» vault_ldap_auth_backend

Provides a resource for managing an LDAP auth backend within Vault.

» Example Usage

resource "vault_ldap_auth_backend" "ldap" {
    path        = "ldap"
    url         = "ldaps://dc-01.example.org"
    userdn      = "OU=Users,OU=Accounts,DC=example,DC=org"
    userattr    = "sAMAccountName"
    upndomain   = "EXAMPLE.ORG"
    discoverdn  = false
    groupdn     = "OU=Groups,DC=example,DC=org"
    groupfilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))"
}

» Argument Reference

The following arguments are supported:

  • url - (Required) The URL of the LDAP server

  • starttls - (Optional) Control use of TLS when connecting to LDAP

  • tls_min_version - (Optional) Minimum acceptable version of TLS

  • tls_max_version - (Optional) Maximum acceptable version of TLS

  • insecure_tls - (Optional) Control whether or not TLS certificates must be validated

  • certificate - (Optional) Trusted CA to validate the TLS certificate

  • binddn - (Optional) DN of the object to bind as when performing the user search

  • bindpass - (Optional) Password to use with binddn when performing the user search

  • userdn - (Optional) Base DN under which to perform the user search

  • userattr - (Optional) Attribute on the user object matching the username passed in

  • upndomain - (Optional) The userPrincipalDomain used to construct the UPN string for the authenticating user

  • discoverdn - (Optional) Use an anonymous bind to discover the bind DN of a user

  • deny_null_bind - (Optional) Prevents users from bypassing authentication when providing an empty password

  • groupfilter - (Optional) Go template used to construct the group membership query

  • groupdn - (Optional) Base DN under which to perform the group search

  • groupattr - (Optional) LDAP attribute to follow on objects returned by groupfilter

  • use_token_groups - (Optional) Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships

  • path - (Optional) Path to mount the LDAP auth backend under

  • description - (Optional) Description for the LDAP auth backend mount

For more details on the usage of each argument consult the Vault LDAP API documentation.
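The following is an added example, not part of the provider documentation above, showing how the TLS, bind and null-bind arguments combine into a hardened mount: certificate validation stays on with a pinned CA, the directory search runs as a dedicated service account instead of an anonymous bind, and empty-password binds are rejected. The hostname, DNs, CA file path and the ldap_bind_password variable are constructed for illustration.

```hcl
# Added example (not from the provider docs): a hardened LDAP auth mount.
# Hostnames, DNs, the CA file path and the variable name are constructed.

variable "ldap_bind_password" {
  type      = string
  sensitive = true # keeps the bind credential out of plan/apply output; supply it via TF_VAR_ldap_bind_password or a secrets manager
}

resource "vault_ldap_auth_backend" "ldap_hardened" {
  path        = "ldap"
  description = "Corporate directory, service-account bind, TLS enforced"

  # Transport: ldaps:// negotiates TLS on connect, so STARTTLS is not needed.
  url             = "ldaps://dc-01.example.org"
  starttls        = false
  tls_min_version = "tls12"
  tls_max_version = "tls13"
  insecure_tls    = false # certificate validation must stay enabled
  certificate     = file("${path.module}/certs/example-org-ca.pem") # pin the directory's CA rather than trusting the host store

  # Search binding: a dedicated, least-privilege account rather than an anonymous discovery bind.
  discoverdn = false
  binddn     = "CN=vault-ldap-search,OU=Service Accounts,DC=example,DC=org"
  bindpass   = var.ldap_bind_password

  # User lookup
  userdn    = "OU=Users,OU=Accounts,DC=example,DC=org"
  userattr  = "sAMAccountName"
  upndomain = "EXAMPLE.ORG"

  # Some directories treat a bind with an empty password as a successful
  # anonymous bind; rejecting it prevents a login with no credential at all.
  deny_null_bind = true

  # Group lookup: the matching-rule-in-chain filter already resolves nested
  # membership, so use_token_groups is left at its default here.
  groupdn     = "OU=Groups,DC=example,DC=org"
  groupfilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))"
  groupattr   = "cn"
}
```

Each setting maps to an argument above: insecure_tls and certificate together decide whether a spoofed directory could intercept credentials, binddn/bindpass and discoverdn decide which identity the search runs as, and deny_null_bind closes the empty-password bind case. After applying, a check with `vault read auth/ldap/config` should show `insecure_tls` false and `deny_null_bind` true; bindpass is write-only and is not returned.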

» Attributes Reference

In addition to the fields above, the following attributes are exported:

  • accessor - The accessor for this auth mount.

» Import

LDAP authentication backends can be imported using the path, e.g.

$ terraform import vault_ldap_auth_backend.ldap ldap