  1. # These need values
  2. SERVICE_CN=
  3. LDAP_BINDDN_PASSWORD=
  4.  
  5. # Change if this isn't the right user to search on. Most likely fine
  6. USERNAME=
  7.  
  8.  
  9. # Most likely OK, but can be changed if necessary
  10. LDAP_URI=
  11. LDAP_BINDDN=
  12. USER_BASE_DN=
  13. GROUP_BASE_DN=
  14.  
  15.  
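#######################################
# Wrapper around ldapsearch so the queries below stay short.
# Arguments (all optional; the globals are used when omitted, which is how
# the existing callers invoke it):
#   $1   - search base DN        (default: SEARCH_BASE)
#   $2   - LDAP filter           (default: FILTER)
#   $3.. - attributes to return  (default: ATTRIBUTES, split on whitespace)
# Globals read: LDAP_URI LDAP_BINDDN LDAP_BINDDN_PASSWORD
#               SEARCH_BASE FILTER ATTRIBUTES (only when arguments are omitted)
# Outputs:      LDIF from ldapsearch on stdout
# Returns:      ldapsearch's exit status
#######################################
ldap_s() {
  local base=${1-${SEARCH_BASE-}}
  local filter=${2-${FILTER-}}
  local -a attrs=()
  if (( $# > 2 )); then
    attrs=("${@:3}")
  else
    # Existing callers pass a whitespace-separated list in ATTRIBUTES.
    read -r -a attrs <<<"${ATTRIBUTES-}"
  fi
  # The bind password is handed over through a file descriptor (-y) rather
  # than -w on the command line, where any local user could read it from ps.
  ldapsearch -LLL \
    -H "${LDAP_URI}" \
    -D "${LDAP_BINDDN}" \
    -y <(printf '%s' "${LDAP_BINDDN_PASSWORD}") \
    -b "${base}" \
    "${filter}" \
    ${attrs[@]+"${attrs[@]}"}
}
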
  27. #### QUERY 1 ####
  28. #
  29. # This should return a list of groupDNs the user belongs to
  30. # Also returns the user's DN for usage later
  31.  
  32. FILTER="(&(objectClass=person)(sAMAccountName=${USERNAME}))"
  33. ATTRIBUTES="memberOf dn"
  34. SEARCH_BASE=${USER_BASE_DN}
  35. ldap_s
  36.  
  37. # QUERY 1 VAULT CONFIG
  38. vault write auth/ldap/config \
  39. url="${LDAP_URI}" \
  40. binddn="${LDAP_BINDDN}" \
  41. bindpass="${LDAP_BINDDN_PASSWORD}" \
  42. userdn="${USER_BASE_DN}" \
  43. groupdn="${GROUP_BASE_DN}" \
  44. insecure_tls=true \
  45. starttls=false \
  46. userattr=sAMAccountName \
  47. groupfilter="(&(objectClass=person)(sAMAccountName={{.Username}}))" \
  48. groupattr="memberOf"
  49.  
  50. # Uncomment if this is corrrect
  51. USER_DN=
  52. #
  53. # Paste the DN from QUERY 1 if not correct and uncomment
  54. #USER_DN=
  55.  
  56. #### QUERY 2 ####
  57. #
  58. # This should return a list of Group CNs the user is a member of
  59.  
  60. FILTER="(&(objectClass=group)(member=${USER_DN}))"
  61. ATTRIBUTES="cn"
  62. SEARCH_BASE=${GROUP_BASE_DN}
  63. ldap_s
  64.  
  65. # QUERY 2 VAULT CONFIG
  66. vault write auth/ldap/config \
  67. url="${LDAP_URI}" \
  68. binddn="${LDAP_BINDDN}" \
  69. bindpass="${LDAP_BINDDN_PASSWORD}" \
  70. userdn="${USER_BASE_DN}" \
  71. groupdn="${GROUP_BASE_DN}" \
  72. insecure_tls=true \
  73. starttls=false \
  74. userattr=sAMAccountName \
  75. groupfilter="(&(objectClass=group)(member={{.UserDN}}))" \
  76. groupattr="cn"
  77.  
  78.  
  79. #### QUERY 3 ####
  80. #
  81. # This should return a list of Group CNs the user is a member of
  82. # Used for nested groups in DN
  83.  
  84. FILTER="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=${USER_DN}))"
  85. ATTRIBUTES="cn"
  86. SEARCH_BASE=${GROUP_BASE_DN}
  87. ldap_s
  88.  
  89. # QUERY 3 VAULT CONFIG
  90. vault write auth/ldap/config \
  91. url="${LDAP_URI}" \
  92. binddn="${LDAP_BINDDN}" \
  93. bindpass="${LDAP_BINDDN_PASSWORD}" \
  94. userdn="${USER_BASE_DN}" \
  95. groupdn="${GROUP_BASE_DN}" \
  96. insecure_tls=true \
  97. starttls=false \
  98. userattr=sAMAccountName \
  99. groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
  100. groupattr="cn"
  101.  
  102.  
  103. cat > policy.hcl <<EOF
  104. path "secret/*" {
  105. capabilities = ["create", "read" ,"update", "list", "delete"]
  106. }
  107. EOF
  108.  
  109. vault policy write test-policy policy.hcl