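#--------------------------------
# Enable ldap auth method
#--------------------------------

# Retrieve the LDAP service-account bind credentials from Vault's KV store.
# NOTE: a data source copies the whole secret (including "pass") into the
# Terraform state file, so anyone who can read state can read the bind
# password. Keep the state backend encrypted and access-controlled.
data "vault_generic_secret" "svc_vault" {
  path = "kv/service/glauth/services/svc_vault"
}

# Create the LDAP auth backend. Users log in with their uid; Vault binds with
# the service account below, searches for the user under userdn, then maps
# posixGroup memberships to Vault policies via the group resources further down.
resource "vault_ldap_auth_backend" "ldap" {
  path = "ldap"

  # Plain ldap:// on 389 sends the service-account bind and every user's
  # password in cleartext. starttls upgrades the connection to TLS before any
  # bind is attempted. The server must support STARTTLS and present a
  # certificate Vault trusts (set `certificate` to the CA PEM for a private CA).
  # If the server offers LDAPS instead, use url = "ldaps://..." and drop starttls.
  url      = "ldap://ldap.service.consul"
  starttls = true

  # User lookup: search userdn for uid=<login name>. discoverdn = false means no
  # anonymous bind is used to locate the user's DN; the authenticated binddn
  # search below does that instead.
  userdn     = "ou=people,ou=users,dc=main,dc=unkin,dc=net"
  userattr   = "uid"
  discoverdn = false
  # NOTE(review): upndomain is the Active Directory userPrincipalName suffix.
  # With binddn/bindpass set, Vault locates users by userattr, so this is
  # likely inert against glauth — confirm and remove if unused.
  upndomain = "users.main.unkin.net"

  # Group lookup: every posixGroup under groupdn listing the user in memberUid
  # is a match. groupattr is the attribute whose value is compared against
  # vault_ldap_auth_backend_group.groupname; for posixGroup entries that is
  # usually cn. NOTE(review): verify glauth exposes a uid on group entries,
  # otherwise no group (and therefore no policy) will ever be attached.
  groupdn     = "ou=users,dc=main,dc=unkin,dc=net"
  groupfilter = "(&(objectClass=posixGroup)(memberUid={{.Username}}))"
  groupattr   = "uid"

  # Service account used for the user/group searches, taken from the KV secret
  # above (bindpass is marked sensitive by the provider, but see the state
  # caveat on the data source).
  binddn   = data.vault_generic_secret.svc_vault.data["distinguishedName"]
  bindpass = data.vault_generic_secret.svc_vault.data["pass"]

  # NOTE(review): no token_ttl / token_max_ttl is set here, so issued tokens
  # inherit the mount/system defaults — consider bounding them explicitly,
  # particularly because the vault_admin mapping below grants global-admin.
}

# LDAP group -> Vault policy mappings. Membership in these posixGroups is the
# authorization boundary: anyone who can edit memberUid on the LDAP side can
# grant themselves these policies, so write access to these groups in LDAP
# must be controlled at least as tightly as Vault itself.
resource "vault_ldap_auth_backend_group" "vault_access" {
  backend   = vault_ldap_auth_backend.ldap.path
  groupname = "vault_access"
  policies = [
    "default_access",
  ]
}

# Full administrative access: global-admin on top of default_access.
resource "vault_ldap_auth_backend_group" "vault_admin" {
  backend   = vault_ldap_auth_backend.ldap.path
  groupname = "vault_admin"
  policies = [
    "default_access",
    "global-admin",
  ]
}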