Feature request: Allow configuration of kerberos authentication backend #1723
Comments
|
It's really odd to me that this isn't in the provider already. |
|
Just found that these resources are missing so I'm going to implement them as this auth backend is essentially unmanaged in our Vault. The one bit I've got stuck on is the resource for managing the I'm not sure how to manage that in a resource, normally I find another resource that behaves similarly and use its code as inspiration but I'm struggling to think of a suitable resource. I also wonder how that will affect the importability of this resource if it can never read the keytab value. |
|
A dedicated However, in the meantime, it's possible to create and manage a Kerberos backend using the resource "vault_auth_backend" "kerberos" {
type = "kerberos"
tune {
passthrough_request_headers = ["Authorization"]
allowed_response_headers = ["www-authenticate"]
}
}
resource "vault_generic_endpoint" "kerberos" {
path = "auth/${vault_auth_backend.kerberos.path}/config"
data_json = jsonencode({
keytab = filebase64("kerberos.keytab") # don't do this in production
service_account = "example"
})
ignore_absent_fields = true
disable_delete = true
}
resource "vault_generic_endpoint" "kerberos_ldap" {
path = "auth/${vault_auth_backend.kerberos.path}/config/ldap"
data_json = jsonencode({
url = "ldaps://example.com"
binddn = "cn=example,ou=Users,dc=example,dc=com"
bindpass = "example" # don't do this in production either
userdn = "dc=example,dc=com"
groupdn = "dc=example,dc=com"
upndomain = "EXAMPLE.COM"
})
ignore_absent_fields = true
disable_delete = true
} |
There currently doesn't seem to be a way to configure the Kerberos authentication backend with this provider.
We'd need resources like
vault_kerberos_auth_backend.The text was updated successfully, but these errors were encountered: