ldap

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-vault repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-vault repo.

class pulumi_vault.ldap.AuthBackend(resource_name, opts=None, binddn=None, bindpass=None, certificate=None, deny_null_bind=None, description=None, discoverdn=None, groupattr=None, groupdn=None, groupfilter=None, insecure_tls=None, path=None, starttls=None, tls_max_version=None, tls_min_version=None, token_bound_cidrs=None, token_explicit_max_ttl=None, token_max_ttl=None, token_no_default_policy=None, token_num_uses=None, token_period=None, token_policies=None, token_ttl=None, token_type=None, upndomain=None, url=None, use_token_groups=None, userattr=None, userdn=None, __props__=None, __name__=None, __opts__=None)

Provides a resource for managing an LDAP auth backend within Vault.

import pulumi
import pulumi_vault as vault

ldap = vault.ldap.AuthBackend("ldap",
    discoverdn=False,
    groupdn="OU=Groups,DC=example,DC=org",
    groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
    path="ldap",
    upndomain="EXAMPLE.ORG",
    url="ldaps://dc-01.example.org",
    userattr="sAMAccountName",
    userdn="OU=Users,OU=Accounts,DC=example,DC=org")

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • binddn (pulumi.Input[str]) – DN of object to bind when performing user search

  • bindpass (pulumi.Input[str]) – Password to use with binddn when performing user search

  • certificate (pulumi.Input[str]) – Trusted CA to validate TLS certificate

  • description (pulumi.Input[str]) – Description for the LDAP auth backend mount

  • groupattr (pulumi.Input[str]) – LDAP attribute to follow on objects returned by groupfilter

  • groupdn (pulumi.Input[str]) – Base DN under which to perform group search

  • groupfilter (pulumi.Input[str]) – Go template used to construct group membership query

  • insecure_tls (pulumi.Input[bool]) – Control whether or not TLS certificates must be validated

  • path (pulumi.Input[str]) – Path to mount the LDAP auth backend under

  • starttls (pulumi.Input[bool]) – Control use of TLS when connecting to LDAP

  • tls_max_version (pulumi.Input[str]) – Maximum acceptable version of TLS

  • tls_min_version (pulumi.Input[str]) – Minimum acceptable version of TLS

  • token_bound_cidrs (pulumi.Input[list]) – List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

  • token_explicit_max_ttl (pulumi.Input[float]) – If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

  • token_max_ttl (pulumi.Input[float]) – The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

  • token_no_default_policy (pulumi.Input[bool]) – If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

  • token_num_uses (pulumi.Input[float]) – The period, if any, in number of seconds to set on the token.

  • token_period (pulumi.Input[float]) – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

  • token_policies (pulumi.Input[list]) – List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

  • token_ttl (pulumi.Input[float]) – The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

  • token_type (pulumi.Input[str]) – The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

  • upndomain (pulumi.Input[str]) – The userPrincipalDomain used to construct UPN string

  • url (pulumi.Input[str]) – The URL of the LDAP server

  • use_token_groups (pulumi.Input[bool]) – Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships

  • userattr (pulumi.Input[str]) – Attribute on user object matching username passed in

  • userdn (pulumi.Input[str]) – Base DN under which to perform user search
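
The parameters above decide whether the bind password and user passwords cross the network in the clear, whether the LDAP server's certificate is checked, and how far a token issued by this mount can travel. The following added example (not code from pulumi-vault or from the Terraform provider) is a pre-flight audit over the keyword-argument dict that would be passed to vault.ldap.AuthBackend, with a weak configuration beside a hardened one; the threshold constant, the finding texts, the CIDR and the PEM placeholder are this example's own constructed values, and the tls_min_version/tls_max_version defaults are the ones Vault documents for this backend.

```python
from urllib.parse import urlparse

# Identifiers Vault accepts for tls_min_version / tls_max_version, weakest first.
TLS_VERSIONS = ["tls10", "tls11", "tls12", "tls13"]
# Review threshold chosen for this example, not a Vault default.
MAX_TOKEN_TTL_SECONDS = 12 * 3600


def audit_ldap_auth_backend(args):
    """Return a list of findings for an AuthBackend keyword-argument dict.

    An empty list means every check passed. `args` holds the same keys that
    vault.ldap.AuthBackend(...) accepts (url, starttls, insecure_tls, ...).
    """
    findings = []
    url = urlparse(args.get("url") or "")
    starttls = bool(args.get("starttls", False))

    # Transport: the bind password and every user's password cross this link.
    if url.scheme == "ldap" and not starttls:
        findings.append("url is ldap:// without starttls; credentials are sent in clear text")
    elif url.scheme not in ("ldap", "ldaps"):
        findings.append("url scheme must be ldap:// or ldaps://")

    # Certificate validation of the LDAP server.
    if args.get("insecure_tls"):
        findings.append("insecure_tls=True disables TLS certificate validation")
    elif (url.scheme == "ldaps" or starttls) and not args.get("certificate"):
        findings.append("certificate unset; no pinned CA for the LDAP server")

    # Protocol version floor and ordering (defaults as documented by Vault: tls12).
    tls_min = args.get("tls_min_version", "tls12")
    tls_max = args.get("tls_max_version", "tls12")
    if tls_min not in TLS_VERSIONS or tls_max not in TLS_VERSIONS:
        findings.append("tls_min_version/tls_max_version must be one of " + ", ".join(TLS_VERSIONS))
    else:
        if TLS_VERSIONS.index(tls_min) < TLS_VERSIONS.index("tls12"):
            findings.append(f"tls_min_version={tls_min} allows TLS below 1.2")
        if TLS_VERSIONS.index(tls_max) < TLS_VERSIONS.index(tls_min):
            findings.append("tls_max_version is lower than tls_min_version")

    # Bind behaviour: an empty password must not turn into an anonymous bind.
    if args.get("deny_null_bind") is False:
        findings.append("deny_null_bind=False permits empty-password (null) binds")
    if args.get("binddn") and not args.get("bindpass"):
        findings.append("binddn set without bindpass")

    # Token scoping: what a successful LDAP login hands out.
    if not args.get("token_bound_cidrs"):
        findings.append("token_bound_cidrs empty; issued tokens are usable from any source address")
    max_ttl = args.get("token_max_ttl")
    if max_ttl is not None and max_ttl > MAX_TOKEN_TTL_SECONDS:
        findings.append(f"token_max_ttl={max_ttl}s exceeds the {MAX_TOKEN_TTL_SECONDS}s review threshold")
    return findings


# Constructed weak configuration: plaintext LDAP, no certificate checks, old TLS,
# null binds allowed, a bind DN with no password, and unscoped tokens.
WEAK_ARGS = {
    "url": "ldap://dc-01.example.org",
    "insecure_tls": True,
    "tls_min_version": "tls10",
    "binddn": "CN=vault,OU=Service,DC=example,DC=org",
    "deny_null_bind": False,
    "userdn": "OU=Users,OU=Accounts,DC=example,DC=org",
}

# Constructed hardened configuration for the same directory. In a real program
# bindpass would come from pulumi.Config().require_secret(...) rather than a literal.
HARDENED_ARGS = {
    "url": "ldaps://dc-01.example.org",
    "certificate": "PLACEHOLDER-CA-PEM",  # the issuing CA of dc-01's certificate
    "insecure_tls": False,
    "tls_min_version": "tls12",
    "binddn": "CN=vault,OU=Service,DC=example,DC=org",
    "bindpass": "PLACEHOLDER-SECRET",
    "deny_null_bind": True,
    "userdn": "OU=Users,OU=Accounts,DC=example,DC=org",
    "userattr": "sAMAccountName",
    "groupdn": "OU=Groups,DC=example,DC=org",
    "groupfilter": "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
    "upndomain": "EXAMPLE.ORG",
    "token_bound_cidrs": ["10.0.0.0/8"],  # constructed internal range
    "token_ttl": 3600,
    "token_max_ttl": 4 * 3600,
    "token_explicit_max_ttl": 8 * 3600,
}


if __name__ == "__main__":
    for name, args in (("weak", WEAK_ARGS), ("hardened", HARDENED_ARGS)):
        print(name, audit_ldap_auth_backend(args) or "OK")
    # Once the audit returns no findings the dict is passed straight through:
    #   vault.ldap.AuthBackend("ldap", path="ldap", **HARDENED_ARGS)
```

The audit runs on plain dicts so it can be executed in a unit test before any Pulumi program is deployed; keeping the arguments in a dict also means the same values feed both the check and the AuthBackend constructor, so the two cannot drift apart.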

accessor: pulumi.Output[str] = None

The accessor for this auth mount.

binddn: pulumi.Output[str] = None

DN of object to bind when performing user search

bindpass: pulumi.Output[str] = None

Password to use with binddn when performing user search

certificate: pulumi.Output[str] = None

Trusted CA to validate TLS certificate

description: pulumi.Output[str] = None

Description for the LDAP auth backend mount

groupattr: pulumi.Output[str] = None

LDAP attribute to follow on objects returned by groupfilter

groupdn: pulumi.Output[str] = None

Base DN under which to perform group search

groupfilter: pulumi.Output[str] = None

Go template used to construct group membership query

insecure_tls: pulumi.Output[bool] = None

Control whether or not TLS certificates must be validated

path: pulumi.Output[str] = None

Path to mount the LDAP auth backend under

starttls: pulumi.Output[bool] = None

Control use of TLS when connecting to LDAP

tls_max_version: pulumi.Output[str] = None

Maximum acceptable version of TLS

tls_min_version: pulumi.Output[str] = None

Minimum acceptable version of TLS

token_bound_cidrs: pulumi.Output[list] = None

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

token_explicit_max_ttl: pulumi.Output[float] = None

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

token_max_ttl: pulumi.Output[float] = None

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

token_no_default_policy: pulumi.Output[bool] = None

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

token_num_uses: pulumi.Output[float] = None

The period, if any, in number of seconds to set on the token.

token_period: pulumi.Output[float] = None

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

token_policies: pulumi.Output[list] = None

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

token_ttl: pulumi.Output[float] = None

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

token_type: pulumi.Output[str] = None

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

upndomain: pulumi.Output[str] = None

The userPrincipalDomain used to construct UPN string

url: pulumi.Output[str] = None

The URL of the LDAP server

use_token_groups: pulumi.Output[bool] = None

Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships

userattr: pulumi.Output[str] = None

Attribute on user object matching username passed in

userdn: pulumi.Output[str] = None

Base DN under which to perform user search

static get(resource_name, id, opts=None, accessor=None, binddn=None, bindpass=None, certificate=None, deny_null_bind=None, description=None, discoverdn=None, groupattr=None, groupdn=None, groupfilter=None, insecure_tls=None, path=None, starttls=None, tls_max_version=None, tls_min_version=None, token_bound_cidrs=None, token_explicit_max_ttl=None, token_max_ttl=None, token_no_default_policy=None, token_num_uses=None, token_period=None, token_policies=None, token_ttl=None, token_type=None, upndomain=None, url=None, use_token_groups=None, userattr=None, userdn=None)

Get an existing AuthBackend resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • accessor (pulumi.Input[str]) – The accessor for this auth mount.

  • binddn (pulumi.Input[str]) – DN of object to bind when performing user search

  • bindpass (pulumi.Input[str]) – Password to use with binddn when performing user search

  • certificate (pulumi.Input[str]) – Trusted CA to validate TLS certificate

  • description (pulumi.Input[str]) – Description for the LDAP auth backend mount

  • groupattr (pulumi.Input[str]) – LDAP attribute to follow on objects returned by groupfilter

  • groupdn (pulumi.Input[str]) – Base DN under which to perform group search

  • groupfilter (pulumi.Input[str]) – Go template used to construct group membership query

  • insecure_tls (pulumi.Input[bool]) – Control whether or not TLS certificates must be validated

  • path (pulumi.Input[str]) – Path to mount the LDAP auth backend under

  • starttls (pulumi.Input[bool]) – Control use of TLS when connecting to LDAP

  • tls_max_version (pulumi.Input[str]) – Maximum acceptable version of TLS

  • tls_min_version (pulumi.Input[str]) – Minimum acceptable version of TLS

  • token_bound_cidrs (pulumi.Input[list]) – List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

  • token_explicit_max_ttl (pulumi.Input[float]) – If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

  • token_max_ttl (pulumi.Input[float]) – The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

  • token_no_default_policy (pulumi.Input[bool]) – If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

  • token_num_uses (pulumi.Input[float]) – The period, if any, in number of seconds to set on the token.

  • token_period (pulumi.Input[float]) – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

  • token_policies (pulumi.Input[list]) – List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

  • token_ttl (pulumi.Input[float]) – The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

  • token_type (pulumi.Input[str]) – The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

  • upndomain (pulumi.Input[str]) – The userPrincipalDomain used to construct UPN string

  • url (pulumi.Input[str]) – The URL of the LDAP server

  • use_token_groups (pulumi.Input[bool]) – Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships

  • userattr (pulumi.Input[str]) – Attribute on user object matching username passed in

  • userdn (pulumi.Input[str]) – Base DN under which to perform user search

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_vault.ldap.AuthBackendGroup(resource_name, opts=None, backend=None, groupname=None, policies=None, __props__=None, __name__=None, __opts__=None)

Provides a resource to create a group in an LDAP auth backend within Vault.

import pulumi
import pulumi_vault as vault

ldap = vault.ldap.AuthBackend("ldap",
    discoverdn=False,
    groupdn="OU=Groups,DC=example,DC=org",
    groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
    path="ldap",
    upndomain="EXAMPLE.ORG",
    url="ldaps://dc-01.example.org",
    userattr="sAMAccountName",
    userdn="OU=Users,OU=Accounts,DC=example,DC=org")
group = vault.ldap.AuthBackendGroup("group",
    backend=ldap.path,
    groupname="dba",
    policies=["dba"])

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • backend (pulumi.Input[str]) – Path to the authentication backend

  • groupname (pulumi.Input[str]) – The LDAP groupname

  • policies (pulumi.Input[list]) – Policies which should be granted to members of the group

backend: pulumi.Output[str] = None

Path to the authentication backend

groupname: pulumi.Output[str] = None

The LDAP groupname

policies: pulumi.Output[list] = None

Policies which should be granted to members of the group

static get(resource_name, id, opts=None, backend=None, groupname=None, policies=None)

Get an existing AuthBackendGroup resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • backend (pulumi.Input[str]) – Path to the authentication backend

  • groupname (pulumi.Input[str]) – The LDAP groupname

  • policies (pulumi.Input[list]) – Policies which should be granted to members of the group

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_vault.ldap.AuthBackendUser(resource_name, opts=None, backend=None, groups=None, policies=None, username=None, __props__=None, __name__=None, __opts__=None)

Provides a resource to create a user in an LDAP auth backend within Vault.

import pulumi
import pulumi_vault as vault

ldap = vault.ldap.AuthBackend("ldap",
    discoverdn=False,
    groupdn="OU=Groups,DC=example,DC=org",
    groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
    path="ldap",
    upndomain="EXAMPLE.ORG",
    url="ldaps://dc-01.example.org",
    userattr="sAMAccountName",
    userdn="OU=Users,OU=Accounts,DC=example,DC=org")
user = vault.ldap.AuthBackendUser("user",
    backend=ldap.path,
    policies=[
        "dba",
        "sysops",
    ],
    username="test-user")

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • backend (pulumi.Input[str]) – Path to the authentication backend

  • groups (pulumi.Input[list]) – Override LDAP groups which should be granted to user

  • policies (pulumi.Input[list]) – Policies which should be granted to user

  • username (pulumi.Input[str]) – The LDAP username
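
AuthBackendGroup and AuthBackendUser (above) are reviewed as a pair, since the policies a login receives come from both. The following added example (not code from pulumi-vault or from the Terraform provider) models that combination and reviews a proposed mapping before it is applied. Its assumptions, stated here and in the code: the LDAP method unions the groups discovered through groupfilter with the user's own groups list, unions the policies of all those groups with the user's own policies, normalizes group and user names to lowercase, and adds default unless the backend sets token_no_default_policy. The group and user tables, the mount path "ldap", the forbidden-policy list and the review texts are constructed for this example.

```python
def effective_policies(username, ldap_groups, group_mappings, user_mappings,
                       token_no_default_policy=False):
    """Return the sorted policies a login for `username` would receive.

    ldap_groups:    group names the directory returned for the user
    group_mappings: {groupname: [policies]}  (one AuthBackendGroup each)
    user_mappings:  {username: {"groups": [...], "policies": [...]}}
                    (one AuthBackendUser each)
    Assumption of this model: names are compared case-insensitively, and the
    user's groups list is added to, not substituted for, the LDAP groups.
    """
    user = user_mappings.get(username.lower(), {})
    groups = {g.lower() for g in ldap_groups} | {g.lower() for g in user.get("groups", [])}
    policies = set(user.get("policies", []))
    for group in groups:
        policies.update(group_mappings.get(group, []))
    if not token_no_default_policy:
        policies.add("default")  # added by Vault unless token_no_default_policy is set
    return sorted(policies)


def review_mappings(group_mappings, user_mappings, forbidden=("root",)):
    """Findings on the mapping itself, independent of any particular login."""
    findings = []
    for group, pols in group_mappings.items():
        for policy in pols:
            if policy in forbidden:
                findings.append(f"group {group!r} grants forbidden policy {policy!r}")
    for user, entry in user_mappings.items():
        for policy in entry.get("policies", []):
            if policy in forbidden:
                findings.append(f"user {user!r} grants forbidden policy {policy!r}")
        # Per-user grants bypass the group review trail; flag them for a second look.
        if entry.get("policies"):
            findings.append(f"user {user!r} has direct policies {entry['policies']}; prefer a group mapping")
    return findings


def to_pulumi_args(backend_path, group_mappings, user_mappings):
    """Turn the tables into (resource class name, keyword arguments) pairs.

    Each pair is what vault.ldap.AuthBackendGroup(...) / AuthBackendUser(...)
    would be called with; `backend_path` stands in for the AuthBackend's path output.
    """
    resources = []
    for group, pols in sorted(group_mappings.items()):
        resources.append(("AuthBackendGroup",
                          {"backend": backend_path, "groupname": group, "policies": list(pols)}))
    for user, entry in sorted(user_mappings.items()):
        resources.append(("AuthBackendUser",
                          {"backend": backend_path, "username": user,
                           "groups": list(entry.get("groups", [])),
                           "policies": list(entry.get("policies", []))}))
    return resources


# Constructed tables mirroring the resources documented on this page.
GROUP_MAPPINGS = {"dba": ["dba"], "sysops": ["sysops"]}
USER_MAPPINGS = {"test-user": {"groups": [], "policies": ["dba", "sysops"]}}


if __name__ == "__main__":
    print("alice in LDAP group DBA ->", effective_policies("alice", ["DBA"], GROUP_MAPPINGS, USER_MAPPINGS))
    print("test-user, no LDAP groups ->", effective_policies("test-user", [], GROUP_MAPPINGS, USER_MAPPINGS))
    print("review:", review_mappings(GROUP_MAPPINGS, USER_MAPPINGS))
    for cls, kwargs in to_pulumi_args("ldap", GROUP_MAPPINGS, USER_MAPPINGS):
        print(cls, kwargs)  # e.g. vault.ldap.AuthBackendGroup("dba", **kwargs)
```

Running effective_policies over a few representative logins before applying the mappings answers the question a reviewer actually asks of an LDAP auth mount: which Vault policies does a given directory user end up holding, and through which group.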

backend: pulumi.Output[str] = None

Path to the authentication backend

groups: pulumi.Output[list] = None

Override LDAP groups which should be granted to user

policies: pulumi.Output[list] = None

Policies which should be granted to user

username: pulumi.Output[str] = None

The LDAP username

static get(resource_name, id, opts=None, backend=None, groups=None, policies=None, username=None)

Get an existing AuthBackendUser resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • backend (pulumi.Input[str]) – Path to the authentication backend

  • groups (pulumi.Input[list]) – Override LDAP groups which should be granted to user

  • policies (pulumi.Input[list]) – Policies which should be granted to user

  • username (pulumi.Input[str]) – The LDAP username

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str