Vault LDAP Authentication Configuration
Source:R/vault_client_auth_ldap.R
vault_client_auth_ldap.Rd
Vault LDAP Authentication Configuration
Vault LDAP Authentication Configuration
Details
Interact with vault's LDAP authentication backend. This backend can be used to configure users based on their presence or group membership in an LDAP server. For more information, please see the vault documentation https://developer.hashicorp.com/vault/docs/auth/ldap
Super class
vaultr::vault_client_object
-> vault_client_auth_ldap
Methods
Inherited methods
Method new()
Create a vault_client_auth_ldap
object. Not typically
called by users.
Usage
vault_client_auth_ldap$new(api_client, mount)
Arguments
api_client
A vault_api_client object
mount
Mount point for the backend
Method custom_mount()
Set up a vault_client_auth_ldap
object at a
custom mount. For example, suppose you mounted the ldap
authentication backend at /ldap-dev
you might use ldap <- vault$auth$ldap2$custom_mount("/ldap-dev")
- this pattern
is repeated for other secret and authentication backends.
Method configure()
Configures the connection parameters for LDAP-based authentication. Note that there are many options here and not all may be well supported. You are probably best to configure your vault-LDAP interaction elsewhere, and this method should be regarded as experimental and for testing purposes only.
See the official docs
(https://developer.hashicorp.com/vault/api-docs/auth/ldap,
"Configure LDAP") for the list of accepted parameters here
via the dots argument; these are passed through directly
(with the exception of url
which is the only required
parameter and for which concatenation of multiple values is
done for you.
Arguments
url
The LDAP server to connect to. Examples:
ldap://ldap.myorg.com
,ldaps://ldap.myorg.com:636
. Multiple URLs can be specified with a character vector, e.g.c("ldap://ldap.myorg.com", , "ldap://ldap2.myorg.com")
; these will be tried in-order....
Additional arguments passed through with the body
Method write()
Create or update a policy
Method list()
List groups or users known to vault via LDAP
Method delete()
Delete a group or user (just the mapping to vault, no data on the LDAP server is modified).
Examples
server <- vaultr::vault_test_server(if_disabled = message)
#> ...waiting for Vault to start
#> ...waiting for Vault to start
if (!is.null(server)) {
root <- server$client()
# The ldap authentication backend is not enabled by default,
# so we need to enable it first
root$auth$enable("ldap")
# Considerable configuration is required to make this work. Here
# we use the public server available at
# https://www.forumsys.com/2022/05/10/online-ldap-test-server/
root$auth$ldap$configure(
url = "ldap://ldap.forumsys.com",
binddn = "cn=read-only-admin,dc=example,dc=com",
bindpass = "password",
userdn = "dc=example,dc=com",
userattr = "uid",
groupdn = "dc=example,dc=com",
groupattr = "ou",
groupfilter = "(uniqueMember={{.UserDN}})")
# You can associate groups of users with policies:
root$auth$ldap$write("scientists", "default")
# Create a new client and login with this user:
newton <- vaultr::vault_client(
addr = server$addr,
login = "ldap",
username = "newton",
password = "password")
# (it is not recommended to login with the password like this as
# it will end up in the command history, but in interactive use
# you will be prompted securely for password)
# Isaac Newton has now logged in and has only "default" policies
newton$auth$token$lookup_self()$policies
# (wheras our original root user has the "root" policy)
root$auth$token$lookup_self()$policies
}
#> ok, duration: 2764800 s (~32d)
#> [1] "root"