74 Commits

Author SHA1 Message Date
Brian Nuszkowski
4a5ecd5d6c Disallow passwords LDAP binds by default (#2103) 2016-12-01 10:11:40 -08:00
Thomas Soëte
a5bc54cbbf Close ldap connection to avoid leak (#2130) 2016-11-28 09:31:36 -08:00
Glenn McAllister
4bb7c96827 Add ldap tls_max_version config (#2060) 2016-11-07 13:43:39 -05:00
vishalnayak
60b638f3b2 Deduplicate the policies in ldap backend 2016-10-14 17:20:50 -04:00
Jeff Mitchell
c748ff322f Change default TTL from 30 to 32 to accommodate monthly operations (#1942) 2016-09-28 18:32:49 -04:00
Jeff Mitchell
68345eb770 Convert to logxi 2016-08-21 18:13:37 -04:00
Jeff Mitchell
373e42d60c Return warning about ACLing the LDAP configuration endpoint.
Fixes #1263
2016-08-08 10:18:36 -04:00
Jeff Mitchell
d466462b8d Fix re-specification of filter 2016-07-25 09:08:29 -04:00
Oren Shomron
005cb3e042 LDAP Auth Backend Overhaul
--------------------------

Added new configuration option to ldap auth backend - groupfilter.
GroupFilter accepts a Go template which will be used in conjunction with
GroupDN for finding the groups a user is a member of. The template will
be provided with context consisting of UserDN and Username.

Simplified group membership lookup significantly to support multiple use-cases:
  * Enumerating groups via memberOf attribute on user object
  * Previous default behavior of querying groups based on member/memberUid/uniqueMember attributes
  * Custom queries to support nested groups in AD via LDAP_MATCHING_RULE_IN_CHAIN matching rule

There is now a new configuration option - groupattr - which specifies
how to resolve group membership from the objects returned by the primary groupfilter query.

Additional changes:
  * Clarify documentation for LDAP auth backend.
  * Reworked how default values are set, added tests
  * Removed Dial from LDAP config read. Network should not affect configuration.
2016-07-22 21:20:05 -04:00
vishalnayak
6977bdd490 Handled upgrade path for TLSMinVersion 2016-07-13 12:42:51 -04:00
vishalnayak
98d5684699 Address review feedback 2016-07-13 11:52:26 -04:00
vishalnayak
150cba24a7 Added tls_min_version to consul storage backend 2016-07-12 20:10:54 -04:00
vishalnayak
ee6ba1e85e Make 'tls_min_version' configurable 2016-07-12 19:32:47 -04:00
vishalnayak
f200a8568b Set minimum TLS version in all tls.Config objects 2016-07-12 17:06:28 -04:00
vishalnayak
cfe0aa860e Backend() functions should return 'backend' objects.
If they return pointers to 'framework.Backend' objects, the receiver functions can't be tested.
2016-06-10 15:53:02 -04:00
Jeff Mitchell
74a1e3bd61 Remove most Root paths 2016-05-31 23:42:54 +00:00
vishalnayak
80faa2f4ed s/logical.ErrorResponse/fmt.Errorf in renewal functions of credential backends 2016-05-26 10:21:03 -04:00
Jeff Mitchell
0b7e8cf1c8 Merge pull request #1245 from LeonDaniel/master
Improved groups search for LDAP login
2016-05-19 12:13:29 -04:00
Oren Shomron
24ae32f10d Support listing ldap group to policy mappings (Fixes #1270) 2016-05-14 20:00:40 -04:00
leon
7caa667fef - updated refactored functions in ldap backend to return error instead of ldap response and fixed interrupted search in ldap groups search func 2016-04-27 18:17:54 +03:00
leon
df7723bb38 - refactored functionality in separate functions in ldap backend and used a separate ldap query to get ldap groups from userDN 2016-04-27 15:00:26 +03:00
leon
2d31a064f3 - fixed merge with upstream master 2016-04-26 13:23:43 +03:00
leon
ea2efb6531 Merge remote-tracking branch 'upstream/master'
Conflicts:
	builtin/credential/ldap/backend.go
2016-04-26 13:16:42 +03:00
vishalnayak
5f1829af67 Utility Enhancements 2016-04-05 20:32:59 -04:00
vishalnayak
ac5ceae0bd Added AcceptanceTest boolean to logical.TestCase 2016-04-05 15:10:44 -04:00
Jeff Mitchell
f5f9c098b7 Some fixups around error/warning in LDAP 2016-04-02 13:33:00 -04:00
Jeff Mitchell
aca4e79ac6 If no group DN is configured, still look for policies on local users and
return a warning, rather than just trying to do an LDAP search on an
empty string.
2016-04-02 13:11:36 -04:00
Jeff Mitchell
aa6a5fa25b Fix potential error scoping issue.
Ping #1262
2016-03-30 19:48:23 -04:00
Jeff Mitchell
8926a7c7c7 Check for nil connection back from go-ldap, which apparently can happen even with no error
Ping #1262
2016-03-29 10:00:04 -04:00
Jeff Mitchell
7ce9701800 Properly check for policy equivalency during renewal.
This introduces a function that compares two string policy sets while
ignoring the presence of "default" (since it's added by core, not the
backend), and ensuring that ordering and/or duplication are not failure
conditions.

Fixes #1256
2016-03-24 09:41:51 -04:00
leon
8ebacbc563 - updated LDAP group search by iterating through all the attributes and searching for CN value instead of assuming the CN is always the first attribute from the RDN list 2016-03-21 19:44:08 +02:00
leon
df96234ac9 - added another method to search LDAP groups by querying the userDN for memberOf attribute 2016-03-21 16:55:38 +02:00
Jeff Mitchell
7ef904b930 Use better error message on LDAP renew failure 2016-03-07 09:34:16 -05:00
Jeff Mitchell
65494f8268 Merge pull request #1100 from hashicorp/issue-1030
Properly escape filter values in LDAP filters
2016-02-19 14:56:40 -05:00
Jeff Mitchell
73e84b8c38 Address some feedback on ldap escaping help text 2016-02-19 13:47:26 -05:00
Jeff Mitchell
a2aad0bbd6 Properly escape filter values.
Fixes #1030
2016-02-19 13:16:52 -05:00
Jeff Mitchell
331f57c082 Update LDAP documentation with a note on escaping 2016-02-19 13:16:18 -05:00
Jeff Mitchell
6ef35dcbb7 Add tests to ldap using the discover capability 2016-02-19 11:46:59 -05:00
Jeff Mitchell
7458084e09 Add ldap tests that use a bind dn and bind password 2016-02-19 11:38:27 -05:00
Jeff Mitchell
2eb08d3bde Make backends much more consistent:
1) Use the new LeaseExtend
2) Use default values controlled by mount tuning/system defaults instead
of a random hard coded value
3) Remove grace periods
2016-01-29 20:03:37 -05:00
Hanno Hecker
ba9b20d275 discover bind dn with anonymous binds 2016-01-27 17:06:27 +01:00
Hanno Hecker
a702f849bc fix stupid c&p error 2016-01-26 16:15:25 +01:00
Hanno Hecker
11aee85c0b add binddn/bindpath to search for the user's bind DN 2016-01-26 15:56:41 +01:00
Jeff Mitchell
45e32756ea WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Jeff Mitchell
5c73e779c4 Add StaticSystemView to LDAP acceptance tests 2015-10-06 15:48:10 -04:00
Bradley Girardeau
7b6547abf7 Clean up naming and add documentation 2015-07-30 17:36:40 -07:00
Bradley Girardeau
083226f317 mfa: improve edge cases and documentation 2015-07-27 21:14:00 -07:00
Bradley Girardeau
85a4d740b5 ldap: add mfa support to CLI 2015-07-27 21:14:00 -07:00
Bradley Girardeau
5afc6115c7 ldap: add mfa to LDAP login 2015-07-27 21:14:00 -07:00
Bradley Girardeau
709b91fbd1 ldap: change setting user policies to setting user groups 2015-07-20 11:33:39 -07:00