From dd4a3b339ed49bd65b432e61bc946eae2d7dd07e Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Tue, 15 Mar 2022 10:21:40 -0400 Subject: [PATCH] auth/ldap: add `username_as_alias` config flag (#14324) --- builtin/credential/ldap/backend_test.go | 1 + builtin/credential/ldap/path_login.go | 4 ++++ changelog/14324.txt | 3 +++ sdk/helper/ldaputil/config.go | 12 ++++++++++++ sdk/helper/ldaputil/config_test.go | 1 + website/content/api-docs/auth/ldap.mdx | 4 ++++ website/content/docs/auth/ldap.mdx | 5 +++++ 7 files changed, 30 insertions(+) create mode 100644 changelog/14324.txt diff --git a/builtin/credential/ldap/backend_test.go b/builtin/credential/ldap/backend_test.go index c53fc7819..c58fa2f2d 100644 --- a/builtin/credential/ldap/backend_test.go +++ b/builtin/credential/ldap/backend_test.go @@ -1205,6 +1205,7 @@ func TestLdapAuthBackend_ConfigUpgrade(t *testing.T) { CaseSensitiveNames: falseBool, UsePre111GroupCNBehavior: new(bool), RequestTimeout: cfg.RequestTimeout, + UsernameAsAlias: false, }, } diff --git a/builtin/credential/ldap/path_login.go b/builtin/credential/ldap/path_login.go index eea2006e7..49c0cfe9d 100644 --- a/builtin/credential/ldap/path_login.go +++ b/builtin/credential/ldap/path_login.go @@ -103,6 +103,10 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew }, } + if cfg.UsernameAsAlias { + auth.Alias.Name = username + } + cfg.PopulateTokenAuth(auth) // Add in configured policies from mappings diff --git a/changelog/14324.txt b/changelog/14324.txt new file mode 100644 index 000000000..2932b2323 --- /dev/null +++ b/changelog/14324.txt @@ -0,0 +1,3 @@ +```release-note:improvement +auth/ldap: Add username_as_alias configurable to change how aliases are named +``` diff --git a/sdk/helper/ldaputil/config.go b/sdk/helper/ldaputil/config.go index d9118d1b2..43844da22 100644 --- a/sdk/helper/ldaputil/config.go +++ b/sdk/helper/ldaputil/config.go 
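Review bot: The one added line in this test pins `UsernameAsAlias` to false for the config-upgrade case only (the diffstat shows a single added line in backend_test.go), so the enabled path of the new flag has no coverage in this commit. A login test that sets `username_as_alias: true` and checks `resp.Auth.Alias.Name` against the submitted username would pin the behavior, and a second case with a differently-cased username would document what the alias looks like when `CaseSensitiveNames` is false. TestLdapAuthBackend_ConfigUpgrade starts and ends outside the hunk.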
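Review bot: The new branch copies the login input straight into `auth.Alias.Name`, so the identity alias that selects the entity a token attaches to becomes whatever string the caller submitted rather than an identifier derived from the directory; if the directory matches names case-insensitively or accepts several spellings of one account, each spelling yields a separate alias and entity unless `username` has already been normalized earlier in pathLogin, which starts above the hunk so I cannot see whether the `CaseSensitiveNames` setting is applied to it. If it is not, apply the same rule here, e.g. `if cfg.CaseSensitiveNames == nil || !*cfg.CaseSensitiveNames { auth.Alias.Name = strings.ToLower(username) } else { auth.Alias.Name = username }` (assuming strings is imported in this file), or add a comment above the branch such as `// alias name is taken verbatim from the request; case and spelling variants map to different entities`. The branch also relies on `auth.Alias` being non-nil in the literal just above, which the hunk cuts off, so that should be confirmed. What the alias is when the flag is off is not visible here and is worth stating in the field's description.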
@@ -112,6 +112,12 @@ Default: ({{.UserAttr}}={{.Username}})`, }, }, + "username_as_alias": { + Type: framework.TypeBool, + Default: false, + Description: "If true, sets the alias name to the username", + }, + "userattr": { Type: framework.TypeString, Default: "cn", @@ -242,6 +248,10 @@ func NewConfigEntry(existing *ConfigEntry, d *framework.FieldData) (*ConfigEntry cfg.AnonymousGroupSearch = d.Get("anonymous_group_search").(bool) } + if _, ok := d.Raw["username_as_alias"]; ok || !hadExisting { + cfg.UsernameAsAlias = d.Get("username_as_alias").(bool) + } + if _, ok := d.Raw["url"]; ok || !hadExisting { cfg.Url = strings.ToLower(d.Get("url").(string)) } @@ -393,6 +403,7 @@ type ConfigEntry struct { GroupFilter string `json:"groupfilter"` GroupAttr string `json:"groupattr"` UPNDomain string `json:"upndomain"` + UsernameAsAlias bool `json:"username_as_alias"` UserFilter string `json:"userfilter"` UserAttr string `json:"userattr"` Certificate string `json:"certificate"` @@ -444,6 +455,7 @@ func (c *ConfigEntry) PasswordlessMap() map[string]interface{} { "use_token_groups": c.UseTokenGroups, "anonymous_group_search": c.AnonymousGroupSearch, "request_timeout": c.RequestTimeout, + "username_as_alias": c.UsernameAsAlias, } if c.CaseSensitiveNames != nil { m["case_sensitive_names"] = *c.CaseSensitiveNames diff --git a/sdk/helper/ldaputil/config_test.go b/sdk/helper/ldaputil/config_test.go index 7463be363..32edb5dff 100644 --- a/sdk/helper/ldaputil/config_test.go +++ b/sdk/helper/ldaputil/config_test.go @@ -166,6 +166,7 @@ var jsonConfigDefault = []byte(` "tls_max_version": "tls12", "use_token_groups": false, "use_pre111_group_cn_behavior": null, + "username_as_alias": false, "request_timeout": 90, "CaseSensitiveNames": false, "ClientTLSCert": "", diff --git a/website/content/api-docs/auth/ldap.mdx b/website/content/api-docs/auth/ldap.mdx index fd2666532..38b31af3b 100644 --- a/website/content/api-docs/auth/ldap.mdx +++ b/website/content/api-docs/auth/ldap.mdx 
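Review bot: The schema description `"If true, sets the alias name to the username"` in the first hunk does not tell an operator what the alias is when the flag is off, nor that enabling it on a mount with existing logins changes alias names, which (as I understand Vault's identity alias lookup) means existing entities and their policies or group memberships stop matching and fresh entities are created at the next login; the API docs hunk in website/content/api-docs/auth/ldap.mdx has the same gap. Suggest `Description: "If true, the identity alias name is the username supplied at login instead of the value otherwise used for the user; changing this on an existing mount changes alias names, so existing entity mappings will no longer match."` The `NewConfigEntry` and `PasswordlessMap` hunks in the same file follow the `ok || !hadExisting` and map-export patterns of the neighbouring fields, which looks consistent; both enclosing functions extend outside their hunks.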
@@ -87,6 +87,8 @@ This endpoint configures the LDAP auth method. `groupfilter` in order to enumerate user group membership. Examples: for groupfilter queries returning _group_ objects, use: `cn`. For queries returning _user_ objects, use: `memberOf`. The default is `cn`. +- `username_as_alias` `(bool: false)` - If set to true, forces the auth method + to use the username passed by the user as the alias name. @include 'tokenfields.mdx' @@ -117,6 +119,7 @@ $ curl \ "tls_max_version": "tls12", "tls_min_version": "tls12", "url": "ldaps://ldap.myorg.com:636", + "username_as_alias": false, "userattr": "samaccountname", "userdn": "ou=Users,dc=example,dc=com" } @@ -160,6 +163,7 @@ $ curl \ "tls_min_version": "tls12", "upndomain": "", "url": "ldaps://ldap.myorg.com:636", + "username_as_alias": false, "userattr": "samaccountname", "userdn": "ou=Users,dc=example,dc=com" }, diff --git a/website/content/docs/auth/ldap.mdx b/website/content/docs/auth/ldap.mdx index 7703e233b..b969282b3 100644 --- a/website/content/docs/auth/ldap.mdx +++ b/website/content/docs/auth/ldap.mdx @@ -147,6 +147,11 @@ _Note_: When using _Authenticated Search_ for binding parameters (see above) the Use `vault path-help` for more details. +### Other + +- `username_as_alias` (bool, optional) - If set to true, forces the auth method to use the username passed by the user as the alias name. + + ## Examples: ### Scenario 1