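#!/usr/bin/env bash
# LDAP Auth
#
# Demo walkthrough in two personas. ADMIN: license Vault, enable a kv-v2 mount,
# seed one secret, write a read-only policy, enable LDAP auth against the public
# ldap.forumsys.com test directory and map its "Scientists" group to that policy.
# HUMAN USER: log in over the API as "einstein", capture the client token, and
# read the secret with it.
#
# Required env vars:
#   VAULT_ADDR             - address of the Vault server (used by the curl calls)
#   VAULT_PREMIUM_LICENSE  - license text written to sys/license
# Assumes `vault`, `curl` and `jq` are on PATH and that `vault login root`
# works, i.e. a dev-mode server whose root token is literally "root".
#
# Every credential below (root token, LDAP bind password, user password, the
# stored username/password) is a published demo value for the forumsys test
# directory. Nothing here is a production configuration.

: "${VAULT_ADDR:?VAULT_ADDR must be set to the Vault server address}"
: "${VAULT_PREMIUM_LICENSE:?VAULT_PREMIUM_LICENSE must be set}"
for tool in vault curl jq; do
  command -v "$tool" >/dev/null 2>&1 || {
    printf 'required tool not found on PATH: %s\n' "$tool" >&2
    exit 1
  }
done

# Pause so each step's output can be read before the screen is cleared.
pause() {
  echo
  read -r -p "press enter to continue..."
  clear
}

## PERSONA - ADMIN
# Set Vault Premium License
clear
vault login root
vault write sys/license text="$VAULT_PREMIUM_LICENSE"
#Enable KV store
vault secrets enable -path=secret kv-v2
#Write arbitrary secret to KV
vault kv put secret/mycred username=milli password=vanilli
## Write Vault policy
#capabilities = ["create", "read", "update", "delete", "list"]
# Least privilege: the LDAP group may only list metadata and read this one key.
vault policy write my-policy - <<'EOF'
path "secret/metadata/" {
  capabilities = ["list"]
}
path "secret/data/mycred" {
  capabilities = ["read"]
}
EOF
pause

# Enable and configure LDAP Auth plugin
# ldap:// together with insecure_tls=true means an unencrypted bind to the
# public test directory; a real deployment uses ldaps:// with a trusted CA and
# drops insecure_tls. The bind password is inline only because it is the
# published demo value; otherwise load it from a file (bindpass=@path) so it
# does not appear in shell history or `ps`.
vault auth enable ldap
vault write auth/ldap/config \
  url="ldap://ldap.forumsys.com" \
  binddn="cn=read-only-admin,dc=example,dc=com" \
  bindpass="password" \
  userdn="dc=example,dc=com" \
  userattr="uid" \
  groupfilter='(uniqueMember={{.UserDN}})' \
  groupdn="dc=example,dc=com" \
  insecure_tls=true
pause

# Tie LDAP group to Vault policy
vault write auth/ldap/groups/Scientists policies=my-policy
pause

## PERSONA - Human User
# Output of Vault Token using LDAP Auth
# The JSON body (and so the password) is fed over stdin with --data @- instead
# of being placed on argv. Note that this prints the full client token.
curl \
  --silent \
  --request POST \
  --data @- \
  "$VAULT_ADDR/v1/auth/ldap/login/einstein" <<<'{"password": "password"}' | jq
pause

# Set Vault Token to Variable
TOKEN=$(curl \
  --silent \
  --request POST \
  --data @- \
  "$VAULT_ADDR/v1/auth/ldap/login/einstein" <<<'{"password": "password"}' | jq -r '.auth.client_token')
# A failed login yields "null" from jq (or an empty string); stop here rather
# than sending "X-Vault-Token: null" on the next request.
if [[ -z "$TOKEN" || "$TOKEN" == "null" ]]; then
  printf 'LDAP login for einstein failed; no client token returned\n' >&2
  exit 1
fi
pause

# Fetch the KV secret as the LDAP user. This is the static kv-v2 entry written
# above (not a dynamic secret); the policy allows reading only this path.
curl \
  --silent \
  --header "X-Vault-Token: $TOKEN" \
  "$VAULT_ADDR/v1/secret/data/mycred" | jq
# CLI equivalent of the two API calls above:
# vault login -method=ldap username=einstein
# vault read secret/data/mycred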