
Vault LDAP Authentication Configuration


Details

Interact with vault's LDAP authentication backend. This backend can be used to configure users based on their presence or group membership in an LDAP server. For more information, please see the vault documentation https://developer.hashicorp.com/vault/docs/auth/ldap

Super class

vaultr::vault_client_object -> vault_client_auth_ldap

Methods



Method new()

Create a vault_client_auth_ldap object. Not typically called by users.

Usage

vault_client_auth_ldap$new(api_client, mount)

Arguments

api_client

A vault_api_client object

mount

Mount point for the backend


Method custom_mount()

Set up a vault_client_auth_ldap object at a custom mount. For example, suppose you mounted the ldap authentication backend at /ldap-dev; you might then use ldap <- vault$auth$ldap$custom_mount("/ldap-dev"). This pattern is repeated for the other secret and authentication backends.

Usage

vault_client_auth_ldap$custom_mount(mount)

Arguments

mount

String, indicating the path that the engine is mounted at.


Method configure()

Configures the connection parameters for LDAP-based authentication. Note that there are many options here and not all may be well supported. You are probably best off configuring your vault-LDAP interaction elsewhere (for example in the tooling that provisions the rest of your vault), and this method should be regarded as experimental and for testing purposes only. Bear in mind that bindpass, if given, is sent to vault and stored as part of the backend configuration.

See the official docs (https://developer.hashicorp.com/vault/api-docs/auth/ldap, "Configure LDAP") for the list of accepted parameters, which are passed through the dots argument directly. The exception is url, which is the only required parameter and for which concatenation of multiple values into the comma-separated form that vault expects is done for you.

Usage

vault_client_auth_ldap$configure(url, ...)

Arguments

url

The LDAP server to connect to. Examples: ldap://ldap.myorg.com, ldaps://ldap.myorg.com:636. Multiple URLs can be specified with a character vector, e.g. c("ldap://ldap.myorg.com", "ldap://ldap2.myorg.com"); these will be tried in order. Note that a plain ldap:// URL sends the bind credentials and users' passwords unencrypted unless starttls is also enabled.

...

Additional arguments passed through with the body
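As an added example (not vaultr's own code or documentation): a small audit function over the list that $configuration() returns, run first on a constructed weak configuration and then, if a test server is available, on a hardened configuration written with $configure(). The key names checked are those of vault's "Configure LDAP" API; the hostnames, DNs, policy durations and the VAULT_LDAP_BINDPASS environment variable are placeholders assumed for illustration.

```r
library(vaultr)

# Added example; not part of vaultr. Hostnames, DNs and the
# VAULT_LDAP_BINDPASS variable are placeholders.

# Inspect the configuration vault reports back and return one line per
# weakness found. Key names are those of vault's "Configure LDAP" API.
audit_ldap_config <- function(cfg) {
  findings <- character(0)
  urls <- trimws(strsplit(cfg$url, ",", fixed = TRUE)[[1]])
  if (any(startsWith(urls, "ldap://")) && !isTRUE(cfg$starttls)) {
    findings <- c(findings, paste(
      "plain ldap:// URL without starttls:",
      "bind credentials and user passwords cross the network unencrypted"))
  }
  if (isTRUE(cfg$insecure_tls)) {
    findings <- c(findings,
      "insecure_tls is TRUE: the directory server's certificate is not verified")
  }
  if (isFALSE(cfg$deny_null_bind)) {
    findings <- c(findings,
      "deny_null_bind is FALSE: an empty password may pass as an anonymous bind")
  }
  findings
}

# A constructed example of what a weak configuration looks like when read
# back from vault; three findings are expected.
weak <- list(url = "ldap://ldap.example.org", starttls = FALSE,
             insecure_tls = TRUE, deny_null_bind = FALSE)
audit_ldap_config(weak)

server <- vaultr::vault_test_server(if_disabled = message)
if (!is.null(server)) {
  root <- server$client()
  root$auth$enable("ldap")

  # TLS to the directory, certificate verification on, no anonymous binds,
  # and the bind password taken from the environment rather than source.
  # Multiple URLs are passed as a vector and joined by configure().
  root$auth$ldap$configure(
    url = c("ldaps://ldap1.example.org:636", "ldaps://ldap2.example.org:636"),
    insecure_tls = FALSE,
    tls_min_version = "tls12",
    binddn = "cn=vault-bind,ou=service,dc=example,dc=org",
    bindpass = Sys.getenv("VAULT_LDAP_BINDPASS"),
    userdn = "ou=people,dc=example,dc=org",
    userattr = "uid",
    groupdn = "ou=groups,dc=example,dc=org",
    groupattr = "cn",
    groupfilter = "(&(objectClass=groupOfNames)(member={{.UserDN}}))",
    deny_null_bind = TRUE,
    token_ttl = "1h",
    token_max_ttl = "8h")

  # Writing the config does not contact the directory, so this succeeds
  # without the placeholder hosts existing; read it back and check what
  # vault actually stored rather than what we believe we sent.
  cfg <- root$auth$ldap$configuration()
  stopifnot(length(audit_ldap_config(cfg)) == 0)
  cfg$url
}
```

The audit deliberately runs on the read-back configuration: vault applies its own defaults for anything omitted, so the stored values, not the arguments, are what govern logins.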


Method configuration()

Reads the connection parameters for LDAP-based authentication.

Usage

vault_client_auth_ldap$configuration()


Method write()

Write a mapping between an LDAP group or user and a set of vault policies, creating it or replacing the existing one.

Usage

vault_client_auth_ldap$write(name, policies, user = FALSE)

Arguments

name

The name of the group (or user)

policies

A character vector of vault policies that this group (or user) will have for vault access.

user

Scalar logical - if TRUE, then name is interpreted as a user instead of a group.


Method read()

Read the mapping between an LDAP group or user and its set of vault policies.

Usage

vault_client_auth_ldap$read(name, user = FALSE)

Arguments

name

The name of the group (or user)

user

Scalar logical - if TRUE, then name is interpreted as a user instead of a group.


Method list()

List groups or users known to vault via LDAP

Usage

vault_client_auth_ldap$list(user = FALSE)

Arguments

user

Scalar logical - if TRUE, then list users instead of groups.


Method delete()

Delete a group or user mapping (just the mapping to vault policies; no data on the LDAP server is modified). Tokens already issued through the mapping keep their policies until they expire or are revoked.

Usage

vault_client_auth_ldap$delete(name, user = FALSE)

Arguments

name

The name of the group (or user)

user

Scalar logical - if TRUE, then name is interpreted as a user instead of a group.
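Added example, not from the vaultr documentation, that exercises $write(), $read(), $list() and $delete() together against a test server: a group mapping carrying several policies, separate user-level mappings, and deletion of one user mapping while checking that the other remains. The policy names and rules are invented for the example; the user names are arbitrary login names and need not exist in any directory for the mappings to be written.

```r
library(vaultr)

# Added example; not part of vaultr. Policy names and rules are invented.
server <- vaultr::vault_test_server(if_disabled = message)
if (!is.null(server)) {
  root <- server$client()
  root$auth$enable("ldap")

  # Mappings may name policies that do not exist yet, but such a policy
  # grants nothing, so create them before wiring them to LDAP principals.
  root$policy$write("ldap-readonly",
    'path "secret/data/shared/*" { capabilities = ["read", "list"] }')
  root$policy$write("ldap-ci",
    'path "secret/data/ci/*" { capabilities = ["read"] }')

  # Group mapping: every member of the directory group "scientists"
  # receives these policies, in addition to any user-level mapping.
  root$auth$ldap$write("scientists", c("default", "ldap-readonly"))

  # User mappings are keyed by login name, not by DN. Two are written so
  # that deleting one below still leaves something to list.
  root$auth$ldap$write("newton", "ldap-ci", user = TRUE)
  root$auth$ldap$write("einstein", "default", user = TRUE)

  stopifnot("scientists" %in% root$auth$ldap$list(),
            all(c("newton", "einstein") %in% root$auth$ldap$list(user = TRUE)))

  # read() returns what vault stored for a mapping; str() prints its shape
  str(root$auth$ldap$read("scientists"))
  str(root$auth$ldap$read("newton", user = TRUE))

  # Removing a mapping only touches vault; the directory entry is untouched,
  # and any token newton already holds keeps its policies until it expires
  # or is revoked.
  root$auth$ldap$delete("newton", user = TRUE)
  stopifnot(!"newton" %in% root$auth$ldap$list(user = TRUE),
            "einstein" %in% root$auth$ldap$list(user = TRUE))
}
```

Because a login's policies are the union of its group and user mappings, review both lists when auditing who can obtain what: a user-level entry can grant more than the groups suggest.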


Method login()

Log into the vault using LDAP authentication. Normally you would not call this directly but instead use $login with method = "ldap", providing the username and optionally the password argument. This function returns a vault token but does not set it as the client token.

Usage

vault_client_auth_ldap$login(username, password)

Arguments

username

Username to authenticate with

password

Password to authenticate with. If omitted or NULL and the session is interactive, the password will be prompted for.
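Added example (not part of this page or of vaultr) showing the failure mode and the token-handling point above: a wrong password surfaces as an R error rather than a NULL, and a successful $login() yields a token that the calling client does not adopt, so it can be handed to a second client created with login = "token". It reuses the public forumsys test directory from the Examples section and therefore needs network access. vaultr's own $login wrapper consumes the return value internally; the example assumes it is vault's auth block with a client_token field, falling back to treating it as a bare token string, as noted in a comment.

```r
library(vaultr)

# Added example; not part of vaultr. Uses the public forumsys test
# directory (https://www.forumsys.com/2022/05/10/online-ldap-test-server/).
server <- vaultr::vault_test_server(if_disabled = message)
if (!is.null(server)) {
  root <- server$client()
  root$auth$enable("ldap")
  root$auth$ldap$configure(
    url = "ldap://ldap.forumsys.com",
    binddn = "cn=read-only-admin,dc=example,dc=com",
    bindpass = "password",
    userdn = "dc=example,dc=com",
    userattr = "uid",
    groupdn = "dc=example,dc=com",
    groupattr = "ou",
    groupfilter = "(uniqueMember={{.UserDN}})")
  root$auth$ldap$write("scientists", "default")

  # A wrong password is an error from vault, not a NULL return: catch it
  # so that calling code cannot carry on as if it held a token.
  bad <- tryCatch(root$auth$ldap$login("newton", "not-the-password"),
                  error = function(e) conditionMessage(e))
  stopifnot(is.character(bad))

  # A good login returns the auth response. Assumption: this is vault's
  # auth block (a list with client_token); fall back to a bare string.
  auth <- root$auth$ldap$login("newton", "password")
  token <- if (is.list(auth)) auth$client_token else auth
  stopifnot(is.character(token), nzchar(token))

  # The root client is untouched: it still carries only the root policy
  stopifnot(identical(root$auth$token$lookup_self()$policies, "root"))

  # Hand the token to a separate client, as you would to a worker process
  worker <- vaultr::vault_client(addr = server$addr,
                                 login = "token", token = token)
  info <- worker$auth$token$lookup_self()
  stopifnot(!"root" %in% info$policies, "default" %in% info$policies)

  # "auth/ldap/login/newton": records which mount and account issued the
  # token, which is what vault's audit log will show for its requests
  info$path
}
```

Passing the password as a literal, as here for the public test account, puts it in the command history; in interactive use leave the argument NULL and let vaultr prompt for it.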

Examples

server <- vaultr::vault_test_server(if_disabled = message)
#> ...waiting for Vault to start
#> ...waiting for Vault to start
if (!is.null(server)) {
  root <- server$client()

  # The ldap authentication backend is not enabled by default,
  # so we need to enable it first
  root$auth$enable("ldap")

  # Considerable configuration is required to make this work. Here
  # we use the public server available at
  # https://www.forumsys.com/2022/05/10/online-ldap-test-server/
  root$auth$ldap$configure(
    url = "ldap://ldap.forumsys.com",
    binddn = "cn=read-only-admin,dc=example,dc=com",
    bindpass = "password",
    userdn = "dc=example,dc=com",
    userattr = "uid",
    groupdn = "dc=example,dc=com",
    groupattr = "ou",
    groupfilter = "(uniqueMember={{.UserDN}})")

  # You can associate groups of users with policies:
  root$auth$ldap$write("scientists", "default")

  # Create a new client and login with this user:
  newton <- vaultr::vault_client(
    addr = server$addr,
    login = "ldap",
    username = "newton",
    password = "password")

  # (it is not recommended to login with the password like this as
  # it will end up in the command history, but in interactive use
  # you will be prompted securely for password)

  # Isaac Newton has now logged in and has only "default" policies
  newton$auth$token$lookup_self()$policies

  # (whereas our original root user has the "root" policy)
  root$auth$token$lookup_self()$policies
}
#> ok, duration: 2764800 s (~32d)
#> [1] "root"