vault_client_auth_ldap | R Documentation
Vault LDAP Authentication Configuration
Interact with vault's LDAP authentication backend. This backend can be used to configure users based on their presence or group membership in an LDAP server. For more information, see the vault documentation at https://developer.hashicorp.com/vault/docs/auth/ldap
Super class: vaultr::vault_client_object -> vault_client_auth_ldap
new()
Create a vault_client_auth_ldap object. Not typically called by users.
Usage: vault_client_auth_ldap$new(api_client, mount)
Arguments:
  api_client: A vault_api_client object
  mount: Mount point for the backend
custom_mount()
Set up a vault_client_auth_ldap object at a custom mount. For example, suppose you mounted the ldap authentication backend at /ldap-dev; you might then use ldap <- vault$auth$ldap$custom_mount("/ldap-dev"). This pattern is repeated for other secret and authentication backends.
Usage: vault_client_auth_ldap$custom_mount(mount)
Arguments:
  mount: String, indicating the path that the engine is mounted at.
configure()
Configures the connection parameters for LDAP-based authentication. Note that there are many options here and not all may be well supported. You are probably best to configure your vault-LDAP interaction elsewhere, and this method should be regarded as experimental and for testing purposes only.
See the official docs (https://developer.hashicorp.com/vault/api-docs/auth/ldap, "Configure LDAP") for the list of parameters accepted here via the dots argument; these are passed through directly (with the exception of url, which is the only required parameter and for which concatenation of multiple values is done for you).
Usage: vault_client_auth_ldap$configure(url, ...)
Arguments:
  url: The LDAP server to connect to. Examples: ldap://ldap.myorg.com, ldaps://ldap.myorg.com:636. Multiple URLs can be specified with a character vector, e.g. c("ldap://ldap.myorg.com", "ldap://ldap2.myorg.com"); these will be tried in order.
  ...: Additional arguments passed through in the request body
configuration()
Reads the connection parameters for LDAP-based authentication.
Usage: vault_client_auth_ldap$configuration()
write()
Create or update a mapping between an LDAP group or user and a set of vault policies.
Usage: vault_client_auth_ldap$write(name, policies, user = FALSE)
Arguments:
  name: The name of the group (or user)
  policies: A character vector of vault policies that this group (or user) will have for vault access.
  user: Scalar logical; if TRUE, then name is interpreted as a user instead of a group.
read()
Read the mapping between an LDAP group or user and its set of vault policies.
Usage: vault_client_auth_ldap$read(name, user = FALSE)
Arguments:
  name: The name of the group (or user)
  user: Scalar logical; if TRUE, then name is interpreted as a user instead of a group.
list()
List groups or users known to vault via LDAP.
Usage: vault_client_auth_ldap$list(user = FALSE)
Arguments:
  user: Scalar logical; if TRUE, then list users instead of groups.
delete()
Delete a group or user (just the mapping to vault; no data on the LDAP server is modified).
Usage: vault_client_auth_ldap$delete(name, user = FALSE)
Arguments:
  name: The name of the group (or user)
  user: Scalar logical; if TRUE, then name is interpreted as a user instead of a group.
login()
Log into the vault using LDAP authentication. Normally you would not call this directly but instead use $login with method = "ldap", providing the username and optionally the password argument. This function returns a vault token but does not set it as the client token.
Usage: vault_client_auth_ldap$login(username, password)
Arguments:
  username: Username to authenticate with
  password: Password to authenticate with. If omitted or NULL and the session is interactive, the password will be prompted for.
Examples:

server <- vaultr::vault_test_server(if_disabled = message)
if (!is.null(server)) {
  root <- server$client()
  # The ldap authentication backend is not enabled by default,
  # so we need to enable it first
  root$auth$enable("ldap")
  # Considerable configuration is required to make this work. Here
  # we use the public server available at
  # https://www.forumsys.com/2022/05/10/online-ldap-test-server/
  root$auth$ldap$configure(
    url = "ldap://ldap.forumsys.com",
    binddn = "cn=read-only-admin,dc=example,dc=com",
    bindpass = "password",
    userdn = "dc=example,dc=com",
    userattr = "uid",
    groupdn = "dc=example,dc=com",
    groupattr = "ou",
    groupfilter = "(uniqueMember={{.UserDN}})")
  # You can associate groups of users with policies:
  root$auth$ldap$write("scientists", "default")
  # Create a new client and login with this user:
  newton <- vaultr::vault_client(
    addr = server$addr,
    login = "ldap",
    username = "newton",
    password = "password")
  # (it is not recommended to login with the password like this as
  # it will end up in the command history, but in interactive use
  # you will be prompted securely for the password)
  # Isaac Newton has now logged in and has only "default" policies
  newton$auth$token$lookup_self()$policies
  # (whereas our original root user has the "root" policy)
  root$auth$token$lookup_self()$policies
}
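As an added example (not part of vaultr or its documentation), the configuration(), list() and read() methods documented above can be combined into a small audit of an LDAP auth backend: it flags URLs that use plain ldap:// instead of ldaps://, an insecure_tls setting, and any group or user mapping that grants an over-broad policy such as "root". It assumes `ldap` is a vault_client_auth_ldap object (for instance root$auth$ldap from the example above) and that configuration() and read() return the backend's data fields as R lists, with `url` stored as the comma-joined string that configure() builds.

```r
# Added example, not vaultr's own code. `audit_ldap_auth` is a hypothetical
# helper; it assumes configuration() returns a list with $url and
# $insecure_tls, and read() returns a list with $policies.
audit_ldap_auth <- function(ldap, forbidden = c("root")) {
  findings <- character()
  cfg <- ldap$configuration()

  # Transport: plain ldap:// carries the bind password and every user's
  # login credentials in clear text, so each configured URL should be ldaps://.
  urls <- trimws(strsplit(cfg$url, ",", fixed = TRUE)[[1]])
  plain <- urls[!grepl("^ldaps://", urls)]
  if (length(plain) > 0) {
    findings <- c(findings, sprintf("non-TLS LDAP url: %s", plain))
  }
  # insecure_tls disables verification of the LDAP server certificate.
  if (isTRUE(cfg$insecure_tls)) {
    findings <- c(findings, "insecure_tls is enabled (server certificate not verified)")
  }

  # Mappings: walk every group and every user (user = TRUE) and flag any
  # mapping that grants one of the forbidden policies.
  check_mappings <- function(user) {
    label <- if (user) "user" else "group"
    for (name in ldap$list(user = user)) {
      policies <- unlist(ldap$read(name, user = user)$policies)
      bad <- intersect(policies, forbidden)
      if (length(bad) > 0) {
        findings <<- c(findings,
                       sprintf("%s '%s' grants policy: %s", label, name, bad))
      }
    }
  }
  check_mappings(FALSE)
  check_mappings(TRUE)

  # A character vector of findings; zero length means nothing was flagged.
  findings
}

# Usage against the client from the example above:
# audit_ldap_auth(root$auth$ldap)
```

Run against the example above it reports the ldap://ldap.forumsys.com URL as non-TLS and nothing else, since the only mapping grants "default".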