a3dfde5cec
* conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. * Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads
215 lines
7.7 KiB
Markdown
215 lines
7.7 KiB
Markdown
---
|
|
layout: "api"
|
|
page_title: "Active Directory - Secrets Engines - HTTP API"
|
|
sidebar_title: "Active Directory"
|
|
sidebar_current: "api-http-secret-active-directory"
|
|
description: |-
|
|
This is the API documentation for the Vault Active Directory secrets engine.
|
|
---
|
|
|
|
# Active Directory Secrets Engine (API)
|
|
|
|
This is the API documentation for the Vault AD secrets engine. For general
|
|
information about the usage and operation of the AD secrets engine, please see
|
|
the [Vault Active Directory documentation](/docs/secrets/ad/index.html).
|
|
|
|
This documentation assumes the AD secrets engine is enabled at the `/ad` path
|
|
in Vault. Since it is possible to enable secrets engines at any location, please
|
|
update your API calls accordingly.
|
|
|
|
## Configuration
|
|
|
|
The `config` endpoint configures the LDAP connection and binding parameters, as well as the password rotation configuration.
|
|
|
|
### Password parameters
|
|
|
|
* `ttl` (string, optional) - The default password time-to-live in seconds. Once the ttl has passed, a password will be rotated the next time it's requested.
|
|
* `max_ttl` (string, optional) - The maximum password time-to-live in seconds. No role will be allowed to set a custom ttl greater than the `max_ttl`.
|
|
* `length` (string, optional) - The desired password length. Defaults to 64. Minimum is 14.
|
|
* `formatter` (string, optional) - Text into which the base64 password should be inserted, formatted like so: `mycustom{{PASSWORD}}`.
|
|
|
|
To meet Microsoft's password complexity requirements, all passwords begin with "?@09AZ" unless a `formatter` is provided.
|
|
The `formatter` is for organizations with different, custom password requirements. It allows an organization to supply
|
|
text that fulfills those requirements. `{{PASSWORD}}` must appear exactly once and can be anywhere in the text.
|
|
|
|
### Connection parameters
|
|
|
|
* `url` (string, required) - The LDAP server to connect to. Examples: `ldaps://ldap.myorg.com`, `ldaps://ldap.myorg.com:636`. This can also be a comma-delineated list of URLs, e.g. `ldaps://ldap.myorg.com,ldaps://ldap.myorg.com:636`, in which case the servers will be tried in-order if there are errors during the connection process.
|
|
* `starttls` (bool, optional) - If true, issues a `StartTLS` command after establishing an unencrypted connection.
|
|
* `insecure_tls` - (bool, optional) - If true, skips LDAP server SSL certificate verification - insecure, use with caution!
|
|
* `certificate` - (string, optional) - CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
|
|
|
|
### Binding parameters
|
|
|
|
* `binddn` (string, required) - Distinguished name of object to bind when performing user and group search. Example: `cn=vault,ou=Users,dc=example,dc=com`
|
|
* `bindpass` (string, required) - Password to use along with `binddn` when performing user search.
|
|
* `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com`
|
|
* `upndomain` (string, optional) - userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind as `username@example.com`.
|
|
|
|
## Config management
|
|
|
|
At present, this endpoint does not confirm that the provided AD credentials are
|
|
valid AD credentials with proper permissions.
|
|
|
|
| Method | Path | Produces |
|
|
| :------- | :--------------------- | :--------------------- |
|
|
| `POST` | `/ad/config` | `204 (empty body)` |
|
|
| `GET` | `/ad/config` | `200 application/json` |
|
|
| `DELETE` | `/ad/config` | `204 (empty body)` |
|
|
|
|
### Sample Post Request
|
|
|
|
```
|
|
$ curl \
|
|
--header "X-Vault-Token: ..." \
|
|
--request POST \
|
|
--data @payload.json \
|
|
http://127.0.0.1:8200/v1/ad/config
|
|
```
|
|
|
|
### Sample Post Payload
|
|
|
|
```json
|
|
{
|
|
"binddn": "domain-admin",
|
|
"bindpass": "pa$$w0rd",
|
|
"url": "ldaps://127.0.0.11",
|
|
"userdn": "dc=example,dc=com"
|
|
}
|
|
```
|
|
|
|
### Sample Get Response Data
|
|
|
|
```json
|
|
{
|
|
"binddn": "domain-admin",
|
|
"certificate": "",
|
|
"insecure_tls": false,
|
|
"length": 64,
|
|
"max_ttl": 2764800,
|
|
"starttls": false,
|
|
"tls_max_version": "tls12",
|
|
"tls_min_version": "tls12",
|
|
"ttl": 2764800,
|
|
"upndomain": "",
|
|
"url": "ldaps://127.0.0.11",
|
|
"userdn": "dc=example,dc=com"
|
|
}
|
|
|
|
```
|
|
|
|
## Role management
|
|
|
|
The `roles` endpoint configures how Vault will manage the passwords for individual service accounts.
|
|
|
|
### Parameters
|
|
|
|
* `service_account_name` (string, required) - The name of a pre-existing service account in Active Directory that maps to this role.
|
|
* `ttl` (string, optional) - The password time-to-live in seconds. Defaults to the configuration `ttl` if not provided.
|
|
|
|
When adding a role, Vault verifies its associated service account exists.
|
|
|
|
| Method | Path | Produces |
|
|
| :------- | :--------------------- | :--------------------- |
|
|
| `GET` | `/ad/roles` | `200 application/json` |
|
|
| `POST` | `/ad/roles/:role_name` | `204 (empty body)` |
|
|
| `GET` | `/ad/roles/:role_name` | `200 application/json` |
|
|
| `DELETE` | `/ad/roles/:role_name` | `204 (empty body)` |
|
|
|
|
### Sample Post Request
|
|
|
|
```
|
|
$ curl \
|
|
--header "X-Vault-Token: ..." \
|
|
--request POST \
|
|
--data @payload.json \
|
|
http://127.0.0.1:8200/v1/ad/roles/my-application
|
|
```
|
|
|
|
### Sample Post Payload
|
|
|
|
```json
|
|
{
|
|
"service_account_name": "my-application@example.com",
|
|
"ttl": 100
|
|
}
|
|
```
|
|
|
|
### Sample Get Role Response
|
|
|
|
```json
|
|
{
|
|
"last_vault_rotation": "2018-05-24T17:14:38.677370855Z",
|
|
"password_last_set": "2018-05-24T17:14:38.6038495Z",
|
|
"service_account_name": "my-application@example.com",
|
|
"ttl": 100
|
|
}
|
|
```
|
|
|
|
### Sample List Roles Response
|
|
|
|
Performing a `LIST` on the `/ad/roles` endpoint will list the names of all the roles Vault contains.
|
|
|
|
```json
|
|
[
|
|
"my-application"
|
|
]
|
|
```
|
|
|
|
## Retrieving passwords
|
|
|
|
The `creds` endpoint offers the credential information for a given role.
|
|
|
|
| Method | Path | Produces |
|
|
| :------- | :--------------------- | :--------------------- |
|
|
| `GET` | `/ad/creds/:role_name` | `200 application/json` |
|
|
|
|
### Sample Get Request
|
|
|
|
```
|
|
$ curl \
|
|
--header "X-Vault-Token: ..." \
|
|
--request GET \
|
|
http://127.0.0.1:8200/v1/ad/creds/my-application
|
|
```
|
|
|
|
### Sample Get Response
|
|
|
|
```json
|
|
{
|
|
"current_password": "?@09AZnh4Q5N4O5zdLk/4F8aIMgsnpDM6tSQEZCge3Mz1wXcZEgZhOa6OR748F96",
|
|
"last_password": "?@09AZSen9TzUwK7ZhafS7B0GuWGraQjfWEna5SwnmF/tVaKFqjXhhGV/Z0v/pBJ",
|
|
"username": "my-application"
|
|
}
|
|
```
|
|
## Rotate Root Credentials
|
|
|
|
Rotate the `bindpass` to a new one known only to Vault.
|
|
|
|
### Risks
|
|
|
|
1. When the `bindpass` is rotated, it successfully gets rotated in Active Directory but Vault can't store it so it becomes unknown.
|
|
2. If the `binddn` in use applies to more than one entity in Active Directory, root credential rotation will fail because it's unclear which entity to perform the operation for.
|
|
|
|
### Mitigating Risks
|
|
|
|
1. Always have another account that can provision a new `binddn` and `bindpass` to replace one whose password becomes unknown.
|
|
2. Ensure the `binddn` in use only applies to one entity by including all distinguished name parameters possible. For example, use `"CN=vault-ad-test,CN=Users,DC=example,DC=com"` instead of `"CN=vault-ad-test"`.
|
|
|
|
### Endpoints
|
|
|
|
| Method | Path | Produces |
|
|
| :------- | :--------------------- | :----------------------------------------- |
|
|
| `GET` | `/ad/rotate-root` | `204 (empty body) or 200 with warning` |
|
|
|
|
Generally, `rotate-root` returns a 204. However, if `rotate-root` is already in progress, it may return a 200 with a warning that root credential rotation is already in progress.
|
|
|
|
### Sample Get Request
|
|
|
|
```
|
|
$ curl \
|
|
--header "X-Vault-Token: ..." \
|
|
--request GET \
|
|
--data @payload.json \
|
|
http://127.0.0.1:8200/v1/ad/rotate-root
|
|
``` |