hashivault_auth_ldap – Hashicorp Vault ldap configuration module

New in version 3.17.7.

Synopsis

  • Module to configure the LDAP authentication method in Hashicorp Vault.

Requirements

The below requirements are needed on the host that executes this module.

  • hvac>=0.10.1

  • ansible>=2.0.0

  • requests

Parameters

Parameter / Choices, Defaults / Comments

authtype
    Choices: token, userpass, github, ldap, approle
    Default: token or environment variable `VAULT_AUTHTYPE`
    Authentication type.

aws_header
    Default: to environment variable `VAULT_AWS_HEADER`
    X-Vault-AWS-IAM-Server-ID header value to prevent replay attacks.

bind_dn
    Default: ""
    Distinguished name of the object to bind as when performing the user search. Example: cn=vault,ou=Users,dc=example,dc=com

bind_pass
    Default: None
    Password to use along with bind_dn when performing the user search.

ca_cert
    Default: to environment variable `VAULT_CACERT`
    Path to a PEM-encoded CA cert file used to verify the Vault server TLS certificate.

ca_path
    Default: to environment variable `VAULT_CAPATH`
    Path to a directory of PEM-encoded CA cert files used to verify the Vault server TLS certificate. If ca_cert is specified, its value takes precedence.

case_sensitive_names
    Default: no
    If set, user and group names assigned to policies within the backend are case sensitive. Otherwise, names are normalized to lower case. Case is still preserved when sending the username to the LDAP server at login time; this only affects matching of local user/group definitions.

certificate
    Default: ""
    CA certificate to use when verifying the LDAP server certificate; must be x509 PEM encoded.

client_cert
    Default: to environment variable `VAULT_CLIENT_CERT`
    Path to a PEM-encoded client certificate for TLS authentication to the Vault server.

client_key
    Default: to environment variable `VAULT_CLIENT_KEY`
    Path to an unencrypted PEM-encoded private key matching the client certificate.

deny_null_bind
    Default: yes
    Prevents users from bypassing authentication by providing an empty password.

discover_dn
    Default: no
    Use an anonymous bind to discover the bind DN of a user.

group_attr
    Default: cn
    LDAP attribute to follow on objects returned by group_filter in order to enumerate user group membership.

group_dn
    Default: ""
    LDAP search base to use for the group membership search.

group_filter
    Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
    Go template used when constructing the group membership query. The template can access the context variables UserDN and Username.

insecure_tls
    Default: no
    If true, skips LDAP server SSL certificate verification.

ldap_url
    Default: ldap://127.0.0.1
    The LDAP server to connect to. Example: ldap://ldap.myorg.com

login_mount_point
    Default: value of authtype or environment variable `VAULT_LOGIN_MOUNT_POINT`
    Authentication mount point.

mount_point
    Location where this auth method is mounted; also known as "path".

namespace
    Default: to environment variable `VAULT_NAMESPACE`
    Namespace for Vault.

password
    Default: to environment variable `VAULT_PASSWORD`
    Password to log in to Vault.

starttls
    Default: no
    If true, issues a StartTLS command after establishing an unencrypted connection.

tls_max_version
    Default: tls12
    Maximum TLS version to use. Accepted values are tls10, tls11 or tls12.

tls_min_version
    Default: tls12
    Minimum TLS version to use. Accepted values are tls10, tls11 or tls12.

token
    Default: to environment variable `VAULT_TOKEN`
    Token for Vault.

upn_domain
    Default: ""
    The userPrincipalDomain used to construct the UPN string for the authenticating user.

url
    Default: to environment variable `VAULT_ADDR`
    URL for Vault.

user_attr
    Default: cn
    Attribute on the user object that matches the username passed when authenticating. Examples: sAMAccountName, cn, uid

user_dn
    Default: ""
    Base DN under which to perform the user search. Example: ou=Users,dc=example,dc=com

username
    Default: to environment variable `VAULT_USER`
    Username to log in to Vault.

verify
    Default: to environment variable `VAULT_SKIP_VERIFY`
    If set, do not verify the presented TLS certificate before communicating with the Vault server. Setting this is not recommended except during testing.

Examples

---
- hosts: localhost
  tasks:
    - hashivault_auth_ldap:
        user_dn: "{{ auth_ldap_userdn }}"
        group_dn: "{{ auth_ldap_groupdn }}"
        bind_dn: "{{ auth_ldap_binddn }}"
        ldap_url: "{{ auth_ldap_url }}"
        insecure_tls: "{{ auth_ldap_insecure_tls }}"
        group_filter: "{{ auth_ldap_groupfilter }}"
        upn_domain: "{{ auth_ldap_upndomain }}"
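A hardened variant of the playbook above, added here as an example and not taken from the module's own documentation: it uses LDAPS with a pinned CA certificate, keeps insecure_tls off, enforces TLS 1.2, denies empty-password binds and keeps the bind password out of task logs. The hostname, DNs, file path and variable names (ldap_ca_pem, vault_ldap_bind_pass) are constructed placeholders.

```yaml
---
- hosts: localhost
  vars:
    # Constructed placeholder: PEM CA that signed the LDAP server certificate.
    ldap_ca_pem: "{{ lookup('file', 'files/ldap-ca.pem') }}"
  tasks:
    - name: Configure the LDAP auth method with certificate verification
      hashivault_auth_ldap:
        mount_point: ldap
        ldap_url: "ldaps://ldap.example.com:636"   # LDAPS, not plain ldap://
        certificate: "{{ ldap_ca_pem }}"           # verify the LDAP server against this CA
        insecure_tls: no                           # never skip verification outside testing
        tls_min_version: tls12
        bind_dn: "cn=vault,ou=Users,dc=example,dc=com"
        bind_pass: "{{ vault_ldap_bind_pass }}"    # constructed placeholder; store it ansible-vault encrypted
        discover_dn: no                            # no anonymous bind to locate users
        deny_null_bind: yes                        # reject empty-password logins
        user_dn: "ou=Users,dc=example,dc=com"
        user_attr: uid
        group_dn: "ou=Groups,dc=example,dc=com"
        group_attr: cn
        # !unsafe stops Jinja from evaluating the Go template's {{.Username}}/{{.UserDN}}.
        group_filter: !unsafe "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"
        case_sensitive_names: no
      no_log: true   # keep bind_pass out of Ansible output and logs
```

The Vault address and token are read from VAULT_ADDR and VAULT_TOKEN as described under the url and token parameters above.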

Authors

  • UNKNOWN
