luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/website/source/api/auth/ldap/index.html.md
Jeff Escalante a3dfde5cec New Docs Website (#5535) 
* conversion stage 1

* correct image paths

* add sidebar title to frontmatter

* docs/concepts and docs/internals

* configuration docs and multi-level nav corrections

* commands docs, index file corrections, small item nav correction

* secrets converted

* auth

* add enterprise and agent docs

* add extra dividers

* secret section, wip

* correct sidebar nav title in front matter for apu section, start working on api items

* auth and backend, a couple directory structure fixes

* remove old docs

* intro side nav converted

* reset sidebar styles, add hashi-global-styles

* basic styling for nav sidebar

* folder collapse functionality

* patch up border length on last list item

* wip restructure for content component

* taking middleman hacking to the extreme, but its working

* small css fix

* add new mega nav

* fix a small mistake from the rebase

* fix a content resolution issue with middleman

* title a couple missing docs pages

* update deps, remove temporary markup

* community page

* footer to layout, community page css adjustments

* wip downloads page

* deps updated, downloads page ready

* fix community page

* homepage progress

* add components, adjust spacing

* docs and api landing pages

* a bunch of fixes, add docs and api landing pages

* update deps, add deploy scripts

* add readme note

* update deploy command

* overview page, index title

* Update doc fields

Note this still requires the link fields to be populated -- this is solely related to copy on the description fields

* Update api_basic_categories.yml

Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages.

* Add bottom hero, adjust CSS, responsive friendly

* Add mega nav title

* homepage adjustments, asset boosts

* small fixes

* docs page styling fixes

* meganav title

* some category link corrections

* Update API categories page

updated to reflect the second level headings for api categories

* Update docs_detailed_categories.yml

Updated to represent the existing docs structure

* Update docs_detailed_categories.yml

* docs page data fix, extra operator page remove

* api data fix

* fix makefile

* update deps, add product subnav to docs and api landing pages

* Rearrange non-hands-on guides to _docs_

Since there is no place for these on learn.hashicorp, we'll put them
under _docs_.

* WIP Redirects for guides to docs

* content and component updates

* font weight hotfix, redirects

* fix guides and intro sidenavs

* fix some redirects

* small style tweaks

* Redirects to learn and internally to docs

* Remove redirect to `/vault`

* Remove `.html` from destination on redirects

* fix incorrect index redirect

* final touchups

* address feedback from michell for makefile and product downloads
2018-10-19 08:40:11 -07:00

464 lines
12 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
layout: "api"
page_title: "LDAP - Auth Methods - HTTP API"
sidebar_title: "LDAP"
sidebar_current: "api-http-auth-ldap"
description: |-
This is the API documentation for the Vault LDAP auth method.
---
# LDAP Auth Method (API)
This is the API documentation for the Vault LDAP auth method. For
general information about the usage and operation of the LDAP method, please
see the [Vault LDAP method documentation](/docs/auth/ldap.html).
This documentation assumes the LDAP method is mounted at the `/auth/ldap`
path in Vault. Since it is possible to enable auth methods at any location,
please update your API calls accordingly.
## Configure LDAP
This endpoint configures the LDAP auth method.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/auth/ldap/config` | `204 (empty body)` |
### Parameters
- `url` `(string: <required>)` The LDAP server to connect to. Examples:
`ldap://ldap.myorg.com`, `ldaps://ldap.myorg.com:636`. Multiple URLs can be
specified with commas, e.g. `ldap://ldap.myorg.com,ldap://ldap2.myorg.com`;
these will be tried in-order.
- `case_sensitive_names` `(bool: false)` If set, user and group names
assigned to policies within the backend will be case sensitive. Otherwise,
names will be normalized to lower case. Case will still be preserved when
sending the username to the LDAP server at login time; this is only for
matching local user/group definitions.
- `starttls` `(bool: false)` If true, issues a `StartTLS` command after
establishing an unencrypted connection.
- `tls_min_version` `(string: tls12)` Minimum TLS version to use. Accepted
values are `tls10`, `tls11` or `tls12`.
- `tls_max_version` `(string: tls12)` Maximum TLS version to use. Accepted
values are `tls10`, `tls11` or `tls12`.
- `insecure_tls` `(bool: false)` If true, skips LDAP server SSL certificate
verification - insecure, use with caution!
- `certificate` `(string: "")` CA certificate to use when verifying LDAP server
certificate, must be x509 PEM encoded.
- `binddn` `(string: "")` Distinguished name of object to bind when performing
user search. Example: `cn=vault,ou=Users,dc=example,dc=com`
- `bindpass` `(string: "")` Password to use along with `binddn` when performing
user search.
- `userdn` `(string: "")` Base DN under which to perform user search. Example:
`ou=Users,dc=example,dc=com`
- `userattr` `(string: "")` Attribute on user attribute object matching the
username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
- `discoverdn` `(bool: false)` Use anonymous bind to discover the bind DN of a
user.
- `deny_null_bind` `(bool: true)` This option prevents users from bypassing
authentication when providing an empty password.
- `upndomain` `(string: "")` The userPrincipalDomain used to construct the UPN
string for the authenticating user. The constructed UPN will appear as
`[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind
as `username@example.com`.
- `groupfilter` `(string: "")` Go template used when constructing the group
membership query. The template can access the following context variables:
\[`UserDN`, `Username`\]. The default is
`(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))`,
which is compatible with several common directory schemas. To support
nested group resolution for Active Directory, instead use the following
query: `(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))`.
- `groupdn` `(string: "")` LDAP search base to use for group membership
search. This can be the root containing either groups or users. Example:
`ou=Groups,dc=example,dc=com`
- `groupattr` `(string: "")` LDAP attribute to follow on objects returned by
`groupfilter` in order to enumerate user group membership. Examples: for
groupfilter queries returning _group_ objects, use: `cn`. For queries
returning _user_ objects, use: `memberOf`. The default is `cn`.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/ldap/config
```
### Sample Payload
```json
{
"binddn": "cn=vault,ou=Users,dc=example,dc=com",
"deny_null_bind": true,
"discoverdn": false,
"groupattr": "cn",
"groupdn": "ou=Groups,dc=example,dc=com",
"groupfilter": "(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
"insecure_tls": false,
"starttls": false,
"tls_max_version": "tls12",
"tls_min_version": "tls12",
"url": "ldaps://ldap.myorg.com:636",
"userattr": "samaccountname",
"userdn": "ou=Users,dc=example,dc=com"
}
```
## Read LDAP Configuration
This endpoint retrieves the LDAP configuration for the auth method.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/auth/ldap/config` | `200 application/json` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/auth/ldap/config
```
### Sample Response
```json
{
"auth": null,
"warnings": null,
"wrap_info": null,
"data": {
"binddn": "cn=vault,ou=Users,dc=example,dc=com",
"bindpass": "",
"certificate": "",
"deny_null_bind": true,
"discoverdn": false,
"groupattr": "cn",
"groupdn": "ou=Groups,dc=example,dc=com",
"groupfilter": "(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
"insecure_tls": false,
"starttls": false,
"tls_max_version": "tls12",
"tls_min_version": "tls12",
"upndomain": "",
"url": "ldaps://ldap.myorg.com:636",
"userattr": "samaccountname",
"userdn": "ou=Users,dc=example,dc=com"
},
"lease_duration": 0,
"renewable": false,
"lease_id": ""
}
```
## List LDAP Groups
This endpoint returns a list of existing groups in the method.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `LIST` | `/auth/ldap/groups` | `200 application/json` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/auth/ldap/groups
```
### Sample Response
```json
{
"auth": null,
"warnings": null,
"wrap_info": null,
"data": {
"keys": [
"scientists",
"engineers"
]
},
"lease_duration": 0,
"renewable": false,
"lease_id": ""
}
```
## Read LDAP Group
This endpoint returns the policies associated with a LDAP group.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/auth/ldap/groups/:name` | `200 application/json` |
### Parameters
- `name` `(string: <required>)` The name of the LDAP group
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/auth/ldap/groups/admins
```
### Sample Response
```json
{
"data": {
"policies": [
"admin",
"default"
]
},
"renewable": false,
"lease_id": ""
"lease_duration": 0,
"warnings": null
}
```
## Create/Update LDAP Group
This endpoint creates or updates LDAP group policies.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/auth/ldap/groups/:name` | `204 (empty body)` |
### Parameters
- `name` `(string: <required>)` The name of the LDAP group
- `policies` `(string: "")` Comma-separated list of policies associated to the
group.
### Sample Payload
```json
{
"policies": "admin,default"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/ldap/groups/admins
```
## Delete LDAP Group
This endpoint deletes the LDAP group and policy association.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `DELETE` | `/auth/ldap/groups/:name` | `204 (empty body)` |
### Parameters
- `name` `(string: <required>)` The name of the LDAP group
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/auth/ldap/groups/admins
```
## List LDAP Users
This endpoint returns a list of existing users in the method.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `LIST` | `/auth/ldap/users` | `200 application/json` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/auth/ldap/users
```
### Sample Response
```json
{
"auth": null,
"warnings": null,
"wrap_info": null,
"data": {
"keys": [
"mitchellh",
"armon"
]
},
"lease_duration": 0,
"renewable": false,
"lease_id": ""
}
```
## Read LDAP User
This endpoint returns the policies associated with a LDAP user.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/auth/ldap/users/:username` | `200 application/json` |
### Parameters
- `username` `(string: <required>)` The username of the LDAP user
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/auth/ldap/users/mitchellh
```
### Sample Response
```json
{
"data": {
"policies": [
"admin",
"default"
],
"groups": ""
},
"renewable": false,
"lease_id": ""
"lease_duration": 0,
"warnings": null
}
```
## Create/Update LDAP User
This endpoint creates or updates LDAP users policies and group associations.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/auth/ldap/users/:username` | `204 (empty body)` |
### Parameters
- `username` `(string: <required>)` The username of the LDAP user
- `policies` `(string: "")` Comma-separated list of policies associated to the
user.
- `groups` `(string: "")` Comma-separated list of groups associated to the
user.
### Sample Payload
```json
{
"policies": "admin,default"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/ldap/users/mitchellh
```
## Delete LDAP User
This endpoint deletes the LDAP user and policy association.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `DELETE` | `/auth/ldap/users/:username` | `204 (empty body)` |
### Parameters
- `username` `(string: <required>)` The username of the LDAP user
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/auth/ldap/users/mitchellh
```
## Login with LDAP User
This endpoint allows you to log in with LDAP credentials
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/auth/ldap/login/:username` | `200 application/json` |
### Parameters
- `username` `(string: <required>)` The username of the LDAP user
- `password` `(string: <required>)` The password for the LDAP user
### Sample Payload
```json
{
"password": "MyPassword1"
}
```
### Sample Request
```
$ curl \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/ldap/login/mitchellh
```
### Sample Response
```json
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"auth": {
"client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
"policies": [
"admins",
"default"
],
"metadata": {
"username": "mitchellh"
},
"lease_duration": 0,
"renewable": false
}
}
```
Reference in a new issue View git blame Copy permalink