vault_client_auth_ldap: Vault LDAP Authentication Configuration

Description

Vault LDAP Authentication Configuration

Arguments

Super class

vaultr::vault_client_object -> vault_client_auth_ldap

Methods

Public methods

Inherited methods

Method `new()`

Create a vault_client_auth_ldap object. Not typically called by users.

Usage

vault_client_auth_ldap$new(api_client, mount)

Arguments

api_client: A vault_api_client object

mount

Mount point for the backend

Method `custom_mount()`

Set up a vault_client_auth_ldap object at a custom mount. For example, suppose you mounted the ldap authentication backend at /ldap-dev you might use ldap <- vault$auth$ldap2$custom_mount("/ldap-dev") - this pattern is repeated for other secret and authentication backends.

Usage

vault_client_auth_ldap$custom_mount(mount)

Arguments

mount: String, indicating the path that the engine is mounted at.

Method `configure()`

Configures the connection parameters for LDAP-based authentication. Note that there are many options here and not all may be well supported. You are probably best to configure your vault-LDAP interaction elsewhere, and this method should be regarded as experimental and for testing purposes only.

See the official docs (https://developer.hashicorp.com/vault/api-docs/auth/ldap, "Configure LDAP") for the list of accepted parameters here via the dots argument; these are passed through directly (with the exception of url which is the only required parameter and for which concatenation of multiple values is done for you.

Usage

vault_client_auth_ldap$configure(url, ...)

Arguments

url: The LDAP server to connect to. Examples: ldap://ldap.myorg.com, ldaps://ldap.myorg.com:636. Multiple URLs can be specified with a character vector, e.g. c("ldap://ldap.myorg.com", , "ldap://ldap2.myorg.com"); these will be tried in-order.

...

Additional arguments passed through with the body

Method `configuration()`

Reads the connection parameters for LDAP-based authentication.

Usage

vault_client_auth_ldap$configuration()

Method `write()`

Create or update a policy

Usage

vault_client_auth_ldap$write(name, policies, user = FALSE)

Arguments

name: The name of the group (or user)

policies

A character vector of vault policies that this group (or user) will have for vault access.

user

Scalar logical - if TRUE, then name is interpreted as a user instead of a group.

Method `read()`

Write a mapping between a LDAP group or user and a set of vault policies.

Usage

vault_client_auth_ldap$read(name, user = FALSE)

Arguments

name: The name of the group (or user)

user

Scalar logical - if TRUE, then name is interpreted as a user instead of a group.

Method `list()`

List groups or users known to vault via LDAP

Usage

vault_client_auth_ldap$list(user = FALSE)

Arguments

user: Scalar logical - if TRUE, then list users instead of groups.

Method `delete()`

Delete a group or user (just the mapping to vault, no data on the LDAP server is modified).

Usage

vault_client_auth_ldap$delete(name, user = FALSE)

Arguments

name: The name of the group (or user)

user

Scalar logical - if TRUE, then name is interpreted as a user instead of a group.

Method `login()`

Log into the vault using LDAP authentication. Normally you would not call this directly but instead use $login with method = "ldap" and proving the username and optionally the password argument. argument. This function returns a vault token but does not set it as the client token.

Usage

vault_client_auth_ldap$login(username, password)

Arguments

username: Username to authenticate with

password

Password to authenticate with. If omitted or NULL and the session is interactive, the password will be prompted for.

Details

Interact with vault's LDAP authentication backend. This backend can be used to configure users based on their presence or group membership in an LDAP server. For more information, please see the vault documentation https://developer.hashicorp.com/vault/docs/auth/ldap

Examples

Run this code

server <- vaultr::vault_test_server(if_disabled = message)
if (!is.null(server)) {
  root <- server$client()

  # The ldap authentication backend is not enabled by default,
  # so we need to enable it first
  root$auth$enable("ldap")

  # Considerable configuration is required to make this work. Here
  # we use the public server available at
  # https://www.forumsys.com/2022/05/10/online-ldap-test-server/
  root$auth$ldap$configure(
    url = "ldap://ldap.forumsys.com",
    binddn = "cn=read-only-admin,dc=example,dc=com",
    bindpass = "password",
    userdn = "dc=example,dc=com",
    userattr = "uid",
    groupdn = "dc=example,dc=com",
    groupattr = "ou",
    groupfilter = "(uniqueMember={{.UserDN}})")

  # You can associate groups of users with policies:
  root$auth$ldap$write("scientists", "default")

  # Create a new client and login with this user:
  newton <- vaultr::vault_client(
    addr = server$addr,
    login = "ldap",
    username = "newton",
    password = "password")

  # (it is not recommended to login with the password like this as
  # it will end up in the command history, but in interactive use
  # you will be prompted securely for password)

  # Isaac Newton has now logged in and has only "default" policies
  newton$auth$token$lookup_self()$policies

  # (wheras our original root user has the "root" policy)
  root$auth$token$lookup_self()$policies
}

Run the code above in your browser using DataLab

Description

Arguments

Super class

Methods

Public methods

Method new()

Usage

Arguments

Method custom_mount()

Usage

Arguments

Method configure()

Usage

Arguments

Method configuration()

Usage

Method write()

Usage

Arguments

Method read()

Usage

Arguments

Method list()

Usage

Arguments

Method delete()

Usage

Arguments

Method login()

Usage

Arguments

Details

Examples

Method `new()`

Method `custom_mount()`

Method `configure()`

Method `configuration()`

Method `write()`

Method `read()`

Method `list()`

Method `delete()`

Method `login()`