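#!/usr/bin/env bash
# Configure Vault's LDAP auth method against an AD-style directory: run three
# ldapsearch probes to check which group-lookup filter returns the expected
# entries, push the matching auth/ldap/config, then write a test policy.
# Abort on the first failing command, unset variable or failed pipeline stage
# rather than continuing to `vault write` with half-verified settings.
set -euo pipefail

# Required input: fill these in before running.
# NOTE(review): SERVICE_CN is not referenced anywhere else in this listing;
# presumably it was meant to build USER_DN further down — confirm.
SERVICE_CN=""
LDAP_BINDDN_PASSWORD=""
# Account whose group memberships are probed. Change only if this is not the
# right user to search on; most likely it is fine.
USERNAME=""
# Directory connection details. Most likely OK, adjust if necessary.
LDAP_URI=""
LDAP_BINDDN=""
USER_BASE_DN=""
GROUP_BASE_DN=""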
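#######################################
# Wrapper around ldapsearch so each query only has to set a few globals.
# Globals:   LDAP_URI, LDAP_BINDDN, LDAP_BINDDN_PASSWORD (read)
#            SEARCH_BASE, FILTER, ATTRIBUTES (read; set per query)
# Arguments: none
# Outputs:   LDIF entries from ldapsearch on stdout
# Returns:   ldapsearch's exit status, or 1 if the password file cannot be made
#######################################
ldap_s() {
  # A simple bind with an empty password may be treated as an unauthenticated
  # bind by the server, so refuse to run without one.
  : "${LDAP_BINDDN_PASSWORD:?LDAP_BINDDN_PASSWORD must be set}"
  # ATTRIBUTES is a space-separated list ("memberOf dn"); split it deliberately
  # instead of relying on unquoted expansion (which would also glob).
  local -a attrs=()
  read -r -a attrs <<<"${ATTRIBUTES:-}"
  # Hand the password to ldapsearch via -y (file) rather than -w (argv) so it
  # does not show up in `ps` or shell history. mktemp creates the file 0600;
  # printf '%s' avoids appending a newline, since -y uses the file verbatim.
  local pwfile rc=0
  pwfile=$(mktemp) || return 1
  printf '%s' "${LDAP_BINDDN_PASSWORD}" >"${pwfile}"
  # `|| rc=$?` keeps the cleanup below reachable even under `set -e`.
  ldapsearch -LLL \
    -H "${LDAP_URI}" \
    -y "${pwfile}" \
    -D "${LDAP_BINDDN}" \
    -b "${SEARCH_BASE}" \
    "${FILTER}" \
    ${attrs[@]+"${attrs[@]}"} || rc=$?
  rm -f -- "${pwfile}"
  return "${rc}"
}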
#### QUERY 1 ####
#
# Expected result: the user's entry with its memberOf values (the DNs of the
# groups it belongs to) plus its own dn, which is needed later as USER_DN.
# USERNAME is interpolated into the filter verbatim; it is operator-supplied
# here, but a value containing ( ) * or \ would need RFC 4515 escaping.
printf -v FILTER '(&(objectClass=person)(sAMAccountName=%s))' "${USERNAME}"
ATTRIBUTES='memberOf dn'
SEARCH_BASE="${USER_BASE_DN}"
ldap_s
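# QUERY 1 VAULT CONFIG
# bindpass is read from stdin ("-") instead of being passed on argv so the bind
# password is not visible in `ps` or shell history; printf '%s' avoids
# appending a newline to it.
# insecure_tls=true disables verification of the LDAP server certificate when
# TLS is in use (ldaps:// or starttls), and starttls=false means a plain
# ldap:// URI sends the bind in the clear; revisit both outside a lab.
printf '%s' "${LDAP_BINDDN_PASSWORD}" | vault write auth/ldap/config \
  url="${LDAP_URI}" \
  binddn="${LDAP_BINDDN}" \
  bindpass=- \
  userdn="${USER_BASE_DN}" \
  groupdn="${GROUP_BASE_DN}" \
  insecure_tls=true \
  starttls=false \
  userattr=sAMAccountName \
  groupfilter="(&(objectClass=person)(sAMAccountName={{.Username}}))" \
  groupattr="memberOf"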
# USER_DN: the DN of USERNAME's entry, required by QUERY 2 and QUERY 3.
# If the value below is correct, leave it as is; otherwise paste the dn that
# QUERY 1 printed next to the memberOf values.
# NOTE(review): SERVICE_CN declared at the top is unused in this listing and
# presumably belongs in this assignment — confirm.
USER_DN=""
#### QUERY 2 ####
#
# Expected result: the cn of every group that lists USER_DN directly as a
# member (direct membership only).
printf -v FILTER '(&(objectClass=group)(member=%s))' "${USER_DN}"
ATTRIBUTES='cn'
SEARCH_BASE="${GROUP_BASE_DN}"
ldap_s
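# QUERY 2 VAULT CONFIG
# bindpass is read from stdin ("-") instead of argv so the bind password does
# not show up in `ps` or shell history; printf '%s' adds no trailing newline.
# insecure_tls=true disables server-certificate verification whenever TLS is
# used and starttls=false leaves a plain ldap:// bind unencrypted; revisit
# both outside a lab.
printf '%s' "${LDAP_BINDDN_PASSWORD}" | vault write auth/ldap/config \
  url="${LDAP_URI}" \
  binddn="${LDAP_BINDDN}" \
  bindpass=- \
  userdn="${USER_BASE_DN}" \
  groupdn="${GROUP_BASE_DN}" \
  insecure_tls=true \
  starttls=false \
  userattr=sAMAccountName \
  groupfilter="(&(objectClass=group)(member={{.UserDN}}))" \
  groupattr="cn"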
#### QUERY 3 ####
#
# Expected result: the cn of every group USER_DN belongs to, including groups
# reached through nesting. The matching-rule OID 1.2.840.113556.1.4.1941 is
# Active Directory's transitive (in-chain) membership rule.
printf -v FILTER '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%s))' "${USER_DN}"
ATTRIBUTES='cn'
SEARCH_BASE="${GROUP_BASE_DN}"
ldap_s
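# QUERY 3 VAULT CONFIG
# bindpass is read from stdin ("-") instead of argv so the bind password does
# not show up in `ps` or shell history; printf '%s' adds no trailing newline.
# insecure_tls=true disables server-certificate verification whenever TLS is
# used and starttls=false leaves a plain ldap:// bind unencrypted; revisit
# both outside a lab. The groupfilter uses AD's transitive-membership matching
# rule so nested groups are resolved at login.
printf '%s' "${LDAP_BINDDN_PASSWORD}" | vault write auth/ldap/config \
  url="${LDAP_URI}" \
  binddn="${LDAP_BINDDN}" \
  bindpass=- \
  userdn="${USER_BASE_DN}" \
  groupdn="${GROUP_BASE_DN}" \
  insecure_tls=true \
  starttls=false \
  userattr=sAMAccountName \
  groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
  groupattr="cn"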
# Test policy: full create/read/update/list/delete on everything under
# secret/. Deliberately broad for verifying the LDAP login; narrow it before
# mapping it to real groups. The quoted delimiter writes the HCL verbatim.
cat > policy.hcl <<'EOF'
path "secret/*" {
  capabilities = ["create", "read", "update", "list", "delete"]
}
EOF
vault policy write test-policy policy.hcl