextPageToken": "A String", # A token to request the next page of resources from the `ListPermittedScopes` method. The value of an empty string means that there are no more resources to return.
+  "scopes": [ # The list of permitted Scopes
+    { # Scope represents a Scope in a Fleet.
+      "createTime": "A String", # Output only. When the scope was created.
+      "deleteTime": "A String", # Output only. When the scope was deleted.
+      "labels": { # Optional. Labels for this Scope.
+        "a_key": "A String",
+      },
+      "name": "A String", # The resource name for the scope `projects/{project}/locations/{location}/scopes/{scope}`
+      "namespaceLabels": { # Optional. Scope-level cluster namespace labels. For the member clusters bound to the Scope, these labels are applied to each namespace under the Scope. Scope-level labels take precedence over Namespace-level labels (`namespace_labels` in the Fleet Namespace resource) if they share a key. Keys and values must be Kubernetes-conformant.
+        "a_key": "A String",
+      },
+      "state": { # ScopeLifecycleState describes the state of a Scope resource. # Output only. State of the scope resource.
+        "code": "A String", # Output only. The current state of the scope resource.
+      },
+      "uid": "A String", # Output only. Google-generated UUID for this resource. This is unique across all scope resources. If a scope resource is deleted and another resource with the same name is created, it gets a different uid.
+      "updateTime": "A String", # Output only. When the scope was last updated.
+    },
+  ],
+}
+
+ +
+ listPermitted_next() +
Retrieves the next page of results.
+
+        Args:
+          previous_request: The request for the previous page. (required)
+          previous_response: The response from the request for the previous page. (required)
+
+        Returns:
+          A request object that you can call 'execute()' on to request the next
+          page. Returns None if there are no more items in the collection.
+        
+
+
list_next()
Retrieves the next page of results.
diff --git a/docs/dyn/gkehub_v1alpha.projects.locations.features.html b/docs/dyn/gkehub_v1alpha.projects.locations.features.html
index 142b67a914..ec252f9476 100644
--- a/docs/dyn/gkehub_v1alpha.projects.locations.features.html
+++ b/docs/dyn/gkehub_v1alpha.projects.locations.features.html
@@ -192,6 +192,31 @@ 

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -374,6 +399,31 @@
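Review bot: In the added `ldapConfig.server` block, `connectionType` is documented as optional with no default stated, while `host` defaults to port 389 and `serviceAccount.simpleBindCredentials` carries a DN and `password`, so a reader cannot tell from this text whether the bind is protected in transit when the field is omitted. The description should name the default and state the consequence, e.g. `# Optional. Connection type for the LDAP server; if neither "starttls" nor "ldaps" is set, the simple-bind DN and password are sent without TLS.` (wording to be confirmed against the service's actual behaviour). Two smaller wording defects sit in the same block: the `loginAttribute` example reads `"(=)"`, which looks like placeholders lost in generation, and the descriptions refer to `identifierAttribute` and `certificate_authority_data` where the fields shown are named `idAttribute` and `certificateAuthorityData`. This file is generated, so the fix belongs in the API description it is built from; the same text repeats in the later hunks of this file (`@@ -374,6 +399,31 @@` onward).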

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -680,6 +730,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -1193,6 +1268,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -1375,6 +1475,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -1681,6 +1806,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -2182,6 +2332,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -2364,6 +2539,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -2670,6 +2870,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -3127,6 +3352,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -3309,6 +3559,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -3615,6 +3890,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. diff --git a/docs/dyn/gkehub_v1beta.projects.locations.features.html b/docs/dyn/gkehub_v1beta.projects.locations.features.html index 0c2f5bd322..b526b34420 100644 --- a/docs/dyn/gkehub_v1beta.projects.locations.features.html +++ b/docs/dyn/gkehub_v1beta.projects.locations.features.html @@ -192,6 +192,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -373,6 +398,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -670,6 +720,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -1068,6 +1143,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -1249,6 +1349,31 @@
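Review bot: The `server` description added in this hunk never states the transport default: `connectionType` is optional, `host` falls back to port 389, and `certificateAuthorityData` is only required for `ldaps`/`startTLS`, so a reader cannot tell whether leaving `connectionType` unset yields an unencrypted connection, over which the `simpleBindCredentials` DN and password would be sent in the clear. I would extend the `connectionType` comment with something like `Defaults to <default from the API>; use "ldaps" or "startTLS" so the service account bind is encrypted.` and spell the value the same way in both comments (`startTLS` vs `starttls`). The `loginAttribute` example `"(=)"` looks like it lost its placeholders, and the `idAttribute` text refers to `identifierAttribute`, a name that does not appear in this schema. The same text repeats in the other hunks of this file, and since the page appears to be generated, the wording would have to be corrected in the upstream API description rather than here.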

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -1546,6 +1671,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -1932,6 +2082,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -2113,6 +2288,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -2410,6 +2610,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -2752,6 +2977,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -2933,6 +3183,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. @@ -3230,6 +3505,31 @@

Method Details

"googleConfig": { # Configuration for the Google Plugin Auth flow. # GoogleConfig specific configuration. "disable": True or False, # Disable automatic configuration of Google Plugin on supported platforms. }, + "ldapConfig": { # Configuration for the LDAP Auth flow. # LDAP specific configuration. + "group": { # Contains the properties for locating and authenticating groups in the directory. # Optional. Contains the properties for locating and authenticating groups in the directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for group entries. + "filter": "A String", # Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". + "idAttribute": "A String", # Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". + }, + "server": { # Server settings for the external LDAP server. # Required. Server settings for the external LDAP server. + "certificateAuthorityData": "A String", # Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. + "connectionType": "A String", # Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. + "host": "A String", # Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". 
+ }, + "serviceAccount": { # Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. # Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. + "simpleBindCredentials": { # The structure holds the LDAP simple binding credential. # Credentials for basic auth. + "dn": "A String", # Required. The distinguished name(DN) of the service account object/user. + "encryptedPassword": "A String", # Output only. The encrypted password of the service account object/user. + "password": "A String", # Required. Input only. The password of the service account object/user. + }, + }, + "user": { # Defines where users exist in the LDAP directory. # Required. Defines where users exist in the LDAP directory. + "baseDn": "A String", # Required. The location of the subtree in the LDAP directory to search for user entries. + "filter": "A String", # Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". + "idAttribute": "A String", # Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". 
+ "loginAttribute": "A String", # Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". + }, + }, "name": "A String", # Identifier for auth config. "oidcConfig": { # Configuration for OIDC Auth flow. # OIDC specific configuration. "certificateAuthorityData": "A String", # PEM-encoded CA for OIDC provider. diff --git a/docs/dyn/gkehub_v1beta.projects.locations.scopes.html b/docs/dyn/gkehub_v1beta.projects.locations.scopes.html index 059493c4d0..2ff169e55f 100644 --- a/docs/dyn/gkehub_v1beta.projects.locations.scopes.html +++ b/docs/dyn/gkehub_v1beta.projects.locations.scopes.html @@ -102,6 +102,18 @@

Instance Methods

list(parent, pageSize=None, pageToken=None, x__xgafv=None)

Lists Scopes.

+

+ listMemberships(scopeName, filter=None, pageSize=None, pageToken=None, x__xgafv=None)

+

Lists Memberships bound to a Scope. The response includes relevant Memberships from all regions.

+

+ listMemberships_next()

+

Retrieves the next page of results.

+

+ listPermitted(parent, pageSize=None, pageToken=None, x__xgafv=None)

+

Lists permitted Scopes.

+

+ listPermitted_next()

+

Retrieves the next page of results.

list_next()

Retrieves the next page of results.

@@ -330,6 +342,180 @@

Method Details

}
+
+ listMemberships(scopeName, filter=None, pageSize=None, pageToken=None, x__xgafv=None) +
Lists Memberships bound to a Scope. The response includes relevant Memberships from all regions.
+
+Args:
+  scopeName: string, Required. Name of the Scope, in the format `projects/*/locations/global/scopes/*`, to which the Memberships are bound. (required)
+  filter: string, Optional. Lists Memberships that match the filter expression, following the syntax outlined in https://google.aip.dev/160. Currently, filtering can be done only based on Memberships's `name`, `labels`, `create_time`, `update_time`, and `unique_id`.
+  pageSize: integer, Optional. When requesting a 'page' of resources, `page_size` specifies number of resources to return. If unspecified or set to 0, all resources will be returned. Pagination is currently not supported; therefore, setting this field does not have any impact for now.
+  pageToken: string, Optional. Token returned by previous call to `ListBoundMemberships` which specifies the position in the list from where to continue listing the resources.
+  x__xgafv: string, V1 error format.
+    Allowed values
+      1 - v1 error format
+      2 - v2 error format
+
+Returns:
+  An object of the form:
+
+    { # List of Memberships bound to a Scope.
+  "memberships": [ # The list of Memberships bound to the given Scope.
+    { # Membership contains information about a member cluster.
+      "authority": { # Authority encodes how Google will recognize identities from this Membership. See the workload identity documentation for more details: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity # Optional. How to identify workloads from this Membership. See the documentation on Workload Identity for more details: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
+        "identityProvider": "A String", # Output only. An identity provider that reflects the `issuer` in the workload identity pool.
+        "issuer": "A String", # Optional. A JSON Web Token (JWT) issuer URI. `issuer` must start with `https://` and be a valid URL with length <2000 characters, it must use `location` rather than `zone` for GKE clusters. If set, then Google will allow valid OIDC tokens from this issuer to authenticate within the workload_identity_pool. OIDC discovery will be performed on this URI to validate tokens from the issuer. Clearing `issuer` disables Workload Identity. `issuer` cannot be directly modified; it must be cleared (and Workload Identity disabled) before using a new issuer (and re-enabling Workload Identity).
+        "oidcJwks": "A String", # Optional. OIDC verification keys for this Membership in JWKS format (RFC 7517). When this field is set, OIDC discovery will NOT be performed on `issuer`, and instead OIDC tokens will be validated using this field.
+        "workloadIdentityPool": "A String", # Output only. The name of the workload identity pool in which `issuer` will be recognized. There is a single Workload Identity Pool per Hub that is shared between all Memberships that belong to that Hub. For a Hub hosted in {PROJECT_ID}, the workload pool format is `{PROJECT_ID}.hub.id.goog`, although this is subject to change in newer versions of this API.
+      },
+      "createTime": "A String", # Output only. When the Membership was created.
+      "deleteTime": "A String", # Output only. When the Membership was deleted.
+      "description": "A String", # Output only. Description of this membership, limited to 63 characters. Must match the regex: `a-zA-Z0-9*` This field is present for legacy purposes.
+      "endpoint": { # MembershipEndpoint contains information needed to contact a Kubernetes API, endpoint and any additional Kubernetes metadata. # Optional. Endpoint information to reach this member.
+        "applianceCluster": { # ApplianceCluster contains information specific to GDC Edge Appliance Clusters. # Optional. Specific information for a GDC Edge Appliance cluster.
+          "resourceLink": "A String", # Immutable. Self-link of the Google Cloud resource for the Appliance Cluster. For example: //transferappliance.googleapis.com/projects/my-project/locations/us-west1-a/appliances/my-appliance
+        },
+        "edgeCluster": { # EdgeCluster contains information specific to Google Edge Clusters. # Optional. Specific information for a Google Edge cluster.
+          "resourceLink": "A String", # Immutable. Self-link of the Google Cloud resource for the Edge Cluster. For example: //edgecontainer.googleapis.com/projects/my-project/locations/us-west1-a/clusters/my-cluster
+        },
+        "gkeCluster": { # GkeCluster contains information specific to GKE clusters. # Optional. Specific information for a GKE-on-GCP cluster.
+          "clusterMissing": True or False, # Output only. If cluster_missing is set then it denotes that the GKE cluster no longer exists in the GKE Control Plane.
+          "resourceLink": "A String", # Immutable. Self-link of the Google Cloud resource for the GKE cluster. For example: //container.googleapis.com/projects/my-project/locations/us-west1-a/clusters/my-cluster Zonal clusters are also supported.
+        },
+        "googleManaged": True or False, # Output only. Whether the lifecycle of this membership is managed by a google cluster platform service.
+        "kubernetesMetadata": { # KubernetesMetadata provides informational metadata for Memberships representing Kubernetes clusters. # Output only. Useful Kubernetes-specific metadata.
+          "kubernetesApiServerVersion": "A String", # Output only. Kubernetes API server version string as reported by `/version`.
+          "memoryMb": 42, # Output only. The total memory capacity as reported by the sum of all Kubernetes nodes resources, defined in MB.
+          "nodeCount": 42, # Output only. Node count as reported by Kubernetes nodes resources.
+          "nodeProviderId": "A String", # Output only. Node providerID as reported by the first node in the list of nodes on the Kubernetes endpoint. On Kubernetes platforms that support zero-node clusters (like GKE-on-GCP), the node_count will be zero and the node_provider_id will be empty.
+          "updateTime": "A String", # Output only. The time at which these details were last updated. This update_time is different from the Membership-level update_time since EndpointDetails are updated internally for API consumers.
+          "vcpuCount": 42, # Output only. vCPU count as reported by Kubernetes nodes resources.
+        },
+        "kubernetesResource": { # KubernetesResource contains the YAML manifests and configuration for Membership Kubernetes resources in the cluster. After CreateMembership or UpdateMembership, these resources should be re-applied in the cluster. # Optional. The in-cluster Kubernetes Resources that should be applied for a correctly registered cluster, in the steady state. These resources: * Ensure that the cluster is exclusively registered to one and only one Hub Membership. * Propagate Workload Pool Information available in the Membership Authority field. * Ensure proper initial configuration of default Hub Features.
+          "connectResources": [ # Output only. The Kubernetes resources for installing the GKE Connect agent This field is only populated in the Membership returned from a successful long-running operation from CreateMembership or UpdateMembership. It is not populated during normal GetMembership or ListMemberships requests. To get the resource manifest after the initial registration, the caller should make a UpdateMembership call with an empty field mask.
+            { # ResourceManifest represents a single Kubernetes resource to be applied to the cluster.
+              "clusterScoped": True or False, # Whether the resource provided in the manifest is `cluster_scoped`. If unset, the manifest is assumed to be namespace scoped. This field is used for REST mapping when applying the resource in a cluster.
+              "manifest": "A String", # YAML manifest of the resource.
+            },
+          ],
+          "membershipCrManifest": "A String", # Input only. The YAML representation of the Membership CR. This field is ignored for GKE clusters where Hub can read the CR directly. Callers should provide the CR that is currently present in the cluster during CreateMembership or UpdateMembership, or leave this field empty if none exists. The CR manifest is used to validate the cluster has not been registered with another Membership.
+          "membershipResources": [ # Output only. Additional Kubernetes resources that need to be applied to the cluster after Membership creation, and after every update. This field is only populated in the Membership returned from a successful long-running operation from CreateMembership or UpdateMembership. It is not populated during normal GetMembership or ListMemberships requests. To get the resource manifest after the initial registration, the caller should make a UpdateMembership call with an empty field mask.
+            { # ResourceManifest represents a single Kubernetes resource to be applied to the cluster.
+              "clusterScoped": True or False, # Whether the resource provided in the manifest is `cluster_scoped`. If unset, the manifest is assumed to be namespace scoped. This field is used for REST mapping when applying the resource in a cluster.
+              "manifest": "A String", # YAML manifest of the resource.
+            },
+          ],
+          "resourceOptions": { # ResourceOptions represent options for Kubernetes resource generation. # Optional. Options for Kubernetes resource generation.
+            "connectVersion": "A String", # Optional. The Connect agent version to use for connect_resources. Defaults to the latest GKE Connect version. The version must be a currently supported version, obsolete versions will be rejected.
+            "k8sVersion": "A String", # Optional. Major version of the Kubernetes cluster. This is only used to determine which version to use for the CustomResourceDefinition resources, `apiextensions/v1beta1` or`apiextensions/v1`.
+            "v1beta1Crd": True or False, # Optional. Use `apiextensions/v1beta1` instead of `apiextensions/v1` for CustomResourceDefinition resources. This option should be set for clusters with Kubernetes apiserver versions <1.16.
+          },
+        },
+        "multiCloudCluster": { # MultiCloudCluster contains information specific to GKE Multi-Cloud clusters. # Optional. Specific information for a GKE Multi-Cloud cluster.
+          "clusterMissing": True or False, # Output only. If cluster_missing is set then it denotes that API(gkemulticloud.googleapis.com) resource for this GKE Multi-Cloud cluster no longer exists.
+          "resourceLink": "A String", # Immutable. Self-link of the Google Cloud resource for the GKE Multi-Cloud cluster. For example: //gkemulticloud.googleapis.com/projects/my-project/locations/us-west1-a/awsClusters/my-cluster //gkemulticloud.googleapis.com/projects/my-project/locations/us-west1-a/azureClusters/my-cluster //gkemulticloud.googleapis.com/projects/my-project/locations/us-west1-a/attachedClusters/my-cluster
+        },
+        "onPremCluster": { # OnPremCluster contains information specific to GKE On-Prem clusters. # Optional. Specific information for a GKE On-Prem cluster. An onprem user-cluster who has no resourceLink is not allowed to use this field, it should have a nil "type" instead.
+          "adminCluster": True or False, # Immutable. Whether the cluster is an admin cluster.
+          "clusterMissing": True or False, # Output only. If cluster_missing is set then it denotes that API(gkeonprem.googleapis.com) resource for this GKE On-Prem cluster no longer exists.
+          "clusterType": "A String", # Immutable. The on prem cluster's type.
+          "resourceLink": "A String", # Immutable. Self-link of the Google Cloud resource for the GKE On-Prem cluster. For example: //gkeonprem.googleapis.com/projects/my-project/locations/us-west1-a/vmwareClusters/my-cluster //gkeonprem.googleapis.com/projects/my-project/locations/us-west1-a/bareMetalClusters/my-cluster
+        },
+      },
+      "externalId": "A String", # Optional. An externally-generated and managed ID for this Membership. This ID may be modified after creation, but this is not recommended. The ID must match the regex: `a-zA-Z0-9*` If this Membership represents a Kubernetes cluster, this value should be set to the UID of the `kube-system` namespace object.
+      "labels": { # Optional. Labels for this membership.
+        "a_key": "A String",
+      },
+      "lastConnectionTime": "A String", # Output only. For clusters using Connect, the timestamp of the most recent connection established with Google Cloud. This time is updated every several minutes, not continuously. For clusters that do not use GKE Connect, or that have never connected successfully, this field will be unset.
+      "monitoringConfig": { # MonitoringConfig informs Fleet-based applications/services/UIs how the metrics for the underlying cluster is reported to cloud monitoring services. It can be set from empty to non-empty, but can't be mutated directly to prevent accidentally breaking the constinousty of metrics. # Optional. The monitoring config information for this membership.
+        "cluster": "A String", # Optional. Cluster name used to report metrics. For Anthos on VMWare/Baremetal/MultiCloud clusters, it would be in format {cluster_type}/{cluster_name}, e.g., "awsClusters/cluster_1".
+        "clusterHash": "A String", # Optional. For GKE and Multicloud clusters, this is the UUID of the cluster resource. For VMWare and Baremetal clusters, this is the kube-system UID.
+        "kubernetesMetricsPrefix": "A String", # Optional. Kubernetes system metrics, if available, are written to this prefix. This defaults to kubernetes.io for GKE, and kubernetes.io/anthos for Anthos eventually. Noted: Anthos MultiCloud will have kubernetes.io prefix today but will migration to be under kubernetes.io/anthos.
+        "location": "A String", # Optional. Location used to report Metrics
+        "projectId": "A String", # Optional. Project used to report Metrics
+      },
+      "name": "A String", # Output only. The full, unique name of this Membership resource in the format `projects/*/locations/*/memberships/{membership_id}`, set during creation. `membership_id` must be a valid RFC 1123 compliant DNS label: 1. At most 63 characters in length 2. It must consist of lower case alphanumeric characters or `-` 3. It must start and end with an alphanumeric character Which can be expressed as the regex: `[a-z0-9]([-a-z0-9]*[a-z0-9])?`, with a maximum length of 63 characters.
+      "state": { # MembershipState describes the state of a Membership resource. # Output only. State of the Membership resource.
+        "code": "A String", # Output only. The current state of the Membership resource.
+      },
+      "uniqueId": "A String", # Output only. Google-generated UUID for this resource. This is unique across all Membership resources. If a Membership resource is deleted and another resource with the same name is created, it gets a different unique_id.
+      "updateTime": "A String", # Output only. When the Membership was last updated.
+    },
+  ],
+  "nextPageToken": "A String", # A token to request the next page of resources from the `ListBoundMemberships` method. The value of an empty string means that there are no more resources to return.
+  "unreachable": [ # List of locations that could not be reached while fetching this list.
+    "A String",
+  ],
+}
+
+ +
+ listMemberships_next() +
Retrieves the next page of results.
+
+        Args:
+          previous_request: The request for the previous page. (required)
+          previous_response: The response from the request for the previous page. (required)
+
+        Returns:
+          A request object that you can call 'execute()' on to request the next
+          page. Returns None if there are no more items in the collection.
+        
+
+ +
+ listPermitted(parent, pageSize=None, pageToken=None, x__xgafv=None) +
Lists permitted Scopes.
+
+Args:
+  parent: string, Required. The parent (project and location) where the Scope will be listed. Specified in the format `projects/*/locations/*`. (required)
+  pageSize: integer, Optional. When requesting a 'page' of resources, `page_size` specifies number of resources to return. If unspecified or set to 0, all resources will be returned.
+  pageToken: string, Optional. Token returned by previous call to `ListPermittedScopes` which specifies the position in the list from where to continue listing the resources.
+  x__xgafv: string, V1 error format.
+    Allowed values
+      1 - v1 error format
+      2 - v2 error format
+
+Returns:
+  An object of the form:
+
+    { # List of permitted Scopes.
+  "nextPageToken": "A String", # A token to request the next page of resources from the `ListPermittedScopes` method. The value of an empty string means that there are no more resources to return.
+  "scopes": [ # The list of permitted Scopes
+    { # Scope represents a Scope in a Fleet.
+      "createTime": "A String", # Output only. When the scope was created.
+      "deleteTime": "A String", # Output only. When the scope was deleted.
+      "labels": { # Optional. Labels for this Scope.
+        "a_key": "A String",
+      },
+      "name": "A String", # The resource name for the scope `projects/{project}/locations/{location}/scopes/{scope}`
+      "namespaceLabels": { # Optional. Scope-level cluster namespace labels. For the member clusters bound to the Scope, these labels are applied to each namespace under the Scope. Scope-level labels take precedence over Namespace-level labels (`namespace_labels` in the Fleet Namespace resource) if they share a key. Keys and values must be Kubernetes-conformant.
+        "a_key": "A String",
+      },
+      "state": { # ScopeLifecycleState describes the state of a Scope resource. # Output only. State of the scope resource.
+        "code": "A String", # Output only. The current state of the scope resource.
+      },
+      "uid": "A String", # Output only. Google-generated UUID for this resource. This is unique across all scope resources. If a scope resource is deleted and another resource with the same name is created, it gets a different uid.
+      "updateTime": "A String", # Output only. When the scope was last updated.
+    },
+  ],
+}
+
+ +
+ listPermitted_next() +
Retrieves the next page of results.
+
+        Args:
+          previous_request: The request for the previous page. (required)
+          previous_response: The response from the request for the previous page. (required)
+
+        Returns:
+          A request object that you can call 'execute()' on to request the next
+          page. Returns None if there are no more items in the collection.
+        
+
+
list_next()
Retrieves the next page of results.
diff --git a/googleapiclient/discovery_cache/documents/gkehub.v1.json b/googleapiclient/discovery_cache/documents/gkehub.v1.json
index ee855fce57..ae4c744355 100644
--- a/googleapiclient/discovery_cache/documents/gkehub.v1.json
+++ b/googleapiclient/discovery_cache/documents/gkehub.v1.json
@@ -1421,6 +1421,83 @@
 "https://www.googleapis.com/auth/cloud-platform"
 ]
 },
+"listMemberships": {
+"description": "Lists Memberships bound to a Scope. The response includes relevant Memberships from all regions.",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/scopes/{scopesId}:listMemberships",
+"httpMethod": "GET",
+"id": "gkehub.projects.locations.scopes.listMemberships",
+"parameterOrder": [
+"scopeName"
+],
+"parameters": {
+"filter": {
+"description": "Optional. Lists Memberships that match the filter expression, following the syntax outlined in https://google.aip.dev/160. Currently, filtering can be done only based on Memberships's `name`, `labels`, `create_time`, `update_time`, and `unique_id`.",
+"location": "query",
+"type": "string"
+},
+"pageSize": {
+"description": "Optional. When requesting a 'page' of resources, `page_size` specifies number of resources to return. If unspecified or set to 0, all resources will be returned. Pagination is currently not supported; therefore, setting this field does not have any impact for now.",
+"format": "int32",
+"location": "query",
+"type": "integer"
+},
+"pageToken": {
+"description": "Optional. Token returned by previous call to `ListBoundMemberships` which specifies the position in the list from where to continue listing the resources.",
+"location": "query",
+"type": "string"
+},
+"scopeName": {
+"description": "Required. Name of the Scope, in the format `projects/*/locations/global/scopes/*`, to which the Memberships are bound.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+/scopes/[^/]+$",
+"required": true,
+"type": "string"
+}
+},
+"path": "v1/{+scopeName}:listMemberships",
+"response": {
+"$ref": "ListBoundMembershipsResponse"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+},
+"listPermitted": {
+"description": "Lists permitted Scopes.",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/scopes:listPermitted",
+"httpMethod": "GET",
+"id": "gkehub.projects.locations.scopes.listPermitted",
+"parameterOrder": [
+"parent"
+],
+"parameters": {
+"pageSize": {
+"description": "Optional. When requesting a 'page' of resources, `page_size` specifies number of resources to return. If unspecified or set to 0, all resources will be returned.",
+"format": "int32",
+"location": "query",
+"type": "integer"
+},
+"pageToken": {
+"description": "Optional. Token returned by previous call to `ListPermittedScopes` which specifies the position in the list from where to continue listing the resources.",
+"location": "query",
+"type": "string"
+},
+"parent": {
+"description": "Required. The parent (project and location) where the Scope will be listed. Specified in the format `projects/*/locations/*`.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+$",
+"required": true,
+"type": "string"
+}
+},
+"path": "v1/{+parent}/scopes:listPermitted",
+"response": {
+"$ref": "ListPermittedScopesResponse"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+},
 "patch": {
 "description": "Updates a scopes.",
 "flatPath": "v1/projects/{projectsId}/locations/{locationsId}/scopes/{scopesId}",
@@ -1834,7 +1911,7 @@
 }
 }
 },
-"revision": "20240307",
+"revision": "20240318",
 "rootUrl": "https://gkehub.googleapis.com/",
 "schemas": {
 "AppDevExperienceFeatureSpec": {
@@ -3722,6 +3799,10 @@
 "$ref": "IdentityServiceGoogleConfig",
 "description": "GoogleConfig specific configuration."
 },
+"ldapConfig": {
+"$ref": "IdentityServiceLdapConfig",
+"description": "LDAP specific configuration."
+},
 "name": {
 "description": "Identifier for auth config.",
 "type": "string"
@@ -3789,6 +3870,48 @@
 },
 "type": "object"
 },
+"IdentityServiceGroupConfig": {
+"description": "Contains the properties for locating and authenticating groups in the directory.",
+"id": "IdentityServiceGroupConfig",
+"properties": {
+"baseDn": {
+"description": "Required. The location of the subtree in the LDAP directory to search for group entries.",
+"type": "string"
+},
+"filter": {
+"description": "Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to \"(objectClass=Group)\".",
+"type": "string"
+},
+"idAttribute": {
+"description": "Optional. The identifying name of each group a user belongs to. For example, if this is set to \"distinguishedName\" then RBACs and other group expectations should be written as full DNs. This defaults to \"distinguishedName\".",
+"type": "string"
+}
+},
+"type": "object"
+},
+"IdentityServiceLdapConfig": {
+"description": "Configuration for the LDAP Auth flow.",
+"id": "IdentityServiceLdapConfig",
+"properties": {
+"group": {
+"$ref": "IdentityServiceGroupConfig",
+"description": "Optional. Contains the properties for locating and authenticating groups in the directory."
+},
+"server": {
+"$ref": "IdentityServiceServerConfig",
+"description": "Required. Server settings for the external LDAP server."
+},
+"serviceAccount": {
+"$ref": "IdentityServiceServiceAccountConfig",
+"description": "Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate."
+},
+"user": {
+"$ref": "IdentityServiceUserConfig",
+"description": "Required. Defines where users exist in the LDAP directory."
+}
+},
+"type": "object"
+},
 "IdentityServiceMembershipSpec": {
 "description": "**Anthos Identity Service**: Configuration for a single Membership.",
 "id": "IdentityServiceMembershipSpec",
@@ -3946,6 +4069,81 @@
 },
 "type": "object"
 },
+"IdentityServiceServerConfig": {
+"description": "Server settings for the external LDAP server.",
+"id": "IdentityServiceServerConfig",
+"properties": {
+"certificateAuthorityData": {
+"description": "Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the \"ldaps\" and \"startTLS\" connections.",
+"format": "byte",
+"type": "string"
+},
+"connectionType": {
+"description": "Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty.",
+"type": "string"
+},
+"host": {
+"description": "Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, \"ldap.server.example\" or \"10.10.10.10:389\".",
+"type": "string"
+}
+},
+"type": "object"
+},
+"IdentityServiceServiceAccountConfig": {
+"description": "Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate.",
+"id": "IdentityServiceServiceAccountConfig",
+"properties": {
+"simpleBindCredentials": {
+"$ref": "IdentityServiceSimpleBindCredentials",
+"description": "Credentials for basic auth."
+}
+},
+"type": "object"
+},
+"IdentityServiceSimpleBindCredentials": {
+"description": "The structure holds the LDAP simple binding credential.",
+"id": "IdentityServiceSimpleBindCredentials",
+"properties": {
+"dn": {
+"description": "Required. The distinguished name(DN) of the service account object/user.",
+"type": "string"
+},
+"encryptedPassword": {
+"description": "Output only. The encrypted password of the service account object/user.",
+"format": "byte",
+"readOnly": true,
+"type": "string"
+},
+"password": {
+"description": "Required. Input only. The password of the service account object/user.",
+"type": "string"
+}
+},
+"type": "object"
+},
+"IdentityServiceUserConfig": {
+"description": "Defines where users exist in the LDAP directory.",
+"id": "IdentityServiceUserConfig",
+"properties": {
+"baseDn": {
+"description": "Required. The location of the subtree in the LDAP directory to search for user entries.",
+"type": "string"
+},
+"filter": {
+"description": "Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to \"(objectClass=User)\".",
+"type": "string"
+},
+"idAttribute": {
+"description": "Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to \"sAMAccountName\" and identifierAttribute to \"userPrincipalName\" would allow a user to login as \"bsmith\", but actual RBAC policies for the user would be written as \"bsmith@example.com\". Using \"userPrincipalName\" is recommended since this will be unique for each user. This defaults to \"userPrincipalName\".",
+"type": "string"
+},
+"loginAttribute": {
+"description": "Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. \"(=)\" and is combined with the optional filter field. This defaults to \"userPrincipalName\".",
+"type": "string"
+}
+},
+"type": "object"
+},
 "KubernetesMetadata": {
 "description": "KubernetesMetadata provides informational metadata for Memberships representing Kubernetes clusters.",
 "id": "KubernetesMetadata",
@@ -4018,6 +4216,31 @@
 },
 "type": "object"
 },
+"ListBoundMembershipsResponse": {
+"description": "List of Memberships bound to a Scope.",
+"id": "ListBoundMembershipsResponse",
+"properties": {
+"memberships": {
+"description": "The list of Memberships bound to the given Scope.",
+"items": {
+"$ref": "Membership"
+},
+"type": "array"
+},
+"nextPageToken": {
+"description": "A token to request the next page of resources from the `ListBoundMemberships` method. The value of an empty string means that there are no more resources to return.",
+"type": "string"
+},
+"unreachable": {
+"description": "List of locations that could not be reached while fetching this list.",
+"items": {
+"type": "string"
+},
+"type": "array"
+}
+},
+"type": "object"
+},
 "ListFeaturesResponse": {
 "description": "Response message for the `GkeHub.ListFeatures` method.",
 "id": "ListFeaturesResponse",
@@ -4133,6 +4356,24 @@
 },
 "type": "object"
 },
+"ListPermittedScopesResponse": {
+"description": "List of permitted Scopes.",
+"id": "ListPermittedScopesResponse",
+"properties": {
+"nextPageToken": {
+"description": "A token to request the next page of resources from the `ListPermittedScopes` method. The value of an empty string means that there are no more resources to return.",
+"type": "string"
+},
+"scopes": {
+"description": "The list of permitted Scopes",
+"items": {
+"$ref": "Scope"
+},
+"type": "array"
+}
+},
+"type": "object"
+},
 "ListScopeNamespacesResponse": {
 "description": "List of fleet namespaces.",
 "id": "ListScopeNamespacesResponse",
diff --git a/googleapiclient/discovery_cache/documents/gkehub.v1alpha.json b/googleapiclient/discovery_cache/documents/gkehub.v1alpha.json
index 8e89731451..f25fb1c49a 100644
--- a/googleapiclient/discovery_cache/documents/gkehub.v1alpha.json
+++ b/googleapiclient/discovery_cache/documents/gkehub.v1alpha.json
@@ -2175,7 +2175,7 @@
 }
 }
 },
-"revision": "20240307",
+"revision": "20240318",
 "rootUrl": "https://gkehub.googleapis.com/",
 "schemas": {
 "AnthosObservabilityFeatureSpec": {
@@ -4313,6 +4313,10 @@
 "$ref": "IdentityServiceGoogleConfig",
 "description": "GoogleConfig specific configuration."
 },
+"ldapConfig": {
+"$ref": "IdentityServiceLdapConfig",
+"description": "LDAP specific configuration."
+},
 "name": {
 "description": "Identifier for auth config.",
 "type": "string"
@@ -4380,6 +4384,48 @@
 },
 "type": "object"
 },
+"IdentityServiceGroupConfig": {
+"description": "Contains the properties for locating and authenticating groups in the directory.",
+"id": "IdentityServiceGroupConfig",
+"properties": {
+"baseDn": {
+"description": "Required. The location of the subtree in the LDAP directory to search for group entries.",
+"type": "string"
+},
+"filter": {
+"description": "Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to \"(objectClass=Group)\".",
+"type": "string"
+},
+"idAttribute": {
+"description": "Optional. The identifying name of each group a user belongs to. For example, if this is set to \"distinguishedName\" then RBACs and other group expectations should be written as full DNs. This defaults to \"distinguishedName\".",
+"type": "string"
+}
+},
+"type": "object"
+},
+"IdentityServiceLdapConfig": {
+"description": "Configuration for the LDAP Auth flow.",
+"id": "IdentityServiceLdapConfig",
+"properties": {
+"group": {
+"$ref": "IdentityServiceGroupConfig",
+"description": "Optional. Contains the properties for locating and authenticating groups in the directory."
+},
+"server": {
+"$ref": "IdentityServiceServerConfig",
+"description": "Required. Server settings for the external LDAP server."
+},
+"serviceAccount": {
+"$ref": "IdentityServiceServiceAccountConfig",
+"description": "Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate."
+},
+"user": {
+"$ref": "IdentityServiceUserConfig",
+"description": "Required. Defines where users exist in the LDAP directory."
+}
+},
+"type": "object"
+},
 "IdentityServiceMembershipSpec": {
 "description": "**Anthos Identity Service**: Configuration for a single Membership.",
 "id": "IdentityServiceMembershipSpec",
@@ -4537,6 +4583,81 @@
 },
 "type": "object"
 },
+"IdentityServiceServerConfig": {
+"description": "Server settings for the external LDAP server.",
+"id": "IdentityServiceServerConfig",
+"properties": {
+"certificateAuthorityData": {
+"description": "Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the \"ldaps\" and \"startTLS\" connections.",
+"format": "byte",
+"type": "string"
+},
+"connectionType": {
+"description": "Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty.",
+"type": "string"
+},
+"host": {
+"description": "Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, \"ldap.server.example\" or \"10.10.10.10:389\".",
+"type": "string"
+}
+},
+"type": "object"
+},
+"IdentityServiceServiceAccountConfig": {
+"description": "Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate.",
+"id": "IdentityServiceServiceAccountConfig",
+"properties": {
+"simpleBindCredentials": {
+"$ref": "IdentityServiceSimpleBindCredentials",
+"description": "Credentials for basic auth."
+}
+},
+"type": "object"
+},
+"IdentityServiceSimpleBindCredentials": {
+"description": "The structure holds the LDAP simple binding credential.",
+"id": "IdentityServiceSimpleBindCredentials",
+"properties": {
+"dn": {
+"description": "Required. The distinguished name(DN) of the service account object/user.",
+"type": "string"
+},
+"encryptedPassword": {
+"description": "Output only. The encrypted password of the service account object/user.",
+"format": "byte",
+"readOnly": true,
+"type": "string"
+},
+"password": {
+"description": "Required. Input only. The password of the service account object/user.",
+"type": "string"
+}
+},
+"type": "object"
+},
+"IdentityServiceUserConfig": {
+"description": "Defines where users exist in the LDAP directory.",
+"id": "IdentityServiceUserConfig",
+"properties": {
+"baseDn": {
+"description": "Required. The location of the subtree in the LDAP directory to search for user entries.",
+"type": "string"
+},
+"filter": {
+"description": "Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to \"(objectClass=User)\".",
+"type": "string"
+},
+"idAttribute": {
+"description": "Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to \"sAMAccountName\" and identifierAttribute to \"userPrincipalName\" would allow a user to login as \"bsmith\", but actual RBAC policies for the user would be written as \"bsmith@example.com\". Using \"userPrincipalName\" is recommended since this will be unique for each user. This defaults to \"userPrincipalName\".",
+"type": "string"
+},
+"loginAttribute": {
+"description": "Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. \"(=)\" and is combined with the optional filter field. This defaults to \"userPrincipalName\".",
+"type": "string"
+}
+},
+"type": "object"
+},
 "KubernetesMetadata": {
 "description": "KubernetesMetadata provides informational metadata for Memberships representing Kubernetes clusters.",
 "id": "KubernetesMetadata",
diff --git a/googleapiclient/discovery_cache/documents/gkehub.v1beta.json b/googleapiclient/discovery_cache/documents/gkehub.v1beta.json
index 9b519d1d20..e45d61b7be 100644
--- a/googleapiclient/discovery_cache/documents/gkehub.v1beta.json
+++ b/googleapiclient/discovery_cache/documents/gkehub.v1beta.json
@@ -1611,6 +1611,83 @@
 "https://www.googleapis.com/auth/cloud-platform"
 ]
 },
+"listMemberships": {
+"description": "Lists Memberships bound to a Scope. The response includes relevant Memberships from all regions.",
+"flatPath": "v1beta/projects/{projectsId}/locations/{locationsId}/scopes/{scopesId}:listMemberships",
+"httpMethod": "GET",
+"id": "gkehub.projects.locations.scopes.listMemberships",
+"parameterOrder": [
+"scopeName"
+],
+"parameters": {
+"filter": {
+"description": "Optional. Lists Memberships that match the filter expression, following the syntax outlined in https://google.aip.dev/160. Currently, filtering can be done only based on Memberships's `name`, `labels`, `create_time`, `update_time`, and `unique_id`.",
+"location": "query",
+"type": "string"
+},
+"pageSize": {
+"description": "Optional. When requesting a 'page' of resources, `page_size` specifies number of resources to return. If unspecified or set to 0, all resources will be returned. Pagination is currently not supported; therefore, setting this field does not have any impact for now.",
+"format": "int32",
+"location": "query",
+"type": "integer"
+},
+"pageToken": {
+"description": "Optional. Token returned by previous call to `ListBoundMemberships` which specifies the position in the list from where to continue listing the resources.",
+"location": "query",
+"type": "string"
+},
+"scopeName": {
+"description": "Required. Name of the Scope, in the format `projects/*/locations/global/scopes/*`, to which the Memberships are bound.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+/scopes/[^/]+$",
+"required": true,
+"type": "string"
+}
+},
+"path": "v1beta/{+scopeName}:listMemberships",
+"response": {
+"$ref": "ListBoundMembershipsResponse"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+},
+"listPermitted": {
+"description": "Lists permitted Scopes.",
+"flatPath": "v1beta/projects/{projectsId}/locations/{locationsId}/scopes:listPermitted",
+"httpMethod": "GET",
+"id": "gkehub.projects.locations.scopes.listPermitted",
+"parameterOrder": [
+"parent"
+],
+"parameters": {
+"pageSize": {
+"description": "Optional. When requesting a 'page' of resources, `page_size` specifies number of resources to return. If unspecified or set to 0, all resources will be returned.",
+"format": "int32",
+"location": "query",
+"type": "integer"
+},
+"pageToken": {
+"description": "Optional. Token returned by previous call to `ListPermittedScopes` which specifies the position in the list from where to continue listing the resources.",
+"location": "query",
+"type": "string"
+},
+"parent": {
+"description": "Required. The parent (project and location) where the Scope will be listed. Specified in the format `projects/*/locations/*`.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+$",
+"required": true,
+"type": "string"
+}
+},
+"path": "v1beta/{+parent}/scopes:listPermitted",
+"response": {
+"$ref": "ListPermittedScopesResponse"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+},
 "patch": {
 "description": "Updates a scopes.",
 "flatPath": "v1beta/projects/{projectsId}/locations/{locationsId}/scopes/{scopesId}",
@@ -2024,7 +2101,7 @@
 }
 }
 },
-"revision": "20240307",
+"revision": "20240318",
 "rootUrl": "https://gkehub.googleapis.com/",
 "schemas": {
 "AnthosObservabilityFeatureSpec": {
@@ -4017,6 +4094,10 @@
 "$ref": "IdentityServiceGoogleConfig",
 "description": "GoogleConfig specific configuration."
 },
+"ldapConfig": {
+"$ref": "IdentityServiceLdapConfig",
+"description": "LDAP specific configuration."
+},
 "name": {
 "description": "Identifier for auth config.",
 "type": "string"
@@ -4084,6 +4165,48 @@
 },
 "type": "object"
 },
+"IdentityServiceGroupConfig": {
+"description": "Contains the properties for locating and authenticating groups in the directory.",
+"id": "IdentityServiceGroupConfig",
+"properties": {
+"baseDn": {
+"description": "Required. The location of the subtree in the LDAP directory to search for group entries.",
+"type": "string"
+},
+"filter": {
+"description": "Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to \"(objectClass=Group)\".",
+"type": "string"
+},
+"idAttribute": {
+"description": "Optional. The identifying name of each group a user belongs to. For example, if this is set to \"distinguishedName\" then RBACs and other group expectations should be written as full DNs. This defaults to \"distinguishedName\".",
+"type": "string"
+}
+},
+"type": "object"
+},
+"IdentityServiceLdapConfig": {
+"description": "Configuration for the LDAP Auth flow.",
+"id": "IdentityServiceLdapConfig",
+"properties": {
+"group": {
+"$ref": "IdentityServiceGroupConfig",
+"description": "Optional. Contains the properties for locating and authenticating groups in the directory."
+},
+"server": {
+"$ref": "IdentityServiceServerConfig",
+"description": "Required. Server settings for the external LDAP server."
+},
+"serviceAccount": {
+"$ref": "IdentityServiceServiceAccountConfig",
+"description": "Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate."
+},
+"user": {
+"$ref": "IdentityServiceUserConfig",
+"description": "Required. Defines where users exist in the LDAP directory."
+}
+},
+"type": "object"
+},
 "IdentityServiceMembershipSpec": {
 "description": "**Anthos Identity Service**: Configuration for a single Membership.",
 "id": "IdentityServiceMembershipSpec",
@@ -4241,6 +4364,81 @@
 },
 "type": "object"
 },
+"IdentityServiceServerConfig": {
+"description": "Server settings for the external LDAP server.",
+"id": "IdentityServiceServerConfig",
+"properties": {
+"certificateAuthorityData": {
+"description": "Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the \"ldaps\" and \"startTLS\" connections.",
+"format": "byte",
+"type": "string"
+},
+"connectionType": {
+"description": "Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty.",
+"type": "string"
+},
+"host": {
+"description": "Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, \"ldap.server.example\" or \"10.10.10.10:389\".",
+"type": "string"
+}
+},
+"type": "object"
+},
+"IdentityServiceServiceAccountConfig": {
+"description": "Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate.",
+"id": "IdentityServiceServiceAccountConfig",
+"properties": {
+"simpleBindCredentials": {
+"$ref": "IdentityServiceSimpleBindCredentials",
+"description": "Credentials for basic auth."
+}
+},
+"type": "object"
+},
+"IdentityServiceSimpleBindCredentials": {
+"description": "The structure holds the LDAP simple binding credential.",
+"id": "IdentityServiceSimpleBindCredentials",
+"properties": {
+"dn": {
+"description": "Required. The distinguished name(DN) of the service account object/user.",
+"type": "string"
+},
+"encryptedPassword": {
+"description": "Output only. The encrypted password of the service account object/user.",
+"format": "byte",
+"readOnly": true,
+"type": "string"
+},
+"password": {
+"description": "Required. Input only. The password of the service account object/user.",
+"type": "string"
+}
+},
+"type": "object"
+},
+"IdentityServiceUserConfig": {
+"description": "Defines where users exist in the LDAP directory.",
+"id": "IdentityServiceUserConfig",
+"properties": {
+"baseDn": {
+"description": "Required. The location of the subtree in the LDAP directory to search for user entries.",
+"type": "string"
+},
+"filter": {
+"description": "Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to \"(objectClass=User)\".",
+"type": "string"
+},
+"idAttribute": {
+"description": "Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to \"sAMAccountName\" and identifierAttribute to \"userPrincipalName\" would allow a user to login as \"bsmith\", but actual RBAC policies for the user would be written as \"bsmith@example.com\". Using \"userPrincipalName\" is recommended since this will be unique for each user. This defaults to \"userPrincipalName\".",
+"type": "string"
+},
+"loginAttribute": {
+"description": "Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. \"(=)\" and is combined with the optional filter field. This defaults to \"userPrincipalName\".",
+"type": "string"
+}
+},
+"type": "object"
+},
 "KubernetesMetadata": {
 "description": "KubernetesMetadata provides informational metadata for Memberships representing Kubernetes clusters.",
 "id": "KubernetesMetadata",
@@ -4313,6 +4511,31 @@
 },
 "type": "object"
 },
+"ListBoundMembershipsResponse": {
+"description": "List of Memberships bound to a Scope.",
+"id": "ListBoundMembershipsResponse",
+"properties": {
+"memberships": {
+"description": "The list of Memberships bound to the given Scope.",
+"items": {
+"$ref": "Membership"
+},
+"type": "array"
+},
+"nextPageToken": {
+"description": "A token to request the next page of resources from the `ListBoundMemberships` method. The value of an empty string means that there are no more resources to return.",
+"type": "string"
+},
+"unreachable": {
+"description": "List of locations that could not be reached while fetching this list.",
+"items": {
+"type": "string"
+},
+"type": "array"
+}
+},
+"type": "object"
+},
 "ListFeaturesResponse": {
 "description": "Response message for the `GkeHub.ListFeatures` method.",
 "id": "ListFeaturesResponse",
@@ -4446,6 +4669,24 @@
 },
 "type": "object"
 },
+"ListPermittedScopesResponse": {
+"description": "List of permitted Scopes.",
+"id": "ListPermittedScopesResponse",
+"properties": {
+"nextPageToken": {
+"description": "A token to request the next page of resources from the `ListPermittedScopes` method. The value of an empty string means that there are no more resources to return.",
+"type": "string"
+},
+"scopes": {
+"description": "The list of permitted Scopes",
+"items": {
+"$ref": "Scope"
+},
+"type": "array"
+}
+},
+"type": "object"
+},
 "ListScopeNamespacesResponse": {
 "description": "List of fleet namespaces.",
 "id": "ListScopeNamespacesResponse",
diff --git a/googleapiclient/discovery_cache/documents/gkehub.v1beta1.json b/googleapiclient/discovery_cache/documents/gkehub.v1beta1.json
index bcfc4b987d..2fd4e51b25 100644
--- a/googleapiclient/discovery_cache/documents/gkehub.v1beta1.json
+++ b/googleapiclient/discovery_cache/documents/gkehub.v1beta1.json
@@ -712,7 +712,7 @@
 }
 }
 },
-"revision": "20240307",
+"revision": "20240318",
 "rootUrl": "https://gkehub.googleapis.com/",
 "schemas": {
 "ApplianceCluster": {
diff --git a/googleapiclient/discovery_cache/documents/gkehub.v2alpha.json b/googleapiclient/discovery_cache/documents/gkehub.v2alpha.json
index e2c687750c..87ea1d6490 100644
--- a/googleapiclient/discovery_cache/documents/gkehub.v2alpha.json
+++ b/googleapiclient/discovery_cache/documents/gkehub.v2alpha.json
@@ -280,7 +280,7 @@
 }
 }
 },
-"revision": "20240307",
+"revision": "20240318",
 "rootUrl": "https://gkehub.googleapis.com/",
 "schemas": {
 "CancelOperationRequest": {