scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-12-20 20:37:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Mention delegating change password privs in ad docs

Browse Source
This commit is contained in:
Jeff Mitchell
2018-06-15 17:01:47 -04:00
parent 9bed291ce7
commit 73e8031d35
1 changed files with 5 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
website/source/docs/secrets/ad/index.html.md
View File

@@ -88,8 +88,10 @@ to generate passwords:
userdn='dc=example,dc=com' userdn='dc=example,dc=com'
``` ```
The `$USERNAME` and `$PASSWORD` given must be of a high enough access level that The `$USERNAME` and `$PASSWORD` given must have access to modify passwords
they can be used for modifying passwords. Typically, this will be a domain admin. for the given account. It is possible to delegate access to change
passwords for these accounts to the one Vault is in control of, and this is
usually the highest-security solution.
If you'd like to do a quick, insecure evaluation, also set `insecure_tls` to true. However, this is NOT RECOMMENDED If you'd like to do a quick, insecure evaluation, also set `insecure_tls` to true. However, this is NOT RECOMMENDED
in a production environment. In production, we recommend `insecure_tls` is false (its default) and is used with a valid in a production environment. In production, we recommend `insecure_tls` is false (its default) and is used with a valid
@@ -103,7 +105,7 @@ this role.
$ vault write ad/roles/my-application \ $ vault write ad/roles/my-application \
service_account_name="my-application@example.com" service_account_name="my-application@example.com"
``` ```
4. Grant "my-application" access to its creds at `ad/creds/my-application` using an 4. Grant "my-application" access to its creds at `ad/creds/my-application` using an
auth method like [AppRole](https://www.vaultproject.io/api/auth/approle/index.html). auth method like [AppRole](https://www.vaultproject.io/api/auth/approle/index.html).