1. Using Vault auth policies with LDAP


    Working with HashiCorp Vault's authentication policies in conjunction with LDAP (Lightweight Directory Access Protocol) allows you to manage access control based on your existing LDAP directory. Vault's LDAP authentication method looks up users and their group memberships on an LDAP server at login time and translates those into Vault identity groups and policies that grant or restrict access to secrets.

    Let's go through an example of setting up LDAP authentication with Vault using Pulumi. We'll define two main components:

    1. LDAP Authentication Backend: This configures Vault to authenticate against an LDAP server.
    2. LDAP Groups: These map LDAP groups to a set of Vault policies, which define the level of access.

    To manage these components with Pulumi, you can use the vault provider. Before you run the following Pulumi program, you need to set up Vault and have its address and token available in your environment, as well as your LDAP server details.

    Here's a TypeScript program that defines an LDAP auth backend and associates an LDAP group with a set of policies:

        import * as pulumi from "@pulumi/pulumi";
        import * as vault from "@pulumi/vault";

        // Create an LDAP authentication backend.
        const ldapAuth = new vault.ldap.AuthBackend("ldapAuth", {
            // URL of the LDAP server, in the form "ldap://<hostname>:<port>"
            // (or "ldaps://<hostname>:636" for an encrypted connection).
            url: "ldap://ldap.example.com:389",
            // Distinguished name (DN) of the user to bind with the LDAP server.
            // This user should have permission to perform user/group lookups.
            binddn: "cn=read-only-admin,dc=example,dc=com",
            // The bind user's password. The provider takes a plain string here;
            // pulumi.secret() keeps it encrypted in Pulumi state. Replace the
            // placeholder with the actual password or load it from secret management.
            bindpass: pulumi.secret("READ_ONLY_ADMIN_PASSWORD"),
            // Base DN under which to perform user search.
            userdn: "ou=Users,dc=example,dc=com",
            // Base DN under which to perform group search.
            groupdn: "ou=Groups,dc=example,dc=com",
            // Specifies if Vault should use StartTLS.
            starttls: false,
            // Username attribute used in queries against the LDAP server.
            userattr: "uid",
            // Group attribute used in queries against the LDAP server.
            groupattr: "cn",
            // The domain to be used for UPN (User Principal Name) logins.
            // Only meaningful for Active Directory; omit it for other directories.
            upndomain: "example.com",
        });

        // Create an LDAP group. Users belonging to this group in LDAP will be
        // associated with the policies defined here in Vault.
        const ldapAdminGroup = new vault.ldap.AuthBackendGroup("ldapAdminGroup", {
            backend: ldapAuth.path,       // The mount path of the LDAP auth backend.
            groupname: "VaultAdmins",     // The name of the LDAP group.
            policies: ["admin-policy"],   // The list of policies to associate with this group.
        });

        // This Pulumi program assumes that the "admin-policy" is already defined in Vault.
        // If not, replace "admin-policy" with an actual policy name that exists in your Vault setup.

        // Export the mount path of the LDAP auth backend.
        export const ldapAuthPath = ldapAuth.path;

    In this example, you would need to replace the placeholders such as ldap://ldap.example.com:389, cn=read-only-admin,dc=example,dc=com, and "READ_ONLY_ADMIN_PASSWORD" with your actual LDAP server details and credentials.

    Explanation:

    • LDAP Authentication Backend: This is created with the vault.ldap.AuthBackend resource. It defines how Vault connects to your LDAP server, including the URL of the server, the bind DN and password, and the user and group base DNs for searching users and groups within LDAP.

    • LDAP Group: We use the vault.ldap.AuthBackendGroup to map an LDAP group to Vault policies. In this example, any user who is part of the VaultAdmins group in LDAP will be assigned the admin-policy in Vault, giving them admin-level access within Vault.

    To apply these settings, simply run pulumi up after creating a new Pulumi project and pasting the above code into your index.ts file. Ensure that your Pulumi.yaml includes vault as a dependency:

        name: ldap-vault
        runtime: nodejs
        description: A Pulumi program to configure Vault with LDAP authentication.
        dependencies:
          - name: "@pulumi/vault"
            version: "^5.16.0"

    Remember to replace ^5.16.0 with the appropriate version of the Pulumi Vault package.

    This is a basic example to get started. For production use, you need to consider secure ways to handle secrets (bindpass), additional configuration parameters for the LDAP server, and the complete setup of necessary Vault policies.
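    As an added example (not code from this page or from Pulumi), the stand-alone TypeScript below models the two mechanisms described above: how Vault turns a user's LDAP group memberships into a set of policies at login, and a pre-flight check of the backend settings for the production concerns just mentioned (plaintext LDAP, a placeholder bindpass). The directory entries, user names and policy names are constructed, and resolvePolicies and checkBackendConfig are hypothetical helpers, not part of the provider or of Vault.

```typescript
// Added example, not the page's or Pulumi's code. Models how Vault's LDAP auth
// method maps group membership to policies, and checks the backend settings for
// the weaknesses the page flags for production use. All data is constructed.

// Mirrors the arguments the page passes to vault.ldap.AuthBackend.
interface LdapAuthBackendConfig {
    url: string;
    binddn: string;
    bindpass: string;
    userdn: string;
    groupdn: string;
    starttls: boolean;
    userattr: string;
    groupattr: string;
}

// One entry per vault.ldap.AuthBackendGroup: LDAP group name -> Vault policies.
interface GroupPolicyMapping {
    groupname: string;
    policies: string[];
}

// Constructed sample directory: each group, keyed by its cn (the groupattr),
// lists the uids (the userattr) of its members. Not a real directory.
const sampleDirectory: Record<string, string[]> = {
    VaultAdmins: ["alice"],
    Developers: ["alice", "bob"],
    Auditors: ["carol"],
};

// Constructed mappings. "Auditors" deliberately has no mapping.
const sampleMappings: GroupPolicyMapping[] = [
    { groupname: "VaultAdmins", policies: ["admin-policy"] },
    { groupname: "Developers", policies: ["dev-read-policy"] },
];

// Policies a user holds after an LDAP login: the union of the policies mapped to
// every LDAP group the user belongs to, plus "default", which Vault attaches to
// tokens unless the mount is configured otherwise. Groups without a mapping
// grant nothing, so an unmapped LDAP group cannot widen access.
function resolvePolicies(
    username: string,
    directory: Record<string, string[]>,
    mappings: GroupPolicyMapping[],
): string[] {
    const memberOf = Object.keys(directory).filter((g) => directory[g].indexOf(username) >= 0);
    const policies: string[] = ["default"];
    for (const m of mappings) {
        if (memberOf.indexOf(m.groupname) < 0) continue;
        for (const p of m.policies) {
            if (policies.indexOf(p) < 0) policies.push(p);
        }
    }
    return policies.sort();
}

// Pre-flight checks on the backend settings. Returns one finding per problem;
// an empty array means the configuration passed every check implemented here.
function checkBackendConfig(cfg: LdapAuthBackendConfig): string[] {
    const findings: string[] = [];
    if (cfg.url.indexOf("ldap://") === 0 && !cfg.starttls) {
        findings.push("plaintext LDAP without StartTLS: bind and user passwords cross the network unencrypted; use ldaps:// or starttls: true");
    }
    if (cfg.bindpass.trim() === "" || cfg.bindpass === "READ_ONLY_ADMIN_PASSWORD") {
        findings.push("bindpass is empty or still the placeholder; load it from Pulumi config as a secret");
    }
    if (cfg.userdn.trim() === "" || cfg.groupdn.trim() === "") {
        findings.push("userdn and groupdn must both be set so lookups are scoped to the intended subtrees");
    }
    return findings;
}

// The page's settings as written: placeholder password, ldap:// without StartTLS.
const pageConfig: LdapAuthBackendConfig = {
    url: "ldap://ldap.example.com:389",
    binddn: "cn=read-only-admin,dc=example,dc=com",
    bindpass: "READ_ONLY_ADMIN_PASSWORD",
    userdn: "ou=Users,dc=example,dc=com",
    groupdn: "ou=Groups,dc=example,dc=com",
    starttls: false,
    userattr: "uid",
    groupattr: "cn",
};

// The same settings hardened: LDAPS and a password that came from config.
const hardenedConfig: LdapAuthBackendConfig = {
    ...pageConfig,
    url: "ldaps://ldap.example.com:636",
    bindpass: "constructed-secret-from-config",
};

console.log(resolvePolicies("alice", sampleDirectory, sampleMappings));
console.log(checkBackendConfig(pageConfig));
console.log(checkBackendConfig(hardenedConfig));
```

    Running it shows alice receiving admin-policy, default and dev-read-policy, bob only default and dev-read-policy, and carol nothing beyond default because Auditors is unmapped; the page's backend settings produce two findings, the hardened copy none.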