From e55636c2e1c8f325d3c80549c8a4d089fa1ecf98 Mon Sep 17 00:00:00 2001
From: kwagga
Date: Fri, 6 Dec 2024 14:52:33 +0100
Subject: [PATCH 1/9] Adds an option to enable sAMAccountname logins when upndomain is set
---
 sdk/helper/ldaputil/config.go | 64 +++++++++++++++-----------
 sdk/helper/ldaputil/config_test.go | 1 +
 website/content/api-docs/auth/ldap.mdx | 2 +
 3 files changed, 41 insertions(+), 26 deletions(-)
diff --git a/sdk/helper/ldaputil/config.go b/sdk/helper/ldaputil/config.go
index 9044b19fdaa1..c84ab42a6cdd 100644
--- a/sdk/helper/ldaputil/config.go
+++ b/sdk/helper/ldaputil/config.go
@@ -256,6 +256,11 @@ Default: ({{.UserAttr}}={{.Username}})`,
 Description: "If set to a value greater than 0, the LDAP backend will use the LDAP server's paged search control to request pages of up to the given size. This can be used to avoid hitting the LDAP server's maximum result size limit. Otherwise, the LDAP backend will not use the paged search control.",
 Default: 0,
 },
+ "enable_samaccountname_login": {
+ Type: framework.TypeBool,
+ Description: "If true, matching sAMAccountName attribute values will be allowed to login when upndomain is defined.",
+ Default: false,
+ },
 }
 }
@@ -434,6 +439,10 @@ func NewConfigEntry(existing *ConfigEntry, d *framework.FieldData) (*ConfigEntry
 cfg.MaximumPageSize = d.Get("max_page_size").(int)
 }
+ if _, ok := d.Raw["enable_samaccountname_login"]; ok || !hadExisting {
+ cfg.EnableSamaccountnameLogin = d.Get("enable_samaccountname_login").(bool)
+ }
+
 return cfg, nil
 }
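Review bot: The `Description:` string added for `enable_samaccountname_login` in the field schema is the one description of the option that is never updated when PATCH 8/9 rewrites both website docs, so the framework help output and the published API docs will describe the same option differently. Align it with the final docs wording, e.g. `Description: "If true, Active Directory LDAP users can login using sAMAccountName in addition to the userPrincipalName attribute value when upndomain is defined.",`. The enclosing ConfigFields map starts outside the hunk.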
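Review bot: The new flag is stored in NewConfigEntry without any cross-check against `cfg.UPNDomain`, even though its own description says it only takes effect when upndomain is defined, so an operator who enables it on a mount without `upndomain` gets a silent no-op instead of a configuration error. Consider rejecting the combination before `return cfg, nil`, e.g. `if cfg.EnableSamaccountnameLogin && cfg.UPNDomain == "" { return nil, errors.New("enable_samaccountname_login requires upndomain to be set") }`, using whichever error constructor the rest of the function already uses (that code is outside the hunk). Because the option lets one directory account authenticate under more than one login name, it is also worth confirming in cap/ldap, which this diff does not show, that the entity alias Vault derives is identical for both spellings; otherwise the two logins would map to distinct identities with distinct policies. NewConfigEntry starts outside the hunk.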
@@ -468,9 +477,10 @@ type ConfigEntry struct {
 // where the tag was being ignored, causing it to be jsonified as "CaseSensitiveNames", etc.
 // To continue reading in users' previously stored values,
 // we chose to carry that forward.
- CaseSensitiveNames *bool `json:"CaseSensitiveNames,omitempty"`
- ClientTLSCert string `json:"ClientTLSCert"`
- ClientTLSKey string `json:"ClientTLSKey"`
+ CaseSensitiveNames *bool `json:"CaseSensitiveNames,omitempty"`
+ ClientTLSCert string `json:"ClientTLSCert"`
+ ClientTLSKey string `json:"ClientTLSKey"`
+ EnableSamaccountnameLogin bool `json:"EnableSamaccountnameLogin"`
 }
 func (c *ConfigEntry) Map() map[string]interface{} {
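Review bot: The new field's tag `json:"EnableSamaccountnameLogin"` copies the PascalCase form that the comment directly above explains is carried forward only so the three legacy fields keep reading values users already have in storage; a brand-new field has no stored data to stay compatible with, the API parameter is `enable_samaccountname_login`, and the `max_page_size` key in the jsonConfigDefault fixture elsewhere in this diff suggests the remaining fields serialise as snake_case. Use the tag `json:"enable_samaccountname_login"` so the storage key matches the API name. The config_test.go fixture added in this same patch already uses the snake_case key, so as written the two hunks disagree. The ConfigEntry struct starts outside the hunk.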
@@ -481,29 +491,30 @@ func (c *ConfigEntry) Map() map[string]interface{} {
 func (c *ConfigEntry) PasswordlessMap() map[string]interface{} {
 m := map[string]interface{}{
- "url": c.Url,
- "userdn": c.UserDN,
- "groupdn": c.GroupDN,
- "groupfilter": c.GroupFilter,
- "groupattr": c.GroupAttr,
- "userfilter": c.UserFilter,
- "upndomain": c.UPNDomain,
- "userattr": c.UserAttr,
- "certificate": c.Certificate,
- "insecure_tls": c.InsecureTLS,
- "starttls": c.StartTLS,
- "binddn": c.BindDN,
- "deny_null_bind": c.DenyNullBind,
- "discoverdn": c.DiscoverDN,
- "tls_min_version": c.TLSMinVersion,
- "tls_max_version": c.TLSMaxVersion,
- "use_token_groups": c.UseTokenGroups,
- "anonymous_group_search": c.AnonymousGroupSearch,
- "request_timeout": c.RequestTimeout,
- "connection_timeout": c.ConnectionTimeout,
- "username_as_alias": c.UsernameAsAlias,
- "dereference_aliases": c.DerefAliases,
- "max_page_size": c.MaximumPageSize,
+ "url": c.Url,
+ "userdn": c.UserDN,
+ "groupdn": c.GroupDN,
+ "groupfilter": c.GroupFilter,
+ "groupattr": c.GroupAttr,
+ "userfilter": c.UserFilter,
+ "upndomain": c.UPNDomain,
+ "userattr": c.UserAttr,
+ "certificate": c.Certificate,
+ "insecure_tls": c.InsecureTLS,
+ "starttls": c.StartTLS,
+ "binddn": c.BindDN,
+ "deny_null_bind": c.DenyNullBind,
+ "discoverdn": c.DiscoverDN,
+ "tls_min_version": c.TLSMinVersion,
+ "tls_max_version": c.TLSMaxVersion,
+ "use_token_groups": c.UseTokenGroups,
+ "anonymous_group_search": c.AnonymousGroupSearch,
+ "request_timeout": c.RequestTimeout,
+ "connection_timeout": c.ConnectionTimeout,
+ "username_as_alias": c.UsernameAsAlias,
+ "dereference_aliases": c.DerefAliases,
+ "max_page_size": c.MaximumPageSize,
+ "enable_samaccountname_login": c.EnableSamaccountnameLogin,
 }
 if c.CaseSensitiveNames != nil {
 m["case_sensitive_names"] = *c.CaseSensitiveNames
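Review bot: Twenty-three of the twenty-four changed lines in PasswordlessMap are gofmt realignment forced by the longer new key; the only functional change is `"enable_samaccountname_login": c.EnableSamaccountnameLogin,`. Keeping the realignment in its own commit, or at least pointing reviewers at a whitespace-ignoring view, would make the actual change and later `git blame` output far easier to read. PasswordlessMap continues past the end of the hunk.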
@@ -595,6 +606,7 @@ func ConvertConfig(cfg *ConfigEntry) *capldap.ClientConfig {
 MaximumPageSize: cfg.MaximumPageSize,
 DerefAliases: cfg.DerefAliases,
 DeprecatedVaultPre111GroupCNBehavior: cfg.UsePre111GroupCNBehavior,
+ EnableSamaccountnameLogin: cfg.EnableSamaccountnameLogin,
 }
 if cfg.Certificate != "" {
diff --git a/sdk/helper/ldaputil/config_test.go b/sdk/helper/ldaputil/config_test.go
index b7fd22ccbb2d..8e6b44ae3c81 100644
--- a/sdk/helper/ldaputil/config_test.go
+++ b/sdk/helper/ldaputil/config_test.go
@@ -179,5 +179,6 @@ var jsonConfigDefault = []byte(`
 "CaseSensitiveNames": false,
 "ClientTLSCert": "",
 "ClientTLSKey": ""
+ "enable_samaccountname_login": false
 }
 `)
diff --git a/website/content/api-docs/auth/ldap.mdx b/website/content/api-docs/auth/ldap.mdx
index eec8772318e2..bb9f8a44b482 100644
--- a/website/content/api-docs/auth/ldap.mdx
+++ b/website/content/api-docs/auth/ldap.mdx
@@ -105,6 +105,8 @@ This endpoint configures the LDAP auth method.
 paged search control.
 - `use_token_groups` `(bool: true)` - (Optional) Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships.
+- `enable_samaccountname_login` `(bool: false)` - If true, matching sAMAccountName
+ attribute values will be allowed to login when `upndomain` is defined.
 @include 'tokenfields.mdx'
From 61a0b90e3bcc8dd8fbf10797f2f96289a8e7ad46 Mon Sep 17 00:00:00 2001
From: kwagga
Date: Fri, 6 Dec 2024 15:11:40 +0100
Subject: [PATCH 2/9] Adds an option to enable sAMAccountname logins when upndomain is set
---
 changelog/29118.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changelog/29118.txt
diff --git a/changelog/29118.txt b/changelog/29118.txt
new file mode 100644
index 000000000000..cea854a195dc
--- /dev/null
+++ b/changelog/29118.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+auth/ldap: Adds an option to enable sAMAccountname logins when upndomain is set.
+```
From 8a31983be800004b717cd52f93e468e52cd6c436 Mon Sep 17 00:00:00 2001
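Review bot: `EnableSamaccountnameLogin: cfg.EnableSamaccountnameLogin,` refers to a field of `capldap.ClientConfig` that, judging by PATCH 5/9 and 6/9 bumping `github.com/hashicorp/cap/ldap` only afterwards, does not exist in the module version this commit builds against; as ordered, PATCH 1/9 most likely does not compile on its own, which breaks bisection. Move the go.mod/go.sum bump ahead of this change or squash the two together. ConvertConfig starts before and continues after the hunk.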
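Review bot: The key `"enable_samaccountname_login"` added to jsonConfigDefault does not match the tag `json:"EnableSamaccountnameLogin"` given to the field in config.go in this same patch, so whichever way the fixture is used the new field is not exercised: a marshal-and-compare test fails on the key name, and a decode into ConfigEntry silently ignores it (encoding/json matches names case-insensitively but not across underscores). PATCH 9/9 only adds the missing comma on the preceding line and keeps the mismatch. Either give the struct field the snake_case tag or change this line to `"EnableSamaccountnameLogin": false`, whichever matches the decision taken on the struct. The jsonConfigDefault literal starts outside the hunk.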
From: kwagga
Date: Fri, 6 Dec 2024 15:44:11 +0100
Subject: [PATCH 3/9] Updated changelog entry
---
 changelog/29118.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/changelog/29118.txt b/changelog/29118.txt
index cea854a195dc..39295ca98a54 100644
--- a/changelog/29118.txt
+++ b/changelog/29118.txt
@@ -1,3 +1,3 @@
-```release-note:feature
+```release-note:improvement
 auth/ldap: Adds an option to enable sAMAccountname logins when upndomain is set.
 ```
From 62aa988968d16f12ffacdfeb90ad1f0d99ea3f19 Mon Sep 17 00:00:00 2001
From: Equus quagga
Date: Fri, 6 Dec 2024 15:49:44 +0100
Subject: [PATCH 4/9] Update 29118.txt
---
 changelog/29118.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/changelog/29118.txt b/changelog/29118.txt
index cea854a195dc..39295ca98a54 100644
--- a/changelog/29118.txt
+++ b/changelog/29118.txt
@@ -1,3 +1,3 @@
-```release-note:feature
+```release-note:improvement
 auth/ldap: Adds an option to enable sAMAccountname logins when upndomain is set.
 ```
From 348dc864b74cee4c2166fb0230b1819021f8f7fb Mon Sep 17 00:00:00 2001
From: kwagga
Date: Wed, 18 Dec 2024 11:23:31 +0100
Subject: [PATCH 5/9] Updated cap/ldap version due to needed dependency
---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index 6982f3226f95..cb0f6b2d15be 100644
--- a/go.mod
+++ b/go.mod
@@ -72,7 +72,7 @@ require (
 github.com/google/go-github v17.0.0+incompatible
 github.com/google/go-metrics-stackdriver v0.2.0
 github.com/hashicorp/cap v0.7.0
- github.com/hashicorp/cap/ldap v0.0.0-20240403125925-c0418810d10e
+ github.com/hashicorp/cap/ldap v0.0.0-20241218111300-43d3999eefa1
 github.com/hashicorp/cli v1.1.6
 github.com/hashicorp/consul-template v0.39.1
 github.com/hashicorp/consul/api v1.29.1
From f7737fb5346650dd23be1e49107cdd629f29fb98 Mon Sep 17 00:00:00 2001
From: kwagga
Date: Wed, 18 Dec 2024 11:32:35 +0100
Subject: [PATCH 6/9] Updated cap/ldap version due to needed dependency
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index cb0f6b2d15be..caeacd82246a 100644
--- a/go.mod
+++ b/go.mod
@@ -72,7 +72,7 @@ require (
 github.com/google/go-github v17.0.0+incompatible
 github.com/google/go-metrics-stackdriver v0.2.0
 github.com/hashicorp/cap v0.7.0
- github.com/hashicorp/cap/ldap v0.0.0-20241218111300-43d3999eefa1
+ github.com/hashicorp/cap/ldap v0.0.0-20241217213233-43d3999eefa1
 github.com/hashicorp/cli v1.1.6
 github.com/hashicorp/consul-template v0.39.1
 github.com/hashicorp/consul/api v1.29.1
diff --git a/go.sum b/go.sum
index ec1dbdad5e95..596e1e284e89 100644
--- a/go.sum
+++ b/go.sum
@@ -1376,8 +1376,8 @@ github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc
 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed/go.mod h1:tMWxXQ9wFIaZeTI9F+hmhFiGpFmhOHzyShyFUhRm0H4=
 github.com/hashicorp/cap v0.7.0 h1:atLIEU5lJslYXo1qsv7RtUL1HrJVVxnfkErIT3uxLp0=
 github.com/hashicorp/cap v0.7.0/go.mod h1:UynhCoGX3pxL0OfVrfMzPWAyjMYp96bk11BNTf2zt8o=
-github.com/hashicorp/cap/ldap v0.0.0-20240403125925-c0418810d10e h1:IakB/NhT0YtMEGqAf2tViMdBABC2cMAZn3O/mVeg2j4=
-github.com/hashicorp/cap/ldap v0.0.0-20240403125925-c0418810d10e/go.mod h1:Ofp5fMLl1ImcwjNGu9FtEwNOdxA0LYoWpcWQE2vltuI=
+github.com/hashicorp/cap/ldap v0.0.0-20241217213233-43d3999eefa1 h1:zDa61HKKjqDFL7ccA+kNjjOBopgyup1Dpg6DnRXLG4E=
+github.com/hashicorp/cap/ldap v0.0.0-20241217213233-43d3999eefa1/go.mod h1:vGqAhHKOR5gadKWjwhoWp3RKto/tmhVOtH8gcD0c8ss=
 github.com/hashicorp/cli v1.1.6 h1:CMOV+/LJfL1tXCOKrgAX0uRKnzjj/mpmqNXloRSy2K8=
 github.com/hashicorp/cli v1.1.6/go.mod h1:MPon5QYlgjjo0BSoAiN0ESeT5fRzDjVRp+uioJ0piz4=
 github.com/hashicorp/consul-template v0.39.1 h1:MfhPoNENzCVSEXtE7CnIm3JkCzM9K0I7rcJYofm1BYY=
From 8e66eaad18b391b649be35a1cde8f2964c9e5d67 Mon Sep 17 00:00:00 2001
From: kwagga
Date: Wed, 18 Dec 2024 11:45:12 +0100
Subject: [PATCH 7/9] Restart CI
From 34f77c568d634eeb20631c8687b8b3eed8b6bdfe Mon Sep 17 00:00:00 2001
From: kwagga
Date: Wed, 18 Dec 2024 12:21:23 +0100
Subject: [PATCH 8/9] Updated LDAP api-docs and docs describing the enable_samaccountname_login option
---
 website/content/api-docs/auth/ldap.mdx | 5 +++--
 website/content/docs/auth/ldap.mdx | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/website/content/api-docs/auth/ldap.mdx b/website/content/api-docs/auth/ldap.mdx
index bb9f8a44b482..68214847afc2 100644
--- a/website/content/api-docs/auth/ldap.mdx
+++ b/website/content/api-docs/auth/ldap.mdx
@@ -105,8 +105,9 @@ This endpoint configures the LDAP auth method.
 paged search control.
 - `use_token_groups` `(bool: true)` - (Optional) Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships.
-- `enable_samaccountname_login` `(bool: false)` - If true, matching sAMAccountName
- attribute values will be allowed to login when `upndomain` is defined.
+- `enable_samaccountname_login` `(bool: false)` - (Optional) If true, Active Directory
+ LDAP users can login using `sAMAccountName` in addition to the `userPrincipalName`
+ attribute value when `upndomain` is defined.
 @include 'tokenfields.mdx'
diff --git a/website/content/docs/auth/ldap.mdx b/website/content/docs/auth/ldap.mdx
index cead3960ef6f..5673e9fad903 100644
--- a/website/content/docs/auth/ldap.mdx
+++ b/website/content/docs/auth/ldap.mdx
@@ -144,6 +144,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m
 #### Binding - user principal name (AD)
 - `upndomain` (string, optional) - userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind as `username@example.com`.
+- `enable_samaccountname_login` (bool, optional) - If true, Active Directory LDAP users can login using `sAMAccountName` in addition to the `userPrincipalName` attribute value when `upndomain` is defined.
 ### Group membership resolution
From c2b3aaf8c1c66421c82d83384f6c7c7652690498 Mon Sep 17 00:00:00 2001
From: kwagga
Date: Fri, 20 Dec 2024 11:21:42 +0100
Subject: [PATCH 9/9] Added missing comma in config_test.go
---
 sdk/helper/ldaputil/config_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdk/helper/ldaputil/config_test.go b/sdk/helper/ldaputil/config_test.go
index 8e6b44ae3c81..e6aa02fb05c7 100644
--- a/sdk/helper/ldaputil/config_test.go
+++ b/sdk/helper/ldaputil/config_test.go
@@ -178,7 +178,7 @@ var jsonConfigDefault = []byte(`
 "max_page_size": 0,
 "CaseSensitiveNames": false,
 "ClientTLSCert": "",
- "ClientTLSKey": ""
+ "ClientTLSKey": "",
 "enable_samaccountname_login": false
 }
 `)