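#!/usr/bin/env bash
#
# Reproduce: does an LDAP login whose policy ("foo-ns-admin") only grants
# access inside namespace "foo" still succeed after that namespace is deleted?
#
# Requires a reachable Vault with VAULT_ADDR/VAULT_TOKEN already set
# (namespaces are a Vault Enterprise feature) and `jq` on PATH. The LDAP
# side talks to the public test directory ldap.forumsys.com over plaintext
# ldap://, so nothing here should be reused against a real directory.
#
# Tracing (set -x) is intentionally NOT enabled: it would echo the LDAP
# password and the issued client token to stderr. `set -a` is likewise not
# used, so the token is not exported into every child process's environment.
set -euo pipefail

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

command -v vault >/dev/null || die "vault not found on PATH"
command -v jq >/dev/null || die "jq not found on PATH"

# LDAP config goes to an unpredictable temp file, removed on any exit path
# (the original wrote ./ldapConfig into the working directory and left it).
ldap_config=$(mktemp) || die "mktemp failed"
cleanup() { rm -f -- "$ldap_config"; }
trap cleanup EXIT

# Create namespace foo
vault namespace create foo

# Create policy in root namespace for foo's admin.
# Policy text is passed on stdin; the quoted delimiter keeps it literal.
vault policy write foo-ns-admin - <<'EOF'
path "foo/auth/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "foo/sys/auth"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "foo/sys/auth/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/*"
{
capabilities = ["read", "list"]
}
path "foo/identity/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "foo/sys/policies"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "foo/sys/policies/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "foo/sys/policy"
{
capabilities = ["read", "update", "list"]
}
path "foo/sys/policy/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "foo/sys/capabilities-self"
{
capabilities = ["read", "update", "list"]
}
path "foo/sys/mounts"
{
capabilities = ["read", "list"]
}
path "foo/sys/mounts/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "foo/sys/namespaces"
{
capabilities = ["read", "list"]
}
path "foo/sys/namespaces/*"
{
capabilities = ["create", "update", "delete", "list"]
}
EOF

# Mount and configure LDAP Auth.
# NOTE(review): binddn is configured without a bindpass; confirm whether the
# test directory accepts this bind or whether a password must be supplied via
# a separate channel (it must not be hard-coded in this file).
cat > "$ldap_config" <<'EOF'
{
"url": "ldap://ldap.forumsys.com",
"userattr": "uid",
"userdn": "dc=example,dc=com",
"groupdn": "dc=example,dc=com",
"binddn": "cn=read-only-admin,dc=example,dc=com"
}
EOF
vault auth enable ldap
vault write auth/ldap/config "@${ldap_config}"
vault write auth/ldap/groups/dev policies=foo-ns-admin
vault write auth/ldap/users/tesla groups=dev

# Create an external group and a respective group alias.
# jq prints "null" for a missing key, so guard against that as well as "".
dev_group_id=$(vault write -format json identity/group name=dev type=external | jq -r '.data.id')
[[ -n "$dev_group_id" && "$dev_group_id" != "null" ]] || die "identity/group did not return an id"
ldap_mount_accessor=$(vault auth list -format json | jq -r '.["ldap/"].accessor')
[[ -n "$ldap_mount_accessor" && "$ldap_mount_accessor" != "null" ]] || die "ldap/ mount accessor not found"
vault write identity/group-alias name=dev mount_accessor="$ldap_mount_accessor" canonical_id="$dev_group_id"

# Login using LDAP to get a client token.
# The credential is the well-known one for the public test directory; passing
# a real password on argv like this would expose it to `ps` on the host.
client_token=$(vault write -format json auth/ldap/login/tesla password=password | jq -r '.auth.client_token')
[[ -n "$client_token" && "$client_token" != "null" ]] || die "LDAP login did not return a client token"
vault token lookup "$client_token"

# Delete namespace foo and see if the login still works.
# Under set -e a failed login here ends the script non-zero, which is the
# observable result of the experiment.
vault namespace delete foo
vault write auth/ldap/login/tesla password=password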