ldap: Minor enhancements, tests and doc update (#2272)

2025-11-02 11:38:02 +00:00 · 2017-01-23 10:56:43 -05:00
parent 235f9458d3
commit b706ec9506
3 changed files with 105 additions and 15 deletions
--- a/builtin/credential/ldap/backend_test.go
+++ b/builtin/credential/ldap/backend_test.go
@@ -12,6 +12,94 @@ import (
 	"github.com/mitchellh/mapstructure"
 )

+func createBackendWithStorage(t *testing.T) (*backend, logical.Storage) {
+	config := logical.TestBackendConfig()
+	config.StorageView = &logical.InmemStorage{}
+
+	b := Backend()
+	if b == nil {
+		t.Fatalf("failed to create backend")
+	}
+
+	_, err := b.Backend.Setup(config)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	return b, config.StorageView
+}
+
+func TestLdapAuthBackend_UserPolicies(t *testing.T) {
+	var resp *logical.Response
+	var err error
+	b, storage := createBackendWithStorage(t)
+
+	configReq := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "config",
+		Data: map[string]interface{}{
+			// Online LDAP test server
+			// http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
+			"url":      "ldap://ldap.forumsys.com",
+			"userattr": "uid",
+			"userdn":   "dc=example,dc=com",
+			"groupdn":  "dc=example,dc=com",
+			"binddn":   "cn=read-only-admin,dc=example,dc=com",
+		},
+		Storage: storage,
+	}
+	resp, err = b.HandleRequest(configReq)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("err:%v resp:%#v", err, resp)
+	}
+
+	groupReq := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Data: map[string]interface{}{
+			"policies": "grouppolicy",
+		},
+		Path:    "groups/engineers",
+		Storage: storage,
+	}
+	resp, err = b.HandleRequest(groupReq)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("err:%v resp:%#v", err, resp)
+	}
+
+	userReq := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Data: map[string]interface{}{
+			"groups":   "engineers",
+			"policies": "userpolicy",
+		},
+		Path:    "users/tesla",
+		Storage: storage,
+	}
+
+	resp, err = b.HandleRequest(userReq)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("err:%v resp:%#v", err, resp)
+	}
+
+	loginReq := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "login/tesla",
+		Data: map[string]interface{}{
+			"password": "password",
+		},
+		Storage: storage,
+	}
+
+	resp, err = b.HandleRequest(loginReq)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("err:%v resp:%#v", err, resp)
+	}
+	expected := []string{"default", "grouppolicy", "userpolicy"}
+	if !reflect.DeepEqual(expected, resp.Auth.Policies) {
+		t.Fatalf("bad: policies: expected: %q, actual: %q", expected, resp.Auth.Policies)
+	}
+}
+
 /*
 * Acceptance test for LDAP Auth Backend
 *
@@ -370,7 +458,6 @@ func testAccStepLogin(t *testing.T, user string, pass string) logicaltest.TestSt
 	}
 }

-
 func testAccStepLoginNoGroupDN(t *testing.T, user string, pass string) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.UpdateOperation,
--- a/builtin/credential/ldap/path_users.go
+++ b/builtin/credential/ldap/path_users.go
@@ -3,6 +3,8 @@ package ldap
 import (
 	"strings"

+	"github.com/hashicorp/vault/helper/policyutil"
+	"github.com/hashicorp/vault/helper/strutil"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
@@ -36,7 +38,7 @@ func pathUsers(b *backend) *framework.Path {

 			"policies": &framework.FieldSchema{
 				Type:        framework.TypeString,
-				Description: "Comma-separated list of policies associated to the group.",
+				Description: "Comma-separated list of policies associated with the user.",
 			},
 		},

@@ -90,7 +92,7 @@ func (b *backend) pathUserRead(

 	return &logical.Response{
 		Data: map[string]interface{}{
-			"groups": strings.Join(user.Groups, ","),
+			"groups":   strings.Join(user.Groups, ","),
 			"policies": strings.Join(user.Policies, ","),
 		},
 	}, nil
@@ -99,15 +101,15 @@ func (b *backend) pathUserRead(
 func (b *backend) pathUserWrite(
 	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
 	name := d.Get("name").(string)
-	groups := strings.Split(d.Get("groups").(string), ",")
-	policies := strings.Split(d.Get("policies").(string), ",")
+	groups := strutil.ParseDedupAndSortStrings(d.Get("groups").(string), ",")
+	policies := policyutil.ParsePolicies(d.Get("policies").(string))
 	for i, g := range groups {
 		groups[i] = strings.TrimSpace(g)
 	}

 	// Store it
 	entry, err := logical.StorageEntryJSON("user/"+name, &UserEntry{
-		Groups: groups,
+		Groups:   groups,
 		Policies: policies,
 	})
 	if err != nil {
@@ -130,7 +132,7 @@ func (b *backend) pathUserList(
 }

 type UserEntry struct {
-	Groups []string
+	Groups   []string
 	Policies []string
 }

--- a/website/source/docs/auth/ldap.html.md
+++ b/website/source/docs/auth/ldap.html.md
@@ -15,8 +15,8 @@ server and user/password credentials. This allows Vault to be integrated
 into environments using LDAP without duplicating the user/pass configuration
 in multiple places.

-The mapping of groups in LDAP to Vault policies is managed by using the
-`users/` and `groups/` paths.
+The mapping of groups and users in LDAP to Vault policies is managed by using
+the `users/` and `groups/` paths.

 ## A Note on Escaping

@@ -231,16 +231,17 @@ $ vault write auth/ldap/groups/scientists policies=foo,bar
 ```

 This maps the LDAP group "scientists" to the "foo" and "bar" Vault policies.
-
-We can also add specific LDAP users to additional (potentially non-LDAP) groups:
+We can also add specific LDAP users to additional (potentially non-LDAP)
+groups. Note that policies can also be specified on LDAP users as well.

 ```
 $ vault write auth/ldap/groups/engineers policies=foobar
-$ vault write auth/ldap/users/tesla groups=engineers
+$ vault write auth/ldap/users/tesla groups=engineers policies=zoobar
 ```

 This adds the LDAP user "tesla" to the "engineers" group, which maps to
-the "foobar" Vault policy.
+the "foobar" Vault policy. User "tesla" itself is associated with "zoobar"
+policy.

 Finally, we can test this by authenticating:

@@ -250,9 +251,9 @@ Password (will be hidden):
 Successfully authenticated! The policies that are associated
 with this token are listed below:

-bar, foo, foobar
+default, foobar, zoobar
 ```

 ## Note on policy mapping

-It should be noted that user -> policy mapping (via group membership) happens at token creation time. And changes in group membership on the LDAP server will not affect tokens that have already been provisioned. To see these changes, old tokens should be revoked and the user should be asked to reauthenticate.
+It should be noted that user -> policy mapping happens at token creation time. And changes in group membership on the LDAP server will not affect tokens that have already been provisioned. To see these changes, old tokens should be revoked and the user should be asked to reauthenticate.