From 582f38c68f3269c5341d6387322b8c6cefd27352 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Thu, 26 Sep 2024 17:30:18 +1000
Subject: [PATCH] feat: update ldap backend
 - confirm users can authenticate
 - add `vault_access` group with base rights for users
---
 auth_backend_ldap.tf | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/auth_backend_ldap.tf b/auth_backend_ldap.tf
index 71eb6c3..c2b3c2b 100644
--- a/auth_backend_ldap.tf
+++ b/auth_backend_ldap.tf
@@ -11,12 +11,19 @@ data "vault_generic_secret" "ldap_bindpass" {
 resource "vault_ldap_auth_backend" "ldap" {
 path = "ldap"
 url = "ldap://ldap.service.consul"
- userdn = "dc=main,dc=unkin,dc=net"
+ userdn = "ou=people,ou=users,dc=main,dc=unkin,dc=net"
 userattr = "uid"
- upndomain = "main.unkin.net"
+ upndomain = "users.main.unkin.net"
 discoverdn = false
- groupdn = "ou=groups,dc=main,dc=unkin,dc=net"
- groupfilter = "(memberOf=ou=vault_access,ou=groups,dc=main,dc=unkin,dc=net)"
- binddn = "svc_vault"
+ groupdn = "ou=users,dc=main,dc=unkin,dc=net"
+ groupfilter = "(&(objectClass=posixGroup)(memberUid={{.Username}}))"
+ groupattr = "uid"
+ binddn = data.vault_generic_secret.ldap_bindpass.data["distinguishedName"]
 bindpass = data.vault_generic_secret.ldap_bindpass.data["pass"]
 }
+
+resource "vault_ldap_auth_backend_group" "vault_access" {
+ groupname = "vault_access"
+ policies = ["sshca_signuser"]
+ backend = vault_ldap_auth_backend.ldap.path
+}
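Review bot: The new `groupattr = "uid"` looks inconsistent with the new `groupfilter`, which returns posixGroup objects: Vault reads `groupattr` from each object the filter returns to obtain the group name it matches against `vault_ldap_auth_backend_group.groupname`, and posixGroup entries normally name themselves in `cn`, not `uid`. Unless the directory's group objects also carry a `uid` equal to the group name, group resolution would yield nothing and the `vault_access` → `sshca_signuser` mapping added in the same hunk would never apply, so users would authenticate but receive no policies; `groupattr = "cn"` is the likely fix. Separately, the unchanged `url = "ldap://ldap.service.consul"` context line means the bind DN and password now pulled from the `ldap_bindpass` secret, and every user password, cross the network in plaintext unless `starttls = true` (or an `ldaps://` URL) is set; worth a comment on the resource stating which is intended. The `vault_ldap_auth_backend` resource begins inside this hunk (line 12), so the surrounding file context was not reviewed.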