File: ldap.rst

LDAP
====

.. note::
    Every method under the :py:attr:`Client class's ldap attribute<hvac.v1.Client.ldap>` includes a `mount_point` parameter that can be used to address the LDAP auth method under a custom mount path. E.g., if the LDAP auth method was enabled via Vault's CLI with `vault auth enable -path=my-ldap ldap`, the `mount_point` parameter in :py:meth:`hvac.api.auth_methods.Ldap` methods would be set to "my-ldap".

Enabling the LDAP Auth Method
-----------------------------

:py:meth:`hvac.api.SystemBackend.enable_auth_method`

.. code:: python

    import hvac
    client = hvac.Client()

    ldap_auth_path = 'company-ldap'
    description = "Auth method for use by team members in our company's LDAP organization"

    # Auth mounts are listed with a trailing slash, e.g. 'company-ldap/'
    if '%s/' % ldap_auth_path not in client.sys.list_auth_methods()['data']:
        print('Enabling the ldap auth backend at mount_point: {path}'.format(
            path=ldap_auth_path,
        ))
        client.sys.enable_auth_method(
            method_type='ldap',
            description=description,
            path=ldap_auth_path,
        )


Configure LDAP Auth Method Settings
-----------------------------------

:py:meth:`hvac.api.auth_methods.Ldap.configure`

.. code:: python

    import hvac
    client = hvac.Client()

    client.auth.ldap.configure(
        user_dn='dc=users,dc=hvac,dc=network',
        group_dn='ou=groups,dc=hvac,dc=network',
        url='ldaps://ldap.hvac.network:12345',
        bind_dn='cn=admin,dc=hvac,dc=network',
        bind_pass='ourverygoodadminpassword',
        user_attr='uid',
        group_attr='cn',
    )

Reading the LDAP Auth Method Configuration
------------------------------------------

:py:meth:`hvac.api.auth_methods.Ldap.read_configuration`

.. code:: python

    import hvac
    client = hvac.Client()

    ldap_configuration = client.auth.ldap.read_configuration()
    print('The LDAP auth method is configured with a LDAP server URL of: {url}'.format(
        url=ldap_configuration['data']['url']
    ))
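The configure and read_configuration calls above write and return the same set of Vault LDAP settings. As an added example (not part of hvac's own documentation), the following audits a `read_configuration()` response for settings a reviewer would flag before trusting the mount: a cleartext `ldap://` URL without `starttls`, `insecure_tls` (certificate verification disabled), and `deny_null_bind` turned off. The sample response is constructed, and the `audit_ldap_config` and `mount_enabled` helpers are assumptions, not hvac APIs.

```python
from urllib.parse import urlparse

# Constructed sample of what client.auth.ldap.read_configuration()['data']
# returns; key names follow Vault's LDAP auth config, values are made up.
SAMPLE_CONFIG = {
    "url": "ldap://ldap.hvac.network:389",
    "starttls": False,
    "insecure_tls": True,
    "deny_null_bind": False,
    "binddn": "cn=admin,dc=hvac,dc=network",
    "userdn": "dc=users,dc=hvac,dc=network",
    "groupdn": "ou=groups,dc=hvac,dc=network",
    "userattr": "uid",
    "groupattr": "cn",
}


def audit_ldap_config(config):
    """Return a list of findings for risky LDAP auth settings (empty list = clean)."""
    findings = []
    scheme = urlparse(config.get("url", "")).scheme
    if scheme != "ldaps" and not config.get("starttls", False):
        findings.append("bind credentials and user passwords travel in cleartext: "
                        "use an ldaps:// URL or starttls=True")
    if config.get("insecure_tls", False):
        findings.append("insecure_tls=True disables server certificate verification")
    if not config.get("deny_null_bind", True):
        findings.append("deny_null_bind=False allows anonymous (empty-password) binds")
    return findings


def mount_enabled(auth_methods, path):
    """True if auth mount `path` is present in client.sys.list_auth_methods()['data']."""
    # Vault lists auth mounts with a trailing slash, e.g. 'company-ldap/'
    return "%s/" % path.strip("/") in auth_methods


if __name__ == "__main__":
    import hvac  # only needed here, to talk to a live Vault

    client = hvac.Client()
    mount = "company-ldap"  # hypothetical mount path
    if mount_enabled(client.sys.list_auth_methods()["data"], mount):
        live = client.auth.ldap.read_configuration(mount_point=mount)["data"]
        for finding in audit_ldap_config(live):
            print("WARNING:", finding)
```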

Create or Update an LDAP Group Mapping
--------------------------------------

:py:meth:`hvac.api.auth_methods.Ldap.create_or_update_group`

.. code:: python

    import hvac
    client = hvac.Client()

    client.auth.ldap.create_or_update_group(
        name='some-dudes',
        policies=['policy-for-some-dudes'],
    )

List LDAP Group Mappings
------------------------

:py:meth:`hvac.api.auth_methods.Ldap.list_groups`

.. code:: python

    import hvac
    client = hvac.Client()

    ldap_groups = client.auth.ldap.list_groups()
    print('The following groups are configured in the LDAP auth method: {groups}'.format(
        groups=','.join(ldap_groups['data']['keys'])
    ))


Read LDAP Group Mapping
-----------------------

:py:meth:`hvac.api.auth_methods.Ldap.read_group`

.. code:: python

    import hvac
    client = hvac.Client()

    some_dudes_ldap_group = client.auth.ldap.read_group(
        name='somedudes',
    )
    print('The "somedudes" group in the LDAP auth method is mapped to the following policies: {policies}'.format(
        policies=','.join(some_dudes_ldap_group['data']['policies'])
    ))

Deleting an LDAP Group Mapping
------------------------------

:py:meth:`hvac.api.auth_methods.Ldap.delete_group`

.. code:: python

    import hvac
    client = hvac.Client()

    client.auth.ldap.delete_group(
        name='some-group',
    )

Creating or Updating an LDAP User Mapping
-----------------------------------------

:py:meth:`hvac.api.auth_methods.Ldap.create_or_update_user`

.. code:: python

    import hvac
    client = hvac.Client()

    client.auth.ldap.create_or_update_user(
        username='somedude',
        policies=['policy-for-some-dudes'],
    )

Listing LDAP User Mappings
--------------------------

:py:meth:`hvac.api.auth_methods.Ldap.list_users`

.. code:: python

    import hvac
    client = hvac.Client()

    ldap_users = client.auth.ldap.list_users()
    print('The following users are configured in the LDAP auth method: {users}'.format(
        users=','.join(ldap_users['data']['keys'])
    ))

Reading an LDAP User Mapping
----------------------------

:py:meth:`hvac.api.auth_methods.Ldap.read_user`

.. code:: python

    import hvac
    client = hvac.Client()

    some_dude_ldap_user = client.auth.ldap.read_user(
        username='somedude'
    )
    print('The "somedude" user in the LDAP auth method is mapped to the following policies: {policies}'.format(
        policies=','.join(some_dude_ldap_user['data']['policies'])
    ))

Deleting a Configured User Mapping
----------------------------------

:py:meth:`hvac.api.auth_methods.Ldap.delete_user`

.. code:: python

    import hvac
    client = hvac.Client()

    client.auth.ldap.delete_user(
        username='somedude',
    )

Authentication / Login
----------------------

:py:meth:`hvac.api.auth_methods.Ldap.login`

For an LDAP backend mounted under a non-default path (i.e., something other than `ldap`),
e.g. one enabled via the Vault CLI with `vault auth enable -path=prod-ldap ldap`:

.. code:: python

    from getpass import getpass

    import hvac

    service_account_username = 'someuser'
    password_prompt = 'Please enter your password for the LDAP authentication backend: '
    service_account_password = getpass(prompt=password_prompt)

    client = hvac.Client()

    # Here the mount_point parameter corresponds to the path provided when enabling the backend
    client.auth.ldap.login(
        username=service_account_username,
        password=service_account_password,
        mount_point='prod-ldap'
    )
    print(client.is_authenticated())  # => True