unkin/terraform-vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: update ldap backend

Browse Source 
- confirm users can authenticate
- add `vault_access` group with base rights for users
This commit is contained in:
Ben Vincent 2024-09-26 17:30:18 +10:00
parent 7b9e27cfe6
commit 582f38c68f
1 changed files with 12 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
auth_backend_ldap.tf
View File

@ -11,12 +11,19 @@ data "vault_generic_secret" "ldap_bindpass" {
resource "vault_ldap_auth_backend" "ldap" { resource "vault_ldap_auth_backend" "ldap" {
path = "ldap" path = "ldap"
url = "ldap://ldap.service.consul" url = "ldap://ldap.service.consul"
userdn = "dc=main,dc=unkin,dc=net" userdn = "ou=people,ou=users,dc=main,dc=unkin,dc=net"
userattr = "uid" userattr = "uid"
upndomain = "main.unkin.net" upndomain = "users.main.unkin.net"
discoverdn = false discoverdn = false
groupdn = "ou=groups,dc=main,dc=unkin,dc=net" groupdn = "ou=users,dc=main,dc=unkin,dc=net"
groupfilter = "(memberOf=ou=vault_access,ou=groups,dc=main,dc=unkin,dc=net)" groupfilter = "(&(objectClass=posixGroup)(memberUid={{.Username}}))"
binddn = "svc_vault" groupattr = "uid"
binddn = data.vault_generic_secret.ldap_bindpass.data["distinguishedName"]
bindpass = data.vault_generic_secret.ldap_bindpass.data["pass"] bindpass = data.vault_generic_secret.ldap_bindpass.data["pass"]
} }
resource "vault_ldap_auth_backend_group" "vault_access" {
groupname = "vault_access"
policies = ["sshca_signuser"]
backend = vault_ldap_auth_backend.ldap.path
}