AuthBackend
Provides a resource for managing an LDAP auth backend within Vault.
Example Usage
using Pulumi;
using Vault = Pulumi.Vault;

class MyStack : Stack
{
    public MyStack()
    {
        var ldap = new Vault.Ldap.AuthBackend("ldap", new Vault.Ldap.AuthBackendArgs
        {
            Discoverdn = false,
            Groupdn = "OU=Groups,DC=example,DC=org",
            Groupfilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
            Path = "ldap",
            Upndomain = "EXAMPLE.ORG",
            Url = "ldaps://dc-01.example.org",
            Userattr = "sAMAccountName",
            Userdn = "OU=Users,OU=Accounts,DC=example,DC=org",
        });
    }
}
Coming soon!
import pulumi
import pulumi_vault as vault

ldap = vault.ldap.AuthBackend("ldap",
    discoverdn=False,
    groupdn="OU=Groups,DC=example,DC=org",
    groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
    path="ldap",
    upndomain="EXAMPLE.ORG",
    url="ldaps://dc-01.example.org",
    userattr="sAMAccountName",
    userdn="OU=Users,OU=Accounts,DC=example,DC=org")

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const ldap = new vault.ldap.AuthBackend("ldap", {
    discoverdn: false,
    groupdn: "OU=Groups,DC=example,DC=org",
    groupfilter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
    path: "ldap",
    upndomain: "EXAMPLE.ORG",
    url: "ldaps://dc-01.example.org",
    userattr: "sAMAccountName",
    userdn: "OU=Users,OU=Accounts,DC=example,DC=org",
});

Create an AuthBackend Resource
new AuthBackend(name: string, args: AuthBackendArgs, opts?: CustomResourceOptions);
def AuthBackend(resource_name, opts=None, binddn=None, bindpass=None, certificate=None, deny_null_bind=None, description=None, discoverdn=None, groupattr=None, groupdn=None, groupfilter=None, insecure_tls=None, path=None, starttls=None, tls_max_version=None, tls_min_version=None, token_bound_cidrs=None, token_explicit_max_ttl=None, token_max_ttl=None, token_no_default_policy=None, token_num_uses=None, token_period=None, token_policies=None, token_ttl=None, token_type=None, upndomain=None, url=None, use_token_groups=None, userattr=None, userdn=None, __props__=None)
func NewAuthBackend(ctx *Context, name string, args AuthBackendArgs, opts ...ResourceOption) (*AuthBackend, error)
public AuthBackend(string name, AuthBackendArgs args, CustomResourceOptions? opts = null)
- name string
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- opts ResourceOptions
- A bag of options that control this resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
AuthBackend Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.
Inputs
The AuthBackend resource accepts the following input properties:
- Url string
The URL of the LDAP server
- Binddn string
DN of object to bind when performing user search
- Bindpass string
Password to use with binddn when performing user search
- Certificate string
Trusted CA to validate TLS certificate
- DenyNullBind bool
- Description string
Description for the LDAP auth backend mount
- Discoverdn bool
- Groupattr string
LDAP attribute to follow on objects returned by groupfilter
- Groupdn string
Base DN under which to perform group search
- Groupfilter string
Go template used to construct group membership query
- InsecureTls bool
Control whether or not TLS certificates must be validated
- Path string
Path to mount the LDAP auth backend under
- Starttls bool
Control use of TLS when connecting to LDAP
- TlsMaxVersion string
Maximum acceptable version of TLS
- TlsMinVersion string
Minimum acceptable version of TLS
- TokenBoundCidrs List<string>
List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- TokenExplicitMaxTtl int
If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.
- TokenMaxTtl int
The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- TokenNoDefaultPolicy bool
If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- TokenNumUses int
The period, if any, in number of seconds to set on the token.
- TokenPeriod int
If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.
- TokenPolicies List<string>
List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- TokenTtl int
The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- TokenType string
The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch, which specify the type to return unless the client requests a different type at generation time.
- Upndomain string
The userPrincipalDomain used to construct UPN string
- UseTokenGroups bool
Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships
- Userattr string
Attribute on user object matching username passed in
- Userdn string
Base DN under which to perform user search
- Url string
The URL of the LDAP server
- Binddn string
DN of object to bind when performing user search
- Bindpass string
Password to use with binddn when performing user search
- Certificate string
Trusted CA to validate TLS certificate
- DenyNullBind bool
- Description string
Description for the LDAP auth backend mount
- Discoverdn bool
- Groupattr string
LDAP attribute to follow on objects returned by groupfilter
- Groupdn string
Base DN under which to perform group search
- Groupfilter string
Go template used to construct group membership query
- InsecureTls bool
Control whether or not TLS certificates must be validated
- Path string
Path to mount the LDAP auth backend under
- Starttls bool
Control use of TLS when connecting to LDAP
- TlsMaxVersion string
Maximum acceptable version of TLS
- TlsMinVersion string
Minimum acceptable version of TLS
- TokenBoundCidrs []string
List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- TokenExplicitMaxTtl int
If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.
- TokenMaxTtl int
The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- TokenNoDefaultPolicy bool
If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- TokenNumUses int
The period, if any, in number of seconds to set on the token.
- TokenPeriod int
If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.
- TokenPolicies []string
List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- TokenTtl int
The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- TokenType string
The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch, which specify the type to return unless the client requests a different type at generation time.
- Upndomain string
The userPrincipalDomain used to construct UPN string
- UseTokenGroups bool
Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships
- Userattr string
Attribute on user object matching username passed in
- Userdn string
Base DN under which to perform user search
- url string
The URL of the LDAP server
- binddn string
DN of object to bind when performing user search
- bindpass string
Password to use with binddn when performing user search
- certificate string
Trusted CA to validate TLS certificate
- denyNullBind boolean
- description string
Description for the LDAP auth backend mount
- discoverdn boolean
- groupattr string
LDAP attribute to follow on objects returned by groupfilter
- groupdn string
Base DN under which to perform group search
- groupfilter string
Go template used to construct group membership query
- insecureTls boolean
Control whether or not TLS certificates must be validated
- path string
Path to mount the LDAP auth backend under
- starttls boolean
Control use of TLS when connecting to LDAP
- tlsMaxVersion string
Maximum acceptable version of TLS
- tlsMinVersion string
Minimum acceptable version of TLS
- tokenBoundCidrs string[]
List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- tokenExplicitMaxTtl number
If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.
- tokenMaxTtl number
The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- tokenNoDefaultPolicy boolean
If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- tokenNumUses number
The period, if any, in number of seconds to set on the token.
- tokenPeriod number
If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.
- tokenPolicies string[]
List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- tokenTtl number
The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- tokenType string
The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch, which specify the type to return unless the client requests a different type at generation time.
- upndomain string
The userPrincipalDomain used to construct UPN string
- useTokenGroups boolean
Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships
- userattr string
Attribute on user object matching username passed in
- userdn string
Base DN under which to perform user search
- url str
The URL of the LDAP server
- binddn str
DN of object to bind when performing user search
- bindpass str
Password to use with binddn when performing user search
- certificate str
Trusted CA to validate TLS certificate
- deny_null_bind bool
- description str
Description for the LDAP auth backend mount
- discoverdn bool
- groupattr str
LDAP attribute to follow on objects returned by groupfilter
- groupdn str
Base DN under which to perform group search
- groupfilter str
Go template used to construct group membership query
- insecure_tls bool
Control whether or not TLS certificates must be validated
- path str
Path to mount the LDAP auth backend under
- starttls bool
Control use of TLS when connecting to LDAP
- tls_max_version str
Maximum acceptable version of TLS
- tls_min_version str
Minimum acceptable version of TLS
- token_bound_cidrs List[str]
List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token_explicit_max_ttl float
If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.
- token_max_ttl float
The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token_no_default_policy bool
If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token_num_uses float
The period, if any, in number of seconds to set on the token.
- token_period float
If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.
- token_policies List[str]
List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token_ttl float
The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token_type str
The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch, which specify the type to return unless the client requests a different type at generation time.
- upndomain str
The userPrincipalDomain used to construct UPN string
- use_token_groups bool
Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships
- userattr str
Attribute on user object matching username passed in
- userdn str
Base DN under which to perform user search
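Several of the inputs above can be combined into a mount that accepts logins over cleartext, skips certificate validation, or issues tokens that never reach a hard expiry. The check below is an added example, not code from the Pulumi provider or its docs: it takes the Python SDK's snake_case argument names as a plain dict and reports such combinations before the resource is deployed. It assumes Vault's tls10..tls13 version strings and the deny_null_bind default from Vault's own docs; the rule set and severity labels are the example's own.

```python
"""Pre-deployment lint for vault.ldap.AuthBackend arguments (added example,
not part of the Pulumi provider). Takes the Python SDK's snake_case argument
names as a plain dict and reports settings that weaken the LDAP auth mount.
Rule set and severity labels are this example's own choices.
"""
from typing import Dict, List
from urllib.parse import urlparse

# Vault's tls_min_version / tls_max_version values, ordered weakest to strongest.
TLS_ORDER = {"tls10": 0, "tls11": 1, "tls12": 2, "tls13": 3}


def lint_ldap_auth_backend(args: Dict) -> List[str]:
    """Return a list of 'SEVERITY: message' findings; empty means clean."""
    findings: List[str] = []
    scheme = urlparse(args.get("url", "")).scheme.lower()
    starttls = bool(args.get("starttls", False))

    # Transport: the bind password and every user's login password cross this
    # connection, so require ldaps:// or StartTLS on a plain ldap:// URL.
    if scheme == "ldap" and not starttls:
        findings.append("HIGH: url is ldap:// without starttls; bind and user "
                        "credentials travel in cleartext")
    elif scheme not in ("ldap", "ldaps"):
        findings.append(f"HIGH: url scheme {scheme!r} is not ldap or ldaps")

    # Certificate validation: insecure_tls=True turns it off entirely, which
    # makes the `certificate` (trusted CA) setting meaningless.
    if args.get("insecure_tls"):
        findings.append("HIGH: insecure_tls is true; the server certificate is "
                        "not validated")

    # TLS floor and ceiling, both given as Vault version strings.
    tls_min = args.get("tls_min_version")
    tls_max = args.get("tls_max_version")
    if tls_min is not None and TLS_ORDER.get(tls_min, -1) < TLS_ORDER["tls12"]:
        findings.append(f"MEDIUM: tls_min_version {tls_min!r} allows TLS older than 1.2")
    if tls_min in TLS_ORDER and tls_max in TLS_ORDER and TLS_ORDER[tls_max] < TLS_ORDER[tls_min]:
        findings.append("HIGH: tls_max_version is below tls_min_version; every handshake will fail")

    # Anonymous bind: Vault's deny_null_bind (default true, per Vault's docs)
    # rejects logins that supply an empty password; only an explicit False
    # disables it, so a missing key is not a finding.
    if args.get("deny_null_bind") is False:
        findings.append("HIGH: deny_null_bind is false; an empty password may be "
                        "accepted by the directory")

    # Search scoping: the group query must be tied to the authenticating user.
    groupfilter = args.get("groupfilter", "")
    if groupfilter and "{{.UserDN}}" not in groupfilter and "{{.Username}}" not in groupfilter:
        findings.append("MEDIUM: groupfilter references neither {{.UserDN}} nor "
                        "{{.Username}}; it cannot select the user's own groups")

    # Token hygiene: a periodic token renews forever unless token_explicit_max_ttl
    # caps it, and unbounded CIDRs let a leaked token be replayed from anywhere.
    if args.get("token_period") and not args.get("token_explicit_max_ttl"):
        findings.append("MEDIUM: token_period set without token_explicit_max_ttl; "
                        "tokens never reach a hard expiry")
    if not args.get("token_bound_cidrs"):
        findings.append("LOW: token_bound_cidrs is empty; issued tokens are usable "
                        "from any source address")
    return findings


# The page's Example Usage arguments, reproduced as a dict (constructed input).
PAGE_EXAMPLE = {
    "discoverdn": False,
    "groupdn": "OU=Groups,DC=example,DC=org",
    "groupfilter": "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
    "path": "ldap",
    "upndomain": "EXAMPLE.ORG",
    "url": "ldaps://dc-01.example.org",
    "userattr": "sAMAccountName",
    "userdn": "OU=Users,OU=Accounts,DC=example,DC=org",
}

# A deliberately weakened variant (constructed) that review should reject.
WEAK_EXAMPLE = dict(PAGE_EXAMPLE, url="ldap://dc-01.example.org", insecure_tls=True,
                    tls_min_version="tls10", deny_null_bind=False, token_period=3600)

if __name__ == "__main__":
    for label, cfg in (("page example", PAGE_EXAMPLE), ("weak variant", WEAK_EXAMPLE)):
        print(f"{label}: {lint_ldap_auth_backend(cfg) or ['no findings']}")
```

Run against the page's own example it reports only the missing token_bound_cidrs; the weakened variant trips the transport, certificate, TLS floor, null-bind and token-period rules.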
Outputs
All input properties are implicitly available as output properties. Additionally, the AuthBackend resource produces the following output properties:
Look up an Existing AuthBackend Resource
Get an existing AuthBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: AuthBackendState, opts?: CustomResourceOptions): AuthBackend
static get(resource_name, id, opts=None, accessor=None, binddn=None, bindpass=None, certificate=None, deny_null_bind=None, description=None, discoverdn=None, groupattr=None, groupdn=None, groupfilter=None, insecure_tls=None, path=None, starttls=None, tls_max_version=None, tls_min_version=None, token_bound_cidrs=None, token_explicit_max_ttl=None, token_max_ttl=None, token_no_default_policy=None, token_num_uses=None, token_period=None, token_policies=None, token_ttl=None, token_type=None, upndomain=None, url=None, use_token_groups=None, userattr=None, userdn=None, __props__=None)
func GetAuthBackend(ctx *Context, name string, id IDInput, state *AuthBackendState, opts ...ResourceOption) (*AuthBackend, error)
public static AuthBackend Get(string name, Input<string> id, AuthBackendState? state, CustomResourceOptions? opts = null)
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
The following state arguments are supported:
- Accessor string
The accessor for this auth mount.
- Binddn string
DN of object to bind when performing user search
- Bindpass string
Password to use with binddn when performing user search
- Certificate string
Trusted CA to validate TLS certificate
- DenyNullBind bool
- Description string
Description for the LDAP auth backend mount
- Discoverdn bool
- Groupattr string
LDAP attribute to follow on objects returned by groupfilter
- Groupdn string
Base DN under which to perform group search
- Groupfilter string
Go template used to construct group membership query
- InsecureTls bool
Control whether or not TLS certificates must be validated
- Path string
Path to mount the LDAP auth backend under
- Starttls bool
Control use of TLS when connecting to LDAP
- TlsMaxVersion string
Maximum acceptable version of TLS
- TlsMinVersion string
Minimum acceptable version of TLS
- TokenBoundCidrs List<string>
List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- TokenExplicitMaxTtl int
If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.
- TokenMaxTtl int
The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- TokenNoDefaultPolicy bool
If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- TokenNumUses int
The period, if any, in number of seconds to set on the token.
- TokenPeriod int
If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.
- TokenPolicies List<string>
List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- TokenTtl int
The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- TokenType string
The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch, which specify the type to return unless the client requests a different type at generation time.
- Upndomain string
The userPrincipalDomain used to construct UPN string
- Url string
The URL of the LDAP server
- UseTokenGroups bool
Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships
- Userattr string
Attribute on user object matching username passed in
- Userdn string
Base DN under which to perform user search
- Accessor string
The accessor for this auth mount.
- Binddn string
DN of object to bind when performing user search
- Bindpass string
Password to use with binddn when performing user search
- Certificate string
Trusted CA to validate TLS certificate
- DenyNullBind bool
- Description string
Description for the LDAP auth backend mount
- Discoverdn bool
- Groupattr string
LDAP attribute to follow on objects returned by groupfilter
- Groupdn string
Base DN under which to perform group search
- Groupfilter string
Go template used to construct group membership query
- InsecureTls bool
Control whether or not TLS certificates must be validated
- Path string
Path to mount the LDAP auth backend under
- Starttls bool
Control use of TLS when connecting to LDAP
- TlsMaxVersion string
Maximum acceptable version of TLS
- TlsMinVersion string
Minimum acceptable version of TLS
- TokenBoundCidrs []string
List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- TokenExplicitMaxTtl int
If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.
- TokenMaxTtl int
The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- TokenNoDefaultPolicy bool
If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- TokenNumUses int
The period, if any, in number of seconds to set on the token.
- TokenPeriod int
If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.
- TokenPolicies []string
List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- TokenTtl int
The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- TokenType string
The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch, which specify the type to return unless the client requests a different type at generation time.
- Upndomain string
The userPrincipalDomain used to construct UPN string
- Url string
The URL of the LDAP server
- UseTokenGroups bool
Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships
- Userattr string
Attribute on user object matching username passed in
- Userdn string
Base DN under which to perform user search
- accessor string
The accessor for this auth mount.
- binddn string
DN of object to bind when performing user search
- bindpass string
Password to use with binddn when performing user search
- certificate string
Trusted CA to validate TLS certificate
- denyNullBind boolean
- description string
Description for the LDAP auth backend mount
- discoverdn boolean
- groupattr string
LDAP attribute to follow on objects returned by groupfilter
- groupdn string
Base DN under which to perform group search
- groupfilter string
Go template used to construct group membership query
- insecureTls boolean
Control whether or not TLS certificates must be validated
- path string
Path to mount the LDAP auth backend under
- starttls boolean
Control use of TLS when connecting to LDAP
- tlsMaxVersion string
Maximum acceptable version of TLS
- tlsMinVersion string
Minimum acceptable version of TLS
- tokenBoundCidrs string[]
List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- tokenExplicitMaxTtl number
If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.
- tokenMaxTtl number
The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- tokenNoDefaultPolicy boolean
If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- tokenNumUses number
The period, if any, in number of seconds to set on the token.
- tokenPeriod number
If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.
- tokenPolicies string[]
List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- tokenTtl number
The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- tokenType string
The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch, which specify the type to return unless the client requests a different type at generation time.
- upndomain string
The userPrincipalDomain used to construct UPN string
- url string
The URL of the LDAP server
- useTokenGroups boolean
Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships
- userattr string
Attribute on user object matching username passed in
- userdn string
Base DN under which to perform user search
- accessor str
The accessor for this auth mount.
- binddn str
DN of object to bind when performing user search
- bindpass str
Password to use with binddn when performing user search
- certificate str
Trusted CA to validate TLS certificate
- deny_null_bind bool
- description str
Description for the LDAP auth backend mount
- discoverdn bool
- groupattr str
LDAP attribute to follow on objects returned by groupfilter
- groupdn str
Base DN under which to perform group search
- groupfilter str
Go template used to construct group membership query
- insecure_tls bool
Control whether or not TLS certificates must be validated
- path str
Path to mount the LDAP auth backend under
- starttls bool
Control use of TLS when connecting to LDAP
- tls_max_version str
Maximum acceptable version of TLS
- tls_min_version str
Minimum acceptable version of TLS
- token_bound_cidrs List[str]
List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token_explicit_max_ttl float
If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.
- token_max_ttl float
The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token_no_default_policy bool
If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token_num_uses float
The period, if any, in number of seconds to set on the token.
- token_period float
If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.
- token_policies List[str]
List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token_ttl float
The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token_type str
The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch, which specify the type to return unless the client requests a different type at generation time.
- upndomain str
The userPrincipalDomain used to construct UPN string
- url str
The URL of the LDAP server
- use_token_groups bool
Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships
- userattr str
Attribute on user object matching username passed in
- userdn str
Base DN under which to perform user search
Package Details
- Repository
- https://github.com/pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the vault Terraform Provider.