Ben Gadbois
f80c851681
Fixing printf (and similar) issues (#2666)
2017-05-01 23:34:10 -04:00
Chris Hoffman
c4cc3fd96e
Do not lowercase groups attached to users in ldap (#2613)
2017-04-19 10:36:45 -04:00
Mitch Davis
a20815972c
Use service bind for searching LDAP groups (#2534)
Fixes #2387
2017-04-18 15:52:05 -04:00
Jeff Mitchell
cfd522e0f0
Use ParseStringSlice on PKI organization/organizational unit. (#2561)
After, separately dedup and use new flag to not lowercase value.
Fixes #2555
2017-04-04 08:54:18 -07:00
vishalnayak
8b9f3a0b49
use net.JoinHostPort
2017-02-08 18:39:09 -05:00
Jeff Mitchell
c01d394a8d
Add support for backup/multiple LDAP URLs. (#2350)
2017-02-08 14:59:24 -08:00
Jeff Mitchell
50ddab2a60
Merge pull request #2154 from fcantournet/default-ldap-username
ldap auth via cli defaults username to env (#2137)
2017-02-07 21:47:59 -08:00
Jeff Mitchell
9b96276ec1
Use Getenv instead of LookupEnv
This prevents returning empty username if LOGNAME is set but empty and USER is set but not empty.
2017-02-07 21:47:06 -08:00
Jeff Mitchell
aba31b7092
Update error text
2017-02-07 21:44:23 -08:00
Vishal Nayak
b706ec9506
ldap: Minor enhancements, tests and doc update (#2272)
2017-01-23 10:56:43 -05:00
Vishal Nayak
bbd6ec8841
Merge pull request #2152 from mr-tron/master
Thanks for submitting this. I am going to merge this in and write tests.
2017-01-13 14:29:46 -05:00
Jeff Mitchell
f56eae5e0d
Don't panic when TLS is enabled but the initial dial doesn't return a connection (#2188)
Related to #2186
2016-12-15 15:49:30 -05:00
Félix Cantournet
7bfecbd181
ldap auth via cli defaults username to env (#2137)
try to guess the username from 'LOGNAME' or if it isn't set 'USER'
2016-12-02 19:08:32 +01:00
Brian Nuszkowski
4a5ecd5d6c
Disallow passwords LDAP binds by default (#2103)
2016-12-01 10:11:40 -08:00
Denis Subbotin
34fd141771
fix checking that user's policies are not nil
2016-11-29 16:35:49 +03:00
Denis Subbotin
876c50539f
add support for per-user acl for ldap users
2016-11-29 13:32:59 +03:00
Thomas Soëte
a5bc54cbbf
Close ldap connection to avoid leak (#2130)
2016-11-28 09:31:36 -08:00
Glenn McAllister
4bb7c96827
Add ldap tls_max_version config (#2060)
2016-11-07 13:43:39 -05:00
vishalnayak
60b638f3b2
Deduplicate the policies in ldap backend
2016-10-14 17:20:50 -04:00
Jeff Mitchell
c748ff322f
Change default TTL from 30 to 32 to accommodate monthly operations (#1942)
2016-09-28 18:32:49 -04:00
Jeff Mitchell
68345eb770
Convert to logxi
2016-08-21 18:13:37 -04:00
Jeff Mitchell
373e42d60c
Return warning about ACLing the LDAP configuration endpoint.
Fixes #1263
2016-08-08 10:18:36 -04:00
Jeff Mitchell
d466462b8d
Fix re-specification of filter
2016-07-25 09:08:29 -04:00
Oren Shomron
005cb3e042
LDAP Auth Backend Overhaul
--------------------------
Added new configuration option to ldap auth backend - groupfilter.
GroupFilter accepts a Go template which will be used in conjunction with
GroupDN for finding the groups a user is a member of. The template will
be provided with context consisting of UserDN and Username.
Simplified group membership lookup significantly to support multiple use-cases:
* Enumerating groups via memberOf attribute on user object
* Previous default behavior of querying groups based on member/memberUid/uniqueMember attributes
* Custom queries to support nested groups in AD via LDAP_MATCHING_RULE_IN_CHAIN matching rule
There is now a new configuration option - groupattr - which specifies
how to resolve group membership from the objects returned by the primary groupfilter query.
Additional changes:
* Clarify documentation for LDAP auth backend.
* Reworked how default values are set, added tests
* Removed Dial from LDAP config read. Network should not affect configuration.
2016-07-22 21:20:05 -04:00
vishalnayak
6977bdd490
Handled upgrade path for TLSMinVersion
2016-07-13 12:42:51 -04:00
vishalnayak
98d5684699
Address review feedback
2016-07-13 11:52:26 -04:00
vishalnayak
150cba24a7
Added tls_min_version to consul storage backend
2016-07-12 20:10:54 -04:00
vishalnayak
ee6ba1e85e
Make 'tls_min_version' configurable
2016-07-12 19:32:47 -04:00
vishalnayak
f200a8568b
Set minimum TLS version in all tls.Config objects
2016-07-12 17:06:28 -04:00
vishalnayak
cfe0aa860e
Backend() functions should return 'backend' objects.
If they return pointers to 'framework.Backend' objects, the receiver functions can't be tested.
2016-06-10 15:53:02 -04:00
Jeff Mitchell
74a1e3bd61
Remove most Root paths
2016-05-31 23:42:54 +00:00
vishalnayak
80faa2f4ed
s/logical.ErrorResponse/fmt.Errorf in renewal functions of credential backends
2016-05-26 10:21:03 -04:00
Jeff Mitchell
0b7e8cf1c8
Merge pull request #1245 from LeonDaniel/master
Improved groups search for LDAP login
2016-05-19 12:13:29 -04:00
Oren Shomron
24ae32f10d
Support listing ldap group to policy mappings (Fixes #1270)
2016-05-14 20:00:40 -04:00
leon
7caa667fef
- updated refactored functions in ldap backend to return error instead of ldap response and fixed interrupted search in ldap groups search func
2016-04-27 18:17:54 +03:00
leon
df7723bb38
- refactored functionality in separate functions in ldap backend and used a separate ldap query to get ldap groups from userDN
2016-04-27 15:00:26 +03:00
leon
2d31a064f3
- fixed merge with upstream master
2016-04-26 13:23:43 +03:00
leon
ea2efb6531
Merge remote-tracking branch 'upstream/master'
Conflicts:
builtin/credential/ldap/backend.go
2016-04-26 13:16:42 +03:00
vishalnayak
5f1829af67
Utility Enhancements
2016-04-05 20:32:59 -04:00
vishalnayak
ac5ceae0bd
Added AcceptanceTest boolean to logical.TestCase
2016-04-05 15:10:44 -04:00
Jeff Mitchell
f5f9c098b7
Some fixups around error/warning in LDAP
2016-04-02 13:33:00 -04:00
Jeff Mitchell
aca4e79ac6
If no group DN is configured, still look for policies on local users and
return a warning, rather than just trying to do an LDAP search on an
empty string.
2016-04-02 13:11:36 -04:00
Jeff Mitchell
aa6a5fa25b
Fix potential error scoping issue.
Ping #1262
2016-03-30 19:48:23 -04:00
Jeff Mitchell
8926a7c7c7
Check for nil connection back from go-ldap, which apparently can happen even with no error
Ping #1262
2016-03-29 10:00:04 -04:00
Jeff Mitchell
7ce9701800
Properly check for policy equivalency during renewal.
This introduces a function that compares two string policy sets while
ignoring the presence of "default" (since it's added by core, not the
backend), and ensuring that ordering and/or duplication are not failure
conditions.
Fixes #1256
2016-03-24 09:41:51 -04:00
leon
8ebacbc563
- updated LDAP group search by iterating through all the attributes and searching for CN value instead of assuming the CN is always the first attribute from the RDN list
2016-03-21 19:44:08 +02:00
leon
df96234ac9
- added another method to search LDAP groups by querying the userDN for memberOf attribute
2016-03-21 16:55:38 +02:00
Jeff Mitchell
7ef904b930
Use better error message on LDAP renew failure
2016-03-07 09:34:16 -05:00
Jeff Mitchell
65494f8268
Merge pull request #1100 from hashicorp/issue-1030
...
Properly escape filter values in LDAP filters
2016-02-19 14:56:40 -05:00
Jeff Mitchell
73e84b8c38
Address some feedback on ldap escaping help text
2016-02-19 13:47:26 -05:00