File: ldap.rst

Package: python-hvac 2.3.0-5
LDAP
================

.. contents::

Configure LDAP Secrets Engine
-----------------------------

Configure the LDAP secrets engine to either manage service accounts or service account libraries.

Source reference: :py:meth:`hvac.api.secrets_engines.ldap.configure`

.. code:: python

    import hvac
    client = hvac.Client()

    # Authenticate to Vault using client.auth.x

    # Not all these settings may apply to your setup, refer to Vault
    # documentation for context of what to use here

    config_response = client.secrets.ldap.configure(
        binddn='username@domain.fqdn',  # A UPN or a DN can be used here; Vault resolves the user to a DN silently
        bindpass='***********',
        url='ldaps://domain.fqdn',  # ldaps:// keeps the bind password off the wire in clear text
        userdn='cn=Users,dc=domain,dc=fqdn',  # base DN for user searches; domain components are dc=, not dn=
        upndomain='domain.fqdn',
        userattr="cn",
        schema="openldap"
    )
    print(config_response)
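A pre-flight check for the values passed to ``configure()``, added here as an example and not part of hvac: it flags a plain ``ldap://`` URL (bind password sent in clear), a placeholder bind password, and malformed or mistyped DN components such as ``dn=`` where ``dc=`` was meant. The accepted attribute-type list is an assumption for illustration.

```python
import re
from urllib.parse import urlsplit

# Attribute types normally seen in a base DN (assumed list for this check).
_DN_ATTR = re.compile(r"^(cn|ou|dc|o|c|uid)$", re.IGNORECASE)


def lint_ldap_config(url: str, binddn: str, bindpass: str, userdn: str) -> list[str]:
    """Return a list of findings for a Vault LDAP secrets engine configuration."""
    findings = []

    scheme = urlsplit(url).scheme
    if scheme == "ldap":
        findings.append("url uses plain ldap://; the bind password would cross the "
                        "network unprotected, use ldaps://")
    elif scheme != "ldaps":
        findings.append(f"url scheme {scheme!r} is not ldap or ldaps")

    if not bindpass or set(bindpass) == {"*"}:
        findings.append("bindpass is empty or still a placeholder")

    # binddn may be a DN (attr=value,...) or a UPN (user@domain); anything else is wrong.
    if "=" not in binddn and "@" not in binddn:
        findings.append("binddn is neither a DN nor a UPN")

    # Check each RDN of the user search base.
    for rdn in userdn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not value:
            findings.append(f"userdn component {rdn.strip()!r} is not attr=value")
        elif not _DN_ATTR.match(attr):
            hint = " (did you mean dc=?)" if attr.lower() == "dn" else ""
            findings.append(f"userdn uses unexpected attribute type {attr!r}{hint}")

    return findings


if __name__ == "__main__":
    # Constructed sample input mirroring the configure() call above, with the typos left in.
    for finding in lint_ldap_config("ldap://domain.fqdn", "username@domain.fqdn",
                                    "***********", "cn=Users,dn=domain,dn=fqdn"):
        print("finding:", finding)
```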


Read Config
-----------

Return the LDAP Secret Engine configuration.

Source reference: :py:meth:`hvac.api.secrets_engines.ldap.read_config`

.. code:: python

    import hvac
    client = hvac.Client()

    # Authenticate to Vault using client.auth.x

    config_response = client.secrets.ldap.read_config()


Rotate Root
---------------------------

Rotate the password for the binddn entry used to manage LDAP. This generated password will only be known to Vault and will not be retrievable once rotated.

Source reference: :py:meth:`hvac.api.secrets_engines.ldap.rotate_root`

.. code:: python

    import hvac
    client = hvac.Client()

    # Authenticate to Vault using client.auth.x

    rotate_response = client.secrets.ldap.rotate_root()


Create or Update Static Role
----------------------------

Create or update a role which allows the retrieval and rotation of an LDAP account. Retrieve and rotate the actual credential via generate_static_credentials().

Source reference: :py:meth:`hvac.api.secrets_engines.ldap.create_or_update_static_role`

.. code:: python

    import hvac
    client = hvac.Client()

    # Authenticate to Vault using client.auth.x

    role_response = client.secrets.ldap.create_or_update_static_role(
        name='hvac-role',
        username='sql-service-account',
        dn='cn=sql-service-account,dc=petshop,dc=com',
        rotation_period="60s")


Read Static Role
----------------

Retrieve the role configuration which allows the retrieval and rotation of an LDAP account. Retrieve and rotate the actual credential via generate_static_credentials().

Source reference: :py:meth:`hvac.api.secrets_engines.ldap.read_static_role`

.. code:: python

    import hvac
    client = hvac.Client()

    # Authenticate to Vault using client.auth.x

    role_response = client.secrets.ldap.read_static_role(name='hvac-role')  # the role name, not the LDAP username


List Static Roles
-----------------

List all configured roles which allow the retrieval and rotation of an LDAP account. Retrieve and rotate the actual credential via generate_static_credentials().

Source reference: :py:meth:`hvac.api.secrets_engines.ldap.list_static_roles`

.. code:: python

    import hvac
    client = hvac.Client()

    # Authenticate to Vault using client.auth.x

    all_static_roles = client.secrets.ldap.list_static_roles()


Delete Static Role
------------------

Remove the role configuration which allows the retrieval and rotation of an LDAP account.

Passwords are not rotated upon deletion of a static role. The password should be manually rotated prior to deleting the role or revoking access to the static role.

Source reference: :py:meth:`hvac.api.secrets_engines.ldap.delete_static_role`

.. code:: python

    import hvac
    client = hvac.Client()

    # Authenticate to Vault using client.auth.x

    deletion_response = client.secrets.ldap.delete_static_role(name='hvac-role')  # the role name, not the LDAP username


Generate Static Credentials
---------------------------

Retrieve a service account password from LDAP, together with the previous password (if known). Vault rotates
the password before returning it if the configured TTL has elapsed.

Source reference: :py:meth:`hvac.api.secrets_engines.ldap.generate_static_credentials`

.. code:: python

    import hvac
    client = hvac.Client()

    # Authenticate to Vault using client.auth.x

    gen_creds_response = client.secrets.ldap.generate_static_credentials(
        name='hvac-role',
    )
    print('Retrieved Service Account Password: {access} (Current) / {secret} (Old)'.format(
        access=gen_creds_response['data']['current_password'],
        secret=gen_creds_response['data']['old_password'],
    ))


Rotate Static Credentials
---------------------------

Manually rotate the password of an existing role.

Source reference: :py:meth:`hvac.api.secrets_engines.ldap.rotate_static_credentials`

.. code:: python

    import hvac
    client = hvac.Client()

    # Authenticate to Vault using client.auth.x

    rotate_response = client.secrets.ldap.rotate_static_credentials(name='hvac-role')
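The "rotate before delete" procedure from the Delete Static Role section, written against the rotate and delete calls shown above, as an added example that is not part of hvac. It rotates the role's password, confirms the rotation took effect by comparing the role's ``last_vault_rotation`` timestamp (assumed to be present in the read_static_role response), and only then deletes the role; the in-memory client is a constructed stand-in so the flow runs without a Vault server.

```python
class _FakeLdapEngine:
    """Constructed stand-in for client.secrets.ldap; rotates=False simulates a failed rotation."""

    def __init__(self, rotates=True):
        self.rotates = rotates
        self.rotations = 0
        self.roles = {"hvac-role": {"username": "sql-service-account",
                                    "dn": "cn=sql-service-account,dc=petshop,dc=com",
                                    "last_vault_rotation": "2024-01-01T00:00:00Z"}}

    def read_static_role(self, name):
        return {"data": dict(self.roles[name])}

    def rotate_static_credentials(self, name):
        if self.rotates:
            self.rotations += 1
            self.roles[name]["last_vault_rotation"] = f"rotation-{self.rotations}"

    def delete_static_role(self, name):
        del self.roles[name]


class _FakeClient:
    """Minimal object exposing client.secrets.ldap like hvac.Client does (constructed)."""

    def __init__(self, rotates=True):
        self.secrets = type("Secrets", (), {})()
        self.secrets.ldap = _FakeLdapEngine(rotates)


def retire_static_role(client, name):
    """Rotate the role's password, verify the rotation, then delete the role.

    Deleting a static role does not rotate its password, so anyone who fetched
    it earlier would keep a working credential. Rotating first closes that gap.
    Returns the post-rotation timestamp; raises and leaves the role in place if
    the rotation did not take effect.
    """
    ldap = client.secrets.ldap
    before = ldap.read_static_role(name=name)["data"]
    ldap.rotate_static_credentials(name=name)  # hvac raises on a Vault error, so no delete happens
    after = ldap.read_static_role(name=name)["data"]
    if after.get("last_vault_rotation") == before.get("last_vault_rotation"):
        raise RuntimeError(f"{name}: rotation did not take effect; role not deleted")
    ldap.delete_static_role(name=name)
    return after["last_vault_rotation"]


if __name__ == "__main__":
    print("retired after rotation:", retire_static_role(_FakeClient(), "hvac-role"))
```

With a real client, pass your authenticated ``hvac.Client()`` in place of ``_FakeClient()``.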