@lauradiane
Forked from vishalnayak/ns-ldap.sh
Created December 20, 2018 01:17
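#!/bin/bash
# Demo: create Vault namespace "foo", delegate its administration to an LDAP
# group through identity groups, log in as an LDAP user, then delete the
# namespace and check whether that login still succeeds.
#
# Requirements: a reachable Vault server addressed by the usual VAULT_* env
# vars with a sufficiently privileged token, plus `vault` and `jq` on PATH.
# The LDAP backend is the public forumsys test directory, whose credentials are
# published; the only secret produced here is the client token minted at login.
#
# -e aborts on the first failing command, -x traces every command (this is a
# walkthrough, so the trace is the point). pipefail makes a failing `vault` in
# front of `jq` fatal instead of silently producing "null". The original
# `set -a` (export every assignment) is not used: nothing below reads these
# variables from the environment, and exporting would hand the client token
# to every child process. Tracing is switched off around the token-handling
# steps for the same reason.
set -e
set -o pipefail
set -x

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Abort unless a value extracted with jq is usable.
# Arguments: $1 - human-readable name of the value
#            $2 - the value; empty or the literal "null" means the expected
#                 JSON field was missing from the vault response
#######################################
require_value() {
  local label=$1 value=$2
  [[ -n "$value" && "$value" != null ]] || die "could not determine $label"
}

# --- Namespace and delegated-admin policy (written in the root namespace) ---
vault namespace create foo

# Policy for foo's administrator: full control (including sudo) of the auth,
# identity, policy and mount endpoints under foo, read/list of root-level
# identity data, and management of foo's child namespaces. The heredoc
# delimiter is quoted so the HCL is passed through without shell expansion.
vault policy write foo-ns-admin - <<'EOF'
path "foo/auth/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "foo/sys/auth"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "foo/sys/auth/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/*"
{
capabilities = ["read", "list"]
}
path "foo/identity/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "foo/sys/policies"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "foo/sys/policies/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "foo/sys/policy"
{
capabilities = ["read", "update", "list"]
}
path "foo/sys/policy/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "foo/sys/capabilities-self"
{
capabilities = ["read", "update", "list"]
}
path "foo/sys/mounts"
{
capabilities = ["read", "list"]
}
path "foo/sys/mounts/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "foo/sys/namespaces"
{
capabilities = ["read", "list"]
}
path "foo/sys/namespaces/*"
{
capabilities = ["create", "update", "delete", "list"]
}
EOF

# --- LDAP auth method against the public forumsys test directory ------------
# The config file is left in the working directory, as in the original demo.
# NOTE(review): no bindpass is supplied for binddn; confirm the directory
# accepts the bind as configured before relying on this outside a demo.
cat > ldapConfig <<'EOF'
{
"url": "ldap://ldap.forumsys.com",
"userattr": "uid",
"userdn": "dc=example,dc=com",
"groupdn": "dc=example,dc=com",
"binddn": "cn=read-only-admin,dc=example,dc=com"
}
EOF
vault auth enable ldap
vault write auth/ldap/config @ldapConfig
# LDAP group "dev" carries the admin policy; LDAP user "tesla" is placed in it.
vault write auth/ldap/groups/dev policies=foo-ns-admin
vault write auth/ldap/users/tesla groups=dev

# --- External identity group + alias mapping the LDAP group onto it ----------
# Each jq result is validated before use: with the original unchecked
# assignments a failed vault call would have sent the string "null" into the
# next request.
devGroupID=$(vault write -format json identity/group name=dev type=external | jq -r '.data.id')
require_value "external dev group id" "$devGroupID"
ldapMountAccessor=$(vault auth list -format json | jq -r '.["ldap/"].accessor')
require_value "ldap mount accessor" "$ldapMountAccessor"
vault write identity/group-alias name=dev mount_accessor="$ldapMountAccessor" canonical_id="$devGroupID"

# Internal group inside namespace foo whose member is the root-level external
# group, so membership (and therefore the policy) crosses the namespace boundary.
vault write -ns=foo identity/group name=dev type=internal member_group_ids="$devGroupID"

# --- Log in as the LDAP user and inspect the resulting token -----------------
# Trace off: the client token is a live credential and must not be echoed to
# stderr or captured in logs of this run.
set +x
clientToken=$(vault write -format json auth/ldap/login/tesla password=password | jq -r '.auth.client_token')
require_value "client token" "$clientToken"
vault token lookup "$clientToken"
set -x

# --- Delete the namespace and retry the login --------------------------------
# Under set -e a failing login ends the script with that command's exit
# status; that exit status is the observable outcome of the check.
vault namespace delete foo
vault write auth/ldap/login/tesla password=password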