ldap: change setting user policies to setting user groups

builtin/credential/ldap/backend.go

@@ -140,7 +140,7 @@ func (b *backend) Login(req *logical.Request, username string, password string)
 
 	user, err := b.User(req.Storage, username)
 	if err == nil && user != nil {
-		policies = append(policies, user.Policies...)
+		allgroups = append(allgroups, user.Groups...)
 	}
 
 	for _, e := range sresult.Entries {
@@ -150,6 +150,9 @@ func (b *backend) Login(req *logical.Request, username string, password string)
 		}
 		gname := dn.RDNs[0].Attributes[0].Value
 		allgroups = append(allgroups, gname)
+	}
+
+	for _, gname := range allgroups {
 		group, err := b.Group(req.Storage, gname)
 		if err == nil && group != nil {
 			policies = append(policies, group.Policies...)

builtin/credential/ldap/backend_test.go

@@ -17,7 +17,8 @@ func TestBackend_basic(t *testing.T) {
 		Steps: []logicaltest.TestStep{
 			testAccStepConfigUrl(t),
 			testAccStepGroup(t, "scientists", "foo"),
-			testAccStepUser(t, "tesla", "bar"),
+			testAccStepGroup(t, "engineers", "bar"),
+			testAccStepUser(t, "tesla", "engineers"),
 			testAccStepLogin(t, "tesla", "password"),
 		},
 	})
@@ -111,36 +112,36 @@ func TestBackend_userCrud(t *testing.T) {
 	})
 }
 
-func testAccStepUser(t *testing.T, user string, policies string) logicaltest.TestStep {
+func testAccStepUser(t *testing.T, user string, groups string) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.WriteOperation,
 		Path:      "users/" + user,
 		Data: map[string]interface{}{
-			"policies": policies,
+			"groups": groups,
 		},
 	}
 }
 
-func testAccStepReadUser(t *testing.T, user string, policies string) logicaltest.TestStep {
+func testAccStepReadUser(t *testing.T, user string, groups string) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.ReadOperation,
 		Path:      "users/" + user,
 		Check: func(resp *logical.Response) error {
 			if resp == nil {
-				if policies == "" {
+				if groups == "" {
 					return nil
 				}
 				return fmt.Errorf("bad: %#v", resp)
 			}
 
 			var d struct {
-				Policies string `mapstructure:"policies"`
+				Groups string `mapstructure:"groups"`
 			}
 			if err := mapstructure.Decode(resp.Data, &d); err != nil {
 				return err
 			}
 
-			if d.Policies != policies {
+			if d.Groups != groups {
 				return fmt.Errorf("bad: %#v", resp)
 			}
 

builtin/credential/ldap/path_users.go

@@ -16,9 +16,9 @@ func pathUsers(b *backend) *framework.Path {
 				Description: "Name of the LDAP user.",
 			},
 
-			"policies": &framework.FieldSchema{
+			"groups": &framework.FieldSchema{
 				Type:        framework.TypeString,
-				Description: "Comma-separated list of policies associated to the user.",
+				Description: "Comma-separated list of additional groups associated with the user.",
 			},
 		},
 
@@ -72,7 +72,7 @@ func (b *backend) pathUserRead(
 
 	return &logical.Response{
 		Data: map[string]interface{}{
-			"policies": strings.Join(user.Policies, ","),
+			"groups": strings.Join(user.Groups, ","),
 		},
 	}, nil
 }
@@ -80,14 +80,14 @@ func (b *backend) pathUserRead(
 func (b *backend) pathUserWrite(
 	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
 	name := d.Get("name").(string)
-	policies := strings.Split(d.Get("policies").(string), ",")
-	for i, p := range policies {
-		policies[i] = strings.TrimSpace(p)
+	groups := strings.Split(d.Get("groups").(string), ",")
+	for i, g := range groups {
+		groups[i] = strings.TrimSpace(g)
 	}
 
 	// Store it
 	entry, err := logical.StorageEntryJSON("user/"+name, &UserEntry{
-		Policies: policies,
+		Groups: groups,
 	})
 	if err != nil {
 		return nil, err
@@ -100,19 +100,18 @@ func (b *backend) pathUserWrite(
 }
 
 type UserEntry struct {
-	Policies []string
+	Groups []string
 }
 
 const pathUserHelpSyn = `
-Manage users allowed to authenticate.
+Manage additional groups for users allowed to authenticate.
 `
 
 const pathUserHelpDesc = `
 This endpoint allows you to create, read, update, and delete configuration
-for LDAP users that are allowed to authenticate, and associate policies to
-them.
+for LDAP users that are allowed to authenticate, in particular associating
+additional groups to them.
 
-Deleting a user will not revoke auth for prior authenticated users in that
-user. To do this, do a revoke on "login/<username>" for
+Deleting a user will not revoke their auth. To do this, do a revoke on "login/<username>" for
 the usernames you want revoked.
 `

website/source/docs/auth/ldap.html.md

@@ -108,13 +108,15 @@ $ vault write auth/ldap/groups/scientists policies=foo,bar
 
 This maps the LDAP group "scientists" to the "foo" and "bar" Vault policies.
 
-We can also create a mapping from a specific LDAP user to a Vault policy:
+We can also add specific LDAP users to additional (potentially non-LDAP) groups:
 
 ```
-$ vault write auth/ldap/users/tesla policies=foobar
+$ vault write auth/ldap/groups/engineers policies=foobar
+$ vault write auth/ldap/users/tesla groups=engineers
 ```
 
-This maps the LDAP user "tesla" to the "foobar" Vault policy.
+This adds the LDAP user "tesla" to the "engineers" group, which maps to
+the "foobar" Vault policy.
 
 Finally, we can test this by authenticating: