hashicorp / vault-plugin-secrets-openldap

OpenLDAP secret engine for Vault
Mozilla Public License 2.0
17 stars, 7 forks

support ad rotate-root with userattr="userPrincipalName" #80

Closed raymonstah closed 10 months ago

raymonstah commented 11 months ago

Overview

Supports rotate-root when LDAP is configured with userattr="userPrincipalName". When setting both a userattr and an upndomain in the config, previous versions of the secrets engine would error out, since it expected a full DN. With this change, we can now correctly perform searches against the specified userattr.

vault write ldap/config \
    url="ldap://localhost:389" \
    userdn="dc=corp,dc=example,dc=net" \
    userattr="userPrincipalName" \
    upndomain="corp.example.net" \
    insecure_tls="true" \
    binddn="Bob" \
    schema=ad \
    starttls=true
Success! Data written to: ldap/config

vault write -f ldap/rotate-root
Success! Data written to: ldap/rotate-root

In the above example, the secrets engine will use dc=corp,dc=example,dc=net as the baseDN and a search filter of (&(objectClass=*)(userPrincipalName=Bob@corp.example.net)).

Also tested other variations manually:
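The PR description above explains the behaviour in prose: with a userattr configured, the engine no longer treats binddn as a full DN but searches under userdn for an entry whose userattr matches the bind name, appending "@upndomain" when the attribute is userPrincipalName. The Go below is an added, stand-alone illustration of that decision logic written for this page; it is not code from the plugin or from the PR, and the names Config, rootUserSearch, escapeFilterValue and validAttr are this example's own. It also adds a check the description does not mention: the bind name is escaped per RFC 4515 before it is placed in the filter, so a binddn containing `*`, `(`, `)` or `\` cannot change the shape of the search, and the attribute name is restricted to legal attribute-description characters. Whether the real plugin skips the domain suffix when binddn already contains "@" is an assumption made here for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Config mirrors the ldap/config fields from the PR description that decide
// how the engine locates the root bind user. This struct is an illustration
// written for this page, not the plugin's own configuration type.
type Config struct {
	BindDN    string // "Bob", or a full DN when UserAttr is empty
	UserDN    string // base DN for the search, e.g. "dc=corp,dc=example,dc=net"
	UserAttr  string // attribute to match, e.g. "userPrincipalName"
	UPNDomain string // appended as "@<domain>" when UserAttr is userPrincipalName
}

// escapeFilterValue applies RFC 4515 escaping (\ * ( ) and NUL) so that a
// bind name containing filter metacharacters is matched literally instead of
// altering the filter structure.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '\\', '*', '(', ')', 0x00:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// validAttr accepts only characters legal in an LDAP attribute description,
// so a userattr value can never smuggle filter syntax into the query.
func validAttr(a string) bool {
	if a == "" {
		return false
	}
	for _, r := range a {
		isAlpha := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')
		isDigit := r >= '0' && r <= '9'
		if !isAlpha && !isDigit && r != '-' && r != ';' && r != '.' {
			return false
		}
	}
	return true
}

// rootUserSearch returns the base DN and filter to use when a userattr is
// configured. With no userattr the binddn is a complete DN and no search is
// needed, which is reported as search == false.
func rootUserSearch(c Config) (baseDN, filter string, search bool, err error) {
	if c.UserAttr == "" {
		return "", "", false, nil // legacy path: binddn is a full DN
	}
	if !validAttr(c.UserAttr) {
		return "", "", false, errors.New("userattr contains characters not allowed in an attribute name")
	}
	if c.UserDN == "" {
		return "", "", false, errors.New("userdn is required when userattr is set")
	}
	value := c.BindDN
	// Assumption for this example: the domain suffix is only added when the
	// bind name does not already carry one.
	if strings.EqualFold(c.UserAttr, "userPrincipalName") && c.UPNDomain != "" && !strings.Contains(value, "@") {
		value = value + "@" + c.UPNDomain
	}
	filter = fmt.Sprintf("(&(objectClass=*)(%s=%s))", c.UserAttr, escapeFilterValue(value))
	return c.UserDN, filter, true, nil
}

func main() {
	// Constructed input matching the vault write ldap/config call in the PR.
	cfg := Config{
		BindDN:    "Bob",
		UserDN:    "dc=corp,dc=example,dc=net",
		UserAttr:  "userPrincipalName",
		UPNDomain: "corp.example.net",
	}
	base, filter, search, err := rootUserSearch(cfg)
	fmt.Println(base, filter, search, err)

	// A hostile bind name is neutralised rather than rewriting the filter.
	cfg.BindDN = "Bob*)(cn="
	_, filter, _, _ = rootUserSearch(cfg)
	fmt.Println(filter)
}
```

Running the block prints the base DN and filter quoted in the PR for the benign config, and for the hostile bind name a filter in which `*`, `)` and `(` appear as `\2a`, `\29` and `\28`, so the search still targets a single literal userPrincipalName.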