auth/ldap: add username_as_alias config flag (#14324)

builtin/credential/ldap/backend_test.go

@@ -1205,6 +1205,7 @@ func TestLdapAuthBackend_ConfigUpgrade(t *testing.T) {
 			CaseSensitiveNames:       falseBool,
 			UsePre111GroupCNBehavior: new(bool),
 			RequestTimeout:           cfg.RequestTimeout,
+			UsernameAsAlias:          false,
 		},
 	}
 

builtin/credential/ldap/path_login.go

@@ -103,6 +103,10 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 		},
 	}
 
+	if cfg.UsernameAsAlias {
+		auth.Alias.Name = username
+	}
+
 	cfg.PopulateTokenAuth(auth)
 
 	// Add in configured policies from mappings

changelog/14324.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+auth/ldap: Add username_as_alias configurable to change how aliases are named
+```

sdk/helper/ldaputil/config.go

@@ -112,6 +112,12 @@ Default: ({{.UserAttr}}={{.Username}})`,
 			},
 		},
 
+		"username_as_alias": {
+			Type:        framework.TypeBool,
+			Default:     false,
+			Description: "If true, sets the alias name to the username",
+		},
+
 		"userattr": {
 			Type:        framework.TypeString,
 			Default:     "cn",
@@ -242,6 +248,10 @@ func NewConfigEntry(existing *ConfigEntry, d *framework.FieldData) (*ConfigEntry
 		cfg.AnonymousGroupSearch = d.Get("anonymous_group_search").(bool)
 	}
 
+	if _, ok := d.Raw["username_as_alias"]; ok || !hadExisting {
+		cfg.UsernameAsAlias = d.Get("username_as_alias").(bool)
+	}
+
 	if _, ok := d.Raw["url"]; ok || !hadExisting {
 		cfg.Url = strings.ToLower(d.Get("url").(string))
 	}
@@ -393,6 +403,7 @@ type ConfigEntry struct {
 	GroupFilter              string `json:"groupfilter"`
 	GroupAttr                string `json:"groupattr"`
 	UPNDomain                string `json:"upndomain"`
+	UsernameAsAlias          bool   `json:"username_as_alias"`
 	UserFilter               string `json:"userfilter"`
 	UserAttr                 string `json:"userattr"`
 	Certificate              string `json:"certificate"`
@@ -444,6 +455,7 @@ func (c *ConfigEntry) PasswordlessMap() map[string]interface{} {
 		"use_token_groups":       c.UseTokenGroups,
 		"anonymous_group_search": c.AnonymousGroupSearch,
 		"request_timeout":        c.RequestTimeout,
+		"username_as_alias":      c.UsernameAsAlias,
 	}
 	if c.CaseSensitiveNames != nil {
 		m["case_sensitive_names"] = *c.CaseSensitiveNames

sdk/helper/ldaputil/config_test.go

@@ -166,6 +166,7 @@ var jsonConfigDefault = []byte(`
   "tls_max_version": "tls12",
   "use_token_groups": false,
   "use_pre111_group_cn_behavior": null,
+  "username_as_alias": false,
   "request_timeout": 90,
   "CaseSensitiveNames": false,
   "ClientTLSCert": "",

website/content/api-docs/auth/ldap.mdx

@@ -87,6 +87,8 @@ This endpoint configures the LDAP auth method.
   `groupfilter` in order to enumerate user group membership. Examples: for
   groupfilter queries returning _group_ objects, use: `cn`. For queries
   returning _user_ objects, use: `memberOf`. The default is `cn`.
+- `username_as_alias` `(bool: false)` - If set to true, forces the auth method
+  to use the username passed by the user as the alias name.
 
 @include 'tokenfields.mdx'
 
@@ -117,6 +119,7 @@ $ curl \
   "tls_max_version": "tls12",
   "tls_min_version": "tls12",
   "url": "ldaps://ldap.myorg.com:636",
+  "username_as_alias": false,
   "userattr": "samaccountname",
   "userdn": "ou=Users,dc=example,dc=com"
 }
@@ -160,6 +163,7 @@ $ curl \
     "tls_min_version": "tls12",
     "upndomain": "",
     "url": "ldaps://ldap.myorg.com:636",
+    "username_as_alias": false,
     "userattr": "samaccountname",
     "userdn": "ou=Users,dc=example,dc=com"
   },

website/content/docs/auth/ldap.mdx

@@ -147,6 +147,11 @@ _Note_: When using _Authenticated Search_ for binding parameters (see above) the
 
 Use `vault path-help` for more details.
 
+### Other
+
+- `username_as_alias` (bool, optional) - If set to true, forces the auth method to use the username passed by the user as the alias name.
+
+
 ## Examples:
 
 ### Scenario 1