Adds an option to enable sAMAccountname logins when upndomain is set #29118

Open
wants to merge 30 commits into base: main
30 commits
e55636c
Adds an option to enable sAMAccountname logins when upndomain is set
kwagga Dec 6, 2024
61a0b90
Adds an option to enable sAMAccountname logins when upndomain is set
kwagga Dec 6, 2024
b244d2e
Merge branch 'main' into ldap-add-samaccountname-login-option
kwagga Dec 6, 2024
8a31983
Updated changelog entry
kwagga Dec 6, 2024
62aa988
Update 29118.txt
kwagga Dec 6, 2024
1b28014
Merge branch 'main' into ldap-add-samaccountname-login-option
kwagga Dec 18, 2024
75ed70c
Merge branch 'ldap-add-samaccountname-login-option' of https://github…
kwagga Dec 18, 2024
348dc86
Updated cap/ldap version due to needed dependency
kwagga Dec 18, 2024
f7737fb
Updated cap/ldap version due to needed dependency
kwagga Dec 18, 2024
8e66eaa
Restart CI
kwagga Dec 18, 2024
34f77c5
Updated LDAP api-docs and docs describing the enable_samaccountname_l…
kwagga Dec 18, 2024
f12b3c0
Merge branch 'hashicorp:main' into ldap-add-samaccountname-login-option
kwagga Dec 20, 2024
c2b3aaf
Added missing comma in config_test.go
kwagga Dec 20, 2024
db0efdb
Merge branch 'ldap-add-samaccountname-login-option' of https://github…
kwagga Dec 20, 2024
4f3f8da
Merge branch 'main' into ldap-add-samaccountname-login-option
kwagga Dec 21, 2024
497dc65
Merge branch 'main' into ldap-add-samaccountname-login-option
kwagga Dec 27, 2024
7dd7f72
Merge branch 'main' into ldap-add-samaccountname-login-option
kwagga Dec 30, 2024
b798af3
Merge branch 'main' into ldap-add-samaccountname-login-option
kwagga Jan 2, 2025
a4c7cdd
Merge branch 'main' into ldap-add-samaccountname-login-option
kwagga Jan 2, 2025
2176326
Merge branch 'main' into ldap-add-samaccountname-login-option
kwagga Jan 3, 2025
dbc3282
Merge branch 'main' into ldap-add-samaccountname-login-option
kwagga Jan 3, 2025
8f8e208
Merge branch 'main' into ldap-add-samaccountname-login-option
kwagga Jan 3, 2025
7cdb1f4
Merge branch 'hashicorp:main' into ldap-add-samaccountname-login-option
kwagga Jan 6, 2025
e0ca408
Merge branch 'main' into ldap-add-samaccountname-login-option
kwagga Jan 7, 2025
f745ab8
Merge branch 'main' into ldap-add-samaccountname-login-option
kwagga Jan 7, 2025
21a7ad6
Merge branch 'main' into ldap-add-samaccountname-login-option
kwagga Jan 8, 2025
c707335
Merge branch 'main' into ldap-add-samaccountname-login-option
kwagga Jan 9, 2025
c0a8d91
Merge branch 'main' into ldap-add-samaccountname-login-option
kwagga Jan 10, 2025
46c334a
Merge branch 'main' into ldap-add-samaccountname-login-option
kwagga Jan 10, 2025
e13762a
Merge branch 'main' into ldap-add-samaccountname-login-option
kwagga Jan 13, 2025
3 changes: 3 additions & 0 deletions changelog/29118.txt
@@ -0,0 +1,3 @@
```release-note:improvement
auth/ldap: Adds an option to enable sAMAccountname logins when upndomain is set.
```
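Review bot: the attribute is spelled `sAMAccountname` here (and in the PR title), while both docs hunks use the correct LDAP attribute name `sAMAccountName`; use `sAMAccountName` in the release note so the changelog matches the name operators will search for.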
64 changes: 38 additions & 26 deletions sdk/helper/ldaputil/config.go
Expand Up @@ -256,6 +256,11 @@ Default: ({{.UserAttr}}={{.Username}})`,
Description: "If set to a value greater than 0, the LDAP backend will use the LDAP server's paged search control to request pages of up to the given size. This can be used to avoid hitting the LDAP server's maximum result size limit. Otherwise, the LDAP backend will not use the paged search control.",
Default: 0,
},
"enable_samaccountname_login": {
Type: framework.TypeBool,
Description: "If true, matching sAMAccountName attribute values will be allowed to login when upndomain is defined.",
Default: false,
},
}
}
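Review bot: the `Description` for `enable_samaccountname_login` is ambiguous about what "matching sAMAccountName attribute values" means and does not say what happens when `upndomain` is empty; suggest wording that mirrors the docs hunks, e.g. `"If true, users can log in with their sAMAccountName in addition to their userPrincipalName. Only has effect when upndomain is set."` ("login" as a verb should be "log in").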

Expand Down Expand Up @@ -434,6 +439,10 @@ func NewConfigEntry(existing *ConfigEntry, d *framework.FieldData) (*ConfigEntry
cfg.MaximumPageSize = d.Get("max_page_size").(int)
}

if _, ok := d.Raw["enable_samaccountname_login"]; ok || !hadExisting {
cfg.EnableSamaccountnameLogin = d.Get("enable_samaccountname_login").(bool)
}

return cfg, nil
}
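Review bot: nothing checks that `enable_samaccountname_login` is only set together with a non-empty `upndomain`, even though the field description says the option applies only when `upndomain` is defined; consider returning an error from `NewConfigEntry` (or at least logging a warning) when the flag is `true` and `cfg.UPNDomain == ""`, so operators get feedback instead of a silently inert setting. The `ok || !hadExisting` guard itself is right: it preserves the stored value on partial updates and defaults to `false` for new configs.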

Expand Down Expand Up @@ -468,9 +477,10 @@ type ConfigEntry struct {
// where the tag was being ignored, causing it to be jsonified as "CaseSensitiveNames", etc.
// To continue reading in users' previously stored values,
// we chose to carry that forward.
CaseSensitiveNames *bool `json:"CaseSensitiveNames,omitempty"`
ClientTLSCert string `json:"ClientTLSCert"`
ClientTLSKey string `json:"ClientTLSKey"`
CaseSensitiveNames *bool `json:"CaseSensitiveNames,omitempty"`
ClientTLSCert string `json:"ClientTLSCert"`
ClientTLSKey string `json:"ClientTLSKey"`
EnableSamaccountnameLogin bool `json:"EnableSamaccountnameLogin"`
}

func (c *ConfigEntry) Map() map[string]interface{} {
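Review bot: the json tag `EnableSamaccountnameLogin` copies the PascalCase style that the comment just above explains is a historical accident kept only so previously stored `CaseSensitiveNames`/`ClientTLSCert`/`ClientTLSKey` values still decode, and it disagrees with `jsonConfigDefault` in config_test.go, which lists the key as `"enable_samaccountname_login"`; a new field should take the snake_case tag used by every other key, i.e. `EnableSamaccountnameLogin bool `json:"enable_samaccountname_login"``, and the tag and the fixture must agree either way.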
Expand All @@ -481,29 +491,30 @@ func (c *ConfigEntry) Map() map[string]interface{} {

func (c *ConfigEntry) PasswordlessMap() map[string]interface{} {
m := map[string]interface{}{
"url": c.Url,
"userdn": c.UserDN,
"groupdn": c.GroupDN,
"groupfilter": c.GroupFilter,
"groupattr": c.GroupAttr,
"userfilter": c.UserFilter,
"upndomain": c.UPNDomain,
"userattr": c.UserAttr,
"certificate": c.Certificate,
"insecure_tls": c.InsecureTLS,
"starttls": c.StartTLS,
"binddn": c.BindDN,
"deny_null_bind": c.DenyNullBind,
"discoverdn": c.DiscoverDN,
"tls_min_version": c.TLSMinVersion,
"tls_max_version": c.TLSMaxVersion,
"use_token_groups": c.UseTokenGroups,
"anonymous_group_search": c.AnonymousGroupSearch,
"request_timeout": c.RequestTimeout,
"connection_timeout": c.ConnectionTimeout,
"username_as_alias": c.UsernameAsAlias,
"dereference_aliases": c.DerefAliases,
"max_page_size": c.MaximumPageSize,
"url": c.Url,
"userdn": c.UserDN,
"groupdn": c.GroupDN,
"groupfilter": c.GroupFilter,
"groupattr": c.GroupAttr,
"userfilter": c.UserFilter,
"upndomain": c.UPNDomain,
"userattr": c.UserAttr,
"certificate": c.Certificate,
"insecure_tls": c.InsecureTLS,
"starttls": c.StartTLS,
"binddn": c.BindDN,
"deny_null_bind": c.DenyNullBind,
"discoverdn": c.DiscoverDN,
"tls_min_version": c.TLSMinVersion,
"tls_max_version": c.TLSMaxVersion,
"use_token_groups": c.UseTokenGroups,
"anonymous_group_search": c.AnonymousGroupSearch,
"request_timeout": c.RequestTimeout,
"connection_timeout": c.ConnectionTimeout,
"username_as_alias": c.UsernameAsAlias,
"dereference_aliases": c.DerefAliases,
"max_page_size": c.MaximumPageSize,
"enable_samaccountname_login": c.EnableSamaccountnameLogin,
}
if c.CaseSensitiveNames != nil {
m["case_sensitive_names"] = *c.CaseSensitiveNames
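Review bot: the only semantic change in this hunk is the new `"enable_samaccountname_login"` key; the other lines are gofmt realigning the map values to the longer key, which is expected and needs no action. Do confirm that `Map()` (collapsed above at -481) also exposes the flag, or delegates to `PasswordlessMap()`, so reads of the config return it consistently.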
Expand Down Expand Up @@ -595,6 +606,7 @@ func ConvertConfig(cfg *ConfigEntry) *capldap.ClientConfig {
MaximumPageSize: cfg.MaximumPageSize,
DerefAliases: cfg.DerefAliases,
DeprecatedVaultPre111GroupCNBehavior: cfg.UsePre111GroupCNBehavior,
EnableSamaccountnameLogin: cfg.EnableSamaccountnameLogin,
}

if cfg.Certificate != "" {
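Review bot: `capldap.ClientConfig.EnableSamaccountnameLogin` only exists in the newer cap/ldap release that the "Updated cap/ldap version due to needed dependency" commits pull in, and no go.mod/go.sum change appears among the files rendered here; since `sdk/` is its own Go module in Vault, make sure both the root and `sdk` module files are bumped, otherwise `sdk/helper/ldaputil` will not compile on its own.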
3 changes: 2 additions & 1 deletion sdk/helper/ldaputil/config_test.go
Expand Up @@ -178,6 +178,7 @@ var jsonConfigDefault = []byte(`
"max_page_size": 0,
"CaseSensitiveNames": false,
"ClientTLSCert": "",
"ClientTLSKey": ""
"ClientTLSKey": "",
"enable_samaccountname_login": false
}
`)
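Review bot: the fixture only covers the default (`false`) case; add a test that passes `enable_samaccountname_login: true` through `NewConfigEntry` and asserts `EnableSamaccountnameLogin` on the result, plus one that updates an existing entry without the key and checks the stored value survives, since that is what the `ok || !hadExisting` guard in config.go is meant to guarantee. The key here is snake_case while the struct tag in config.go is `EnableSamaccountnameLogin`; whichever is wrong, the marshalled default will not match this fixture until they agree.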
3 changes: 3 additions & 0 deletions website/content/api-docs/auth/ldap.mdx
Expand Up @@ -105,6 +105,9 @@ This endpoint configures the LDAP auth method.
paged search control.
- `use_token_groups` `(bool: true)` - (Optional) Use the Active Directory tokenGroups
constructed attribute of the user to find the group memberships.
- `enable_samaccountname_login` `(bool: false)` - (Optional) If true, Active Directory
LDAP users can login using `sAMAccountName` in addition to the `userPrincipalName`
attribute value when `upndomain` is defined.

@include 'tokenfields.mdx'
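Review bot: "can login" should be "can log in", and the entry should spell out the security-relevant consequence: with the flag on, one account is reachable under two names, so the docs should state which value becomes the entity alias name (this matters together with `username_as_alias`) and that the option is ignored when `upndomain` is unset.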

1 change: 1 addition & 0 deletions website/content/docs/auth/ldap.mdx
Expand Up @@ -144,6 +144,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m
#### Binding - user principal name (AD)

- `upndomain` (string, optional) - userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind as `username@example.com`.
- `enable_samaccountname_login` (bool, optional) - If true, Active Directory LDAP users can login using `sAMAccountName` in addition to the `userPrincipalName` attribute value when `upndomain` is defined.

### Group membership resolution
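Review bot: this bullet repeats the api-docs wording verbatim, including "can login" (should be "can log in"), but the docs page is where the bind behaviour needs explaining: the surrounding section describes how the `[username]@UPNDomain` bind string is constructed, so the new bullet should say what Vault does differently when the flag is on (whether it still binds with the UPN first, when it consults `sAMAccountName`, and what the bind account must be able to search). Without that, operators cannot reason about which credentials and directory rights the bind account needs.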
