LDAP
Configure LDAP Secrets Secrets Engine
Configure the LDAP secrets engine to either manage service accounts or service account libraries.
Source reference: hvac.api.secrets_engines.ldap.configure()
import hvac
client = hvac.Client()
# Authenticate to Vault using client.auth.x
# Not all these settings may apply to your setup, refer to Vault
# documentation for context of what to use here
config_response = client.secrets.ldap.configure(
binddn='username@domain.fqdn', # A upn or DN can be used for this value, Vault resolves the user to a dn silently
bindpass='***********',
url='ldaps://domain.fqdn',
userdn='cn=Users,dn=domain,dn=fqdn',
upndomain='domain.fqdn',
userattr="cn",
schema="openldap"
)
print(config_response)
Read Config
Return the LDAP Secret Engine configuration.
Source reference: hvac.api.secrets_engines.ldap.read_config()
import hvac
client = hvac.Client()
# Authenticate to Vault using client.auth.x
config_response = client.secrets.ldap.read_config()
Rotate Root
Rotate the password for the binddn entry used to manage LDAP. This generated password will only be known to Vault and will not be retrievable once rotated.
Source reference: hvac.api.secrets_engines.ldap.rotate_root()
import hvac
client = hvac.Client()
# Authenticate to Vault using client.auth.x
rotate_response = client.secrets.ldap.rotate_root()
Create or Update Static Role
Create or Update a role which allows the retrieval and rotation of an LDAP account. Retrieve and rotate the actual credential via generate_static_credentials().
Source reference: hvac.api.secrets_engines.ldap.create_or_update_static_role()
import hvac
client = hvac.Client()
# Authenticate to Vault using client.auth.x
role_response = client.secrets.ldap.create_or_update_static_role(
name='hvac-role',
username='sql-service-account',
dn='cn=sql-service-account,dc=petshop,dc=com',
rotation_period="60s")
Read Static Role
Retrieve the role configuration which allows the retrieval and rotation of an LDAP account. Retrieve and rotate the actual credential via generate_static_credentials().
Source reference: hvac.api.secrets_engines.ldap.read_static_role()
import hvac
client = hvac.Client()
# Authenticate to Vault using client.auth.x
role_response = client.secrets.ldap.read_static_role(name='sql-service-account')
List Static Roles
List all configured roles which allows the retrieval and rotation of an LDAP account. Retrieve and rotate the actual credential via generate_static_credentials().
Source reference: hvac.api.secrets_engines.ldap.list_static_roles()
import hvac
client = hvac.Client()
# Authenticate to Vault using client.auth.x
all_static_roles = client.secrets.ldap.list_static_roles()
Delete Static Role
Remove the role configuration which allows the retrieval and rotation of an LDAP account.
Passwords are not rotated upon deletion of a static role. The password should be manually rotated prior to deleting the role or revoking access to the static role.
Source reference: hvac.api.secrets_engines.ldap.delete_static_role()
import hvac
client = hvac.Client()
# Authenticate to Vault using client.auth.x
deletion_response = client.secrets.ldap.delete_static_role(name='sql-service-account')
Generate Static Credentials
Retrieve a service account password from LDAP. Return the previous password (if known). Vault shall rotate the password before returning it, if it has breached its configured ttl.
Source reference: hvac.api.secrets_engines.ldap.generate_static_credentials()
import hvac
client = hvac.Client()
# Authenticate to Vault using client.auth.x
gen_creds_response = client.secrets.ldap.generate_static_credentials(
name='hvac-role',
)
print('Retrieved Service Account Password: {access} (Current) / {secret} (Old)'.format(
access=gen_creds_response['data']['current_password'],
secret=gen_creds_response['data']['old_password'],
))
Rotate Static Credentials
Manually rotate the password of an existing role.
Source reference: hvac.api.secrets_engines.ldap.rotate_static_credentials()
import hvac
client = hvac.Client()
# Authenticate to Vault using client.auth.x
rotate_response = client.secrets.ldap.rotate_static_credentials(name='hvac-role')