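#!/usr/bin/env bash
# LDAP Auth demo: configure Vault's LDAP auth method against the public
# forumsys test directory, bind an LDAP group to a policy, then log in as an
# LDAP user and read a KV secret.
#
# Required environment:
#   VAULT_ADDR             - address of the Vault server the `vault` CLI and
#                            the curl calls below talk to
#   VAULT_PREMIUM_LICENSE  - license text written to sys/license
#
# NOTE(review): the bind password, the user password and the root token are
# passed on the command line / in curl's --data here, so they show up in shell
# history and `ps`. That is acceptable for this throwaway demo only; for a real
# deployment feed secrets from files or stdin (e.g. `vault login -method=ldap
# username=einstein`, which prompts for the password).

set -uo pipefail

# Fail early with a clear message instead of sending empty values to Vault.
: "${VAULT_ADDR:?VAULT_ADDR must be set}"
: "${VAULT_PREMIUM_LICENSE:?VAULT_PREMIUM_LICENSE must be set}"

#######################################
# Pause the demo until the presenter presses enter, then clear the screen.
# Arguments: none
# Outputs:   prompt on stdout
#######################################
pause() {
  echo
  read -r -p "press enter to continue..."
  clear
}

## PERSONA - ADMIN
# Set Vault Premium License
clear
vault login root
vault write sys/license text="$VAULT_PREMIUM_LICENSE"

#Enable KV store
vault secrets enable -path=secret kv-v2
#Write arbitrary secret to KV
vault kv put secret/mycred username=milli password=vanilli

## Write Vault policy
#capabilities = ["create", "read", "update", "delete", "list"]
# Least privilege: list on the metadata path, read-only on the single secret.
# Quoted heredoc delimiter keeps the policy text literal (no expansion).
vault policy write my-policy - <<'EOF'
path "secret/metadata/" {
capabilities = ["list"]
}
path "secret/data/mycred" {
capabilities = ["read"]
}
EOF
pause

# Enable and configure LDAP Auth plugin
# The demo directory is reached over plain ldap:// (no TLS), so the bind
# credentials cross the wire unencrypted, and insecure_tls=true would skip
# certificate verification if TLS were in use. Fine for the public test
# server; a real deployment should use ldaps:// (or starttls=true) and leave
# insecure_tls at its default of false.
vault auth enable ldap
vault write auth/ldap/config \
  url="ldap://ldap.forumsys.com" \
  binddn="cn=read-only-admin,dc=example,dc=com" \
  bindpass="password" \
  userdn="dc=example,dc=com" \
  userattr="uid" \
  groupfilter='(uniqueMember={{.UserDN}})' \
  groupdn="dc=example,dc=com" \
  insecure_tls=true
pause

# Tie LDAP group to Vault policy
vault write auth/ldap/groups/Scientists policies=my-policy
pause

## PERSONA - Human User
# Output of Vault Token using LDAP Auth...
curl \
  --silent \
  --request POST \
  --data '{"password": "password"}' \
  "$VAULT_ADDR/v1/auth/ldap/login/einstein" | jq
pause

# Set Vault Token to Variable
TOKEN=$(curl \
  --silent \
  --request POST \
  --data '{"password": "password"}' \
  "$VAULT_ADDR/v1/auth/ldap/login/einstein" | jq -r '.auth.client_token')
# jq prints "null" when the login response carries no token; stop here rather
# than sending a bogus X-Vault-Token header in the next request.
if [[ -z "$TOKEN" || "$TOKEN" == "null" ]]; then
  printf 'LDAP login failed: no client_token in response\n' >&2
  exit 1
fi
pause

# Fetch the KV secret written above, now as the LDAP user (policy allows read)
curl \
  --silent \
  --header "X-Vault-Token: $TOKEN" \
  "$VAULT_ADDR/v1/secret/data/mycred" | jq

# vault login -method=ldap username=einstein
# vault read secret/data/mycred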