Module ldap

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-vault repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-vault repo.

Resources

Resource AuthBackend

class AuthBackend extends CustomResource

Provides a resource for managing an LDAP auth backend within Vault.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const ldap = new vault.ldap.AuthBackend("ldap", {
    discoverdn: false,
    groupdn: "OU=Groups,DC=example,DC=org",
    groupfilter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
    path: "ldap",
    upndomain: "EXAMPLE.ORG",
    url: "ldaps://dc-01.example.org",
    userattr: "sAMAccountName",
    userdn: "OU=Users,OU=Accounts,DC=example,DC=org",
});
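A pre-deploy lint for the TLS and bind settings of this resource, added here as an example and not part of the Pulumi or Vault code. It mirrors a subset of AuthBackendArgs with plain values instead of pulumi.Input so it runs without the SDK; the two sample configs and the CA placeholder are constructed.

```typescript
// Added example (not the Pulumi provider's own code): flag weak settings in a
// vault.ldap.AuthBackend configuration before `pulumi up`. LdapAuthArgs is a
// hand-written subset of AuthBackendArgs using plain values.
interface LdapAuthArgs {
  url: string;
  starttls?: boolean;
  insecureTls?: boolean;
  certificate?: string;
  tlsMinVersion?: string;
  denyNullBind?: boolean;
  tokenBoundCidrs?: string[];
}

// Values Vault accepts for tlsMinVersion / tlsMaxVersion, ordered by strength.
const TLS_RANK: Record<string, number> = { tls10: 0, tls11: 1, tls12: 2, tls13: 3 };

function lintLdapAuth(args: LdapAuthArgs): string[] {
  const findings: string[] = [];
  const url = args.url.toLowerCase();
  const plaintext = url.startsWith("ldap://");
  const tlsInUse = url.startsWith("ldaps://") || args.starttls === true;

  if (plaintext && args.starttls !== true) {
    findings.push("url uses ldap:// without starttls: the bind password travels in clear text");
  }
  if (args.insecureTls === true) {
    findings.push("insecureTls is true: the server certificate is not validated");
  }
  if (tlsInUse && args.insecureTls !== true && !args.certificate) {
    findings.push("certificate is unset: validation relies on the system trust store rather than a pinned CA");
  }
  if (args.tlsMinVersion !== undefined) {
    const rank: number | undefined = TLS_RANK[args.tlsMinVersion];
    if (rank === undefined) {
      findings.push(`tlsMinVersion "${args.tlsMinVersion}" is not a recognised value`);
    } else if (rank < TLS_RANK.tls12) {
      findings.push(`tlsMinVersion ${args.tlsMinVersion} permits deprecated TLS versions`);
    }
  }
  if (args.denyNullBind === false) {
    findings.push("denyNullBind is false: an empty password may be accepted by the directory as an anonymous bind");
  }
  if (!args.tokenBoundCidrs || args.tokenBoundCidrs.length === 0) {
    findings.push("tokenBoundCidrs is unset: issued tokens are usable from any source address");
  }
  return findings;
}

// Constructed sample: the page's example host with settings a first draft often carries.
const weakConfig: LdapAuthArgs = {
  url: "ldap://dc-01.example.org",
  insecureTls: true,
  tlsMinVersion: "tls10",
  denyNullBind: false,
};

// Constructed sample: the same host with a pinned CA (placeholder PEM) and bound tokens.
const hardenedConfig: LdapAuthArgs = {
  url: "ldaps://dc-01.example.org",
  certificate: "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA-PEM\n-----END CERTIFICATE-----",
  tlsMinVersion: "tls12",
  denyNullBind: true,
  tokenBoundCidrs: ["10.0.0.0/8"],
};

lintLdapAuth(weakConfig).forEach((f) => console.log("weak:", f));
console.log("hardened findings:", lintLdapAuth(hardenedConfig).length);
```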

constructor

new AuthBackend(name: string, args: AuthBackendArgs, opts?: pulumi.CustomResourceOptions)

Create an AuthBackend resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendState, opts?: pulumi.CustomResourceOptions): AuthBackend

Get an existing AuthBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AuthBackend

Returns true if the given object is an instance of AuthBackend. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property accessor

public accessor: pulumi.Output<string>;

The accessor for this auth mount.

property binddn

public binddn: pulumi.Output<string>;

DN of object to bind when performing user search

property bindpass

public bindpass: pulumi.Output<string>;

Password to use with binddn when performing user search

property certificate

public certificate: pulumi.Output<string>;

Trusted CA to validate TLS certificate

property denyNullBind

public denyNullBind: pulumi.Output<boolean>;

property description

public description: pulumi.Output<string>;

Description for the LDAP auth backend mount

property discoverdn

public discoverdn: pulumi.Output<boolean>;

property groupattr

public groupattr: pulumi.Output<string>;

LDAP attribute to follow on objects returned by groupfilter

property groupdn

public groupdn: pulumi.Output<string>;

Base DN under which to perform group search

property groupfilter

public groupfilter: pulumi.Output<string>;

Go template used to construct group membership query

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property insecureTls

public insecureTls: pulumi.Output<boolean>;

Control whether or not TLS certificates must be validated

property path

public path: pulumi.Output<string | undefined>;

Path to mount the LDAP auth backend under

property starttls

public starttls: pulumi.Output<boolean>;

Control use of TLS when connecting to LDAP

property tlsMaxVersion

public tlsMaxVersion: pulumi.Output<string>;

Maximum acceptable version of TLS

property tlsMinVersion

public tlsMinVersion: pulumi.Output<string>;

Minimum acceptable version of TLS

property tokenBoundCidrs

public tokenBoundCidrs: pulumi.Output<string[] | undefined>;

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

property tokenExplicitMaxTtl

public tokenExplicitMaxTtl: pulumi.Output<number | undefined>;

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if tokenTtl and tokenMaxTtl would otherwise allow a renewal.

property tokenMaxTtl

public tokenMaxTtl: pulumi.Output<number | undefined>;

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenNoDefaultPolicy

public tokenNoDefaultPolicy: pulumi.Output<boolean | undefined>;

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

property tokenNumUses

public tokenNumUses: pulumi.Output<number | undefined>;

The period, if any, in number of seconds to set on the token.

property tokenPeriod

public tokenPeriod: pulumi.Output<number | undefined>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property tokenPolicies

public tokenPolicies: pulumi.Output<string[] | undefined>;

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

property tokenTtl

public tokenTtl: pulumi.Output<number | undefined>;

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenType

public tokenType: pulumi.Output<string | undefined>;

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

property upndomain

public upndomain: pulumi.Output<string>;

The userPrincipalDomain used to construct UPN string

property url

public url: pulumi.Output<string>;

The URL of the LDAP server

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property useTokenGroups

public useTokenGroups: pulumi.Output<boolean>;

Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships

property userattr

public userattr: pulumi.Output<string>;

Attribute on user object matching username passed in

property userdn

public userdn: pulumi.Output<string>;

Base DN under which to perform user search

Resource AuthBackendGroup

class AuthBackendGroup extends CustomResource

Provides a resource to create a group in an LDAP auth backend within Vault.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const ldap = new vault.ldap.AuthBackend("ldap", {
    discoverdn: false,
    groupdn: "OU=Groups,DC=example,DC=org",
    groupfilter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
    path: "ldap",
    upndomain: "EXAMPLE.ORG",
    url: "ldaps://dc-01.example.org",
    userattr: "sAMAccountName",
    userdn: "OU=Users,OU=Accounts,DC=example,DC=org",
});
const group = new vault.ldap.AuthBackendGroup("group", {
    backend: ldap.path,
    groupname: "dba",
    policies: ["dba"],
});

constructor

new AuthBackendGroup(name: string, args: AuthBackendGroupArgs, opts?: pulumi.CustomResourceOptions)

Create an AuthBackendGroup resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendGroupState, opts?: pulumi.CustomResourceOptions): AuthBackendGroup

Get an existing AuthBackendGroup resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AuthBackendGroup

Returns true if the given object is an instance of AuthBackendGroup. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property backend

public backend: pulumi.Output<string | undefined>;

Path to the authentication backend

property groupname

public groupname: pulumi.Output<string>;

The LDAP groupname

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property policies

public policies: pulumi.Output<string[]>;

Policies which should be granted to members of the group

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource AuthBackendUser

class AuthBackendUser extends CustomResource

Provides a resource to create a user in an LDAP auth backend within Vault.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const ldap = new vault.ldap.AuthBackend("ldap", {
    discoverdn: false,
    groupdn: "OU=Groups,DC=example,DC=org",
    groupfilter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
    path: "ldap",
    upndomain: "EXAMPLE.ORG",
    url: "ldaps://dc-01.example.org",
    userattr: "sAMAccountName",
    userdn: "OU=Users,OU=Accounts,DC=example,DC=org",
});
const user = new vault.ldap.AuthBackendUser("user", {
    backend: ldap.path,
    policies: [
        "dba",
        "sysops",
    ],
    username: "test-user",
});

constructor

new AuthBackendUser(name: string, args: AuthBackendUserArgs, opts?: pulumi.CustomResourceOptions)

Create an AuthBackendUser resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendUserState, opts?: pulumi.CustomResourceOptions): AuthBackendUser

Get an existing AuthBackendUser resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AuthBackendUser

Returns true if the given object is an instance of AuthBackendUser. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property backend

public backend: pulumi.Output<string | undefined>;

Path to the authentication backend

property groups

public groups: pulumi.Output<string[]>;

Override LDAP groups which should be granted to user

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property policies

public policies: pulumi.Output<string[]>;

Policies which should be granted to user

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property username

public username: pulumi.Output<string>;

The LDAP username

Others

interface AuthBackendArgs


The set of arguments for constructing an AuthBackend resource.

property binddn

binddn?: pulumi.Input<string>;

DN of object to bind when performing user search

property bindpass

bindpass?: pulumi.Input<string>;

Password to use with binddn when performing user search

property certificate

certificate?: pulumi.Input<string>;

Trusted CA to validate TLS certificate

property denyNullBind

denyNullBind?: pulumi.Input<boolean>;

property description

description?: pulumi.Input<string>;

Description for the LDAP auth backend mount

property discoverdn

discoverdn?: pulumi.Input<boolean>;

property groupattr

groupattr?: pulumi.Input<string>;

LDAP attribute to follow on objects returned by groupfilter

property groupdn

groupdn?: pulumi.Input<string>;

Base DN under which to perform group search

property groupfilter

groupfilter?: pulumi.Input<string>;

Go template used to construct group membership query

property insecureTls

insecureTls?: pulumi.Input<boolean>;

Control whether or not TLS certificates must be validated

property path

path?: pulumi.Input<string>;

Path to mount the LDAP auth backend under

property starttls

starttls?: pulumi.Input<boolean>;

Control use of TLS when connecting to LDAP

property tlsMaxVersion

tlsMaxVersion?: pulumi.Input<string>;

Maximum acceptable version of TLS

property tlsMinVersion

tlsMinVersion?: pulumi.Input<string>;

Minimum acceptable version of TLS

property tokenBoundCidrs

tokenBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

property tokenExplicitMaxTtl

tokenExplicitMaxTtl?: pulumi.Input<number>;

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if tokenTtl and tokenMaxTtl would otherwise allow a renewal.

property tokenMaxTtl

tokenMaxTtl?: pulumi.Input<number>;

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenNoDefaultPolicy

tokenNoDefaultPolicy?: pulumi.Input<boolean>;

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

property tokenNumUses

tokenNumUses?: pulumi.Input<number>;

The period, if any, in number of seconds to set on the token.

property tokenPeriod

tokenPeriod?: pulumi.Input<number>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property tokenPolicies

tokenPolicies?: pulumi.Input<pulumi.Input<string>[]>;

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

property tokenTtl

tokenTtl?: pulumi.Input<number>;

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenType

tokenType?: pulumi.Input<string>;

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

property upndomain

upndomain?: pulumi.Input<string>;

The userPrincipalDomain used to construct UPN string

property url

url: pulumi.Input<string>;

The URL of the LDAP server

property useTokenGroups

useTokenGroups?: pulumi.Input<boolean>;

Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships

property userattr

userattr?: pulumi.Input<string>;

Attribute on user object matching username passed in

property userdn

userdn?: pulumi.Input<string>;

Base DN under which to perform user search

interface AuthBackendGroupArgs


The set of arguments for constructing an AuthBackendGroup resource.

property backend

backend?: pulumi.Input<string>;

Path to the authentication backend

property groupname

groupname: pulumi.Input<string>;

The LDAP groupname

property policies

policies?: pulumi.Input<pulumi.Input<string>[]>;

Policies which should be granted to members of the group

interface AuthBackendGroupState


Input properties used for looking up and filtering AuthBackendGroup resources.

property backend

backend?: pulumi.Input<string>;

Path to the authentication backend

property groupname

groupname?: pulumi.Input<string>;

The LDAP groupname

property policies

policies?: pulumi.Input<pulumi.Input<string>[]>;

Policies which should be granted to members of the group

interface AuthBackendState


Input properties used for looking up and filtering AuthBackend resources.

property accessor

accessor?: pulumi.Input<string>;

The accessor for this auth mount.

property binddn

binddn?: pulumi.Input<string>;

DN of object to bind when performing user search

property bindpass

bindpass?: pulumi.Input<string>;

Password to use with binddn when performing user search

property certificate

certificate?: pulumi.Input<string>;

Trusted CA to validate TLS certificate

property denyNullBind

denyNullBind?: pulumi.Input<boolean>;

property description

description?: pulumi.Input<string>;

Description for the LDAP auth backend mount

property discoverdn

discoverdn?: pulumi.Input<boolean>;

property groupattr

groupattr?: pulumi.Input<string>;

LDAP attribute to follow on objects returned by groupfilter

property groupdn

groupdn?: pulumi.Input<string>;

Base DN under which to perform group search

property groupfilter

groupfilter?: pulumi.Input<string>;

Go template used to construct group membership query

property insecureTls

insecureTls?: pulumi.Input<boolean>;

Control whether or not TLS certificates must be validated

property path

path?: pulumi.Input<string>;

Path to mount the LDAP auth backend under

property starttls

starttls?: pulumi.Input<boolean>;

Control use of TLS when connecting to LDAP

property tlsMaxVersion

tlsMaxVersion?: pulumi.Input<string>;

Maximum acceptable version of TLS

property tlsMinVersion

tlsMinVersion?: pulumi.Input<string>;

Minimum acceptable version of TLS

property tokenBoundCidrs

tokenBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

property tokenExplicitMaxTtl

tokenExplicitMaxTtl?: pulumi.Input<number>;

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if tokenTtl and tokenMaxTtl would otherwise allow a renewal.

property tokenMaxTtl

tokenMaxTtl?: pulumi.Input<number>;

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenNoDefaultPolicy

tokenNoDefaultPolicy?: pulumi.Input<boolean>;

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

property tokenNumUses

tokenNumUses?: pulumi.Input<number>;

The period, if any, in number of seconds to set on the token.

property tokenPeriod

tokenPeriod?: pulumi.Input<number>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property tokenPolicies

tokenPolicies?: pulumi.Input<pulumi.Input<string>[]>;

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

property tokenTtl

tokenTtl?: pulumi.Input<number>;

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenType

tokenType?: pulumi.Input<string>;

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

property upndomain

upndomain?: pulumi.Input<string>;

The userPrincipalDomain used to construct UPN string

property url

url?: pulumi.Input<string>;

The URL of the LDAP server

property useTokenGroups

useTokenGroups?: pulumi.Input<boolean>;

Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships

property userattr

userattr?: pulumi.Input<string>;

Attribute on user object matching username passed in

property userdn

userdn?: pulumi.Input<string>;

Base DN under which to perform user search

interface AuthBackendUserArgs


The set of arguments for constructing an AuthBackendUser resource.

property backend

backend?: pulumi.Input<string>;

Path to the authentication backend

property groups

groups?: pulumi.Input<pulumi.Input<string>[]>;

Override LDAP groups which should be granted to user

property policies

policies?: pulumi.Input<pulumi.Input<string>[]>;

Policies which should be granted to user

property username

username: pulumi.Input<string>;

The LDAP username

interface AuthBackendUserState


Input properties used for looking up and filtering AuthBackendUser resources.

property backend

backend?: pulumi.Input<string>;

Path to the authentication backend

property groups

groups?: pulumi.Input<pulumi.Input<string>[]>;

Override LDAP groups which should be granted to user

property policies

policies?: pulumi.Input<pulumi.Input<string>[]>;

Policies which should be granted to user

property username

username?: pulumi.Input<string>;

The LDAP username