#--------------------------------
# Enable ldap auth method
#--------------------------------

# retrieve the bindpass from Vault
#
# Reads the LDAP service-account credentials (the "distinguishedName" and
# "pass" keys consumed by the ldap backend below) from the KV secrets engine.
# NOTE(review): the returned `data` map is written into Terraform state in
# plaintext, so the state backend must be access-controlled and encrypted at
# least as strictly as this KV path, and plan/apply output should not be
# captured unredacted in CI logs.
data "vault_generic_secret" "svc_vault" {
  path = "kv/service/glauth/services/svc_vault"
}

# create the ldap backend
#
# Mounts the LDAP auth method at auth/ldap, pointed at the glauth server that
# is registered in Consul. Vault looks the user up under `userdn` by
# `userattr`, then resolves group membership with `groupfilter` under
# `groupdn`; the group names found there are mapped to policies by the
# vault_ldap_auth_backend_group resources that follow.
resource "vault_ldap_auth_backend" "ldap" {
  path = "ldap"

  # --- connection -----------------------------------------------------------
  # NOTE(review): a plain ldap:// URL without `starttls = true` means the bind
  # password below and every user's login password cross the network in
  # cleartext. Prefer ldaps:// (or starttls) with `certificate` set to the
  # server's CA once the glauth endpoint offers TLS.
  url = "ldap://ldap.service.consul"

  # --- service account used for the user and group searches ----------------
  # Both values come from the KV secret read above, so nothing sensitive is
  # hard-coded here; they do still land in Terraform state.
  binddn   = data.vault_generic_secret.svc_vault.data["distinguishedName"]
  bindpass = data.vault_generic_secret.svc_vault.data["pass"]

  # --- user lookup ----------------------------------------------------------
  discoverdn = false
  userdn     = "ou=people,ou=users,dc=main,dc=unkin,dc=net"
  userattr   = "uid"
  # NOTE(review): `upndomain` makes Vault bind as user@domain (an Active
  # Directory convention); confirm that is intended against glauth rather than
  # the userdn/userattr search configured above, since both are set.
  upndomain = "users.main.unkin.net"

  # --- group lookup ---------------------------------------------------------
  groupdn = "ou=users,dc=main,dc=unkin,dc=net"
  # posixGroup entries list members by uid in memberUid; {{.Username}} is the
  # login name Vault substitutes at authentication time.
  groupfilter = "(&(objectClass=posixGroup)(memberUid={{.Username}}))"
  # Attribute on each matched group entry that supplies the group name used by
  # the group mappings below. TODO confirm glauth populates `uid` on group
  # entries -- the standard posixGroup schema names groups by `cn`.
  groupattr = "uid"
}

# Map the LDAP group "vault_access" to the baseline policy set.
# `groupname` must match the value of `groupattr` on the group entry that the
# ldap backend's groupfilter returns for the user.
resource "vault_ldap_auth_backend_group" "vault_access" {
  backend   = vault_ldap_auth_backend.ldap.path
  groupname = "vault_access"
  policies  = ["default_access"]
}

# Map the LDAP group "vault_admin" to the baseline set plus "global-admin".
# Because membership in this LDAP group translates directly into the
# global-admin policy, changes to that group in the directory should be
# reviewed and audited like any other privileged-access grant.
resource "vault_ldap_auth_backend_group" "vault_admin" {
  backend   = vault_ldap_auth_backend.ldap.path
  groupname = "vault_admin"
  policies = [
    "default_access",
    "global-admin",
  ]
}