This repository has been archived by the owner on Nov 24, 2021. It is now read-only.

Merge pull request #14 from wintoncode/support_authorization_header
Support Authorization header
ah- authored Aug 3, 2018
2 parents c9804b3 + 92a2eba commit d027312
Showing 2 changed files with 13 additions and 3 deletions.
7 changes: 5 additions & 2 deletions README.md
Expand Up @@ -50,7 +50,7 @@ $ vault write sys/plugins/catalog/kerberos-auth-plugin sha_256="$(shasum -a 256
2. Enable the Kerberos auth method:

```sh
$ vault auth-enable -path=kerberos -plugin-name=kerberos-auth-plugin plugin
$ vault auth-enable -path=kerberos -plugin-name=kerberos-auth-plugin -passthrough-request-headers=Authorization plugin
Successfully enabled 'kerberos' at 'kerberos'!
```

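Review bot: the new `-passthrough-request-headers=Authorization` option on the `vault auth-enable` line only applies to mounts enabled with it, so a reader who already enabled the method from the previous version of this step will send the header without the plugin ever seeing it and silently end up on the body-parameter path. Suggest adding a sentence after the fence saying that existing mounts need to be re-enabled (or tuned) with the same option, and that the Authorization header is an alternative to the `authorization` request field rather than a replacement for it.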
Expand All @@ -77,7 +77,7 @@ base64 vault.keytab > vault.keytab.base64
vault write auth/kerberos/config [email protected] service_account="your_service_account"
```

4. Optionally configure LDAP backend to look up Vault policies.
4. Configure LDAP backend to look up Vault policies.
Configuration for LDAP is identical to the [LDAP](https://www.vaultproject.io/docs/auth/ldap.html)
auth method, but writing to to the Kerberos endpoint:

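Review bot: dropping "Optionally" from step 4 turns the LDAP backend into a documented requirement, but neither the commit message ("Support Authorization header") nor the code change explains why; if the intent is that a Kerberos login now always performs an LDAP lookup, state that here, otherwise keep "Optionally". While this paragraph is being touched, the unchanged context line `auth method, but writing to to the Kerberos endpoint:` has a doubled "to" that could be fixed in the same change.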
Expand All @@ -86,6 +86,9 @@ vault write auth/kerberos/config/ldap @vault-config/auth/ldap/config
vault write auth/kerberos/groups/example-role @vault-config/auth/ldap/groups/example-role
```

In non-kerberos mode, the LDAP bind and lookup works via the user that is currently trying to authenticate.
If you're running LDAP together with Kerberos you might want to set a binddn/bindpass in the ldap config.

## Developing

If you wish to work on this plugin, you'll first need
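Review bot: the added paragraph leaves the operative requirement vague: "non-kerberos mode" is not a term the rest of the README uses, and "you might want to set a binddn/bindpass" understates the point the paragraph is making, namely that with a Kerberos login there is no user password available for the bind-as-the-authenticating-user that the LDAP lookup otherwise relies on. Suggest stating it directly, e.g. "When authenticating with Kerberos, the LDAP lookup cannot bind as the user, so `binddn`/`bindpass` must be set in the LDAP config", and capitalising "Kerberos" consistently with the rest of the file.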
9 changes: 8 additions & 1 deletion path_login.go
Expand Up @@ -100,7 +100,14 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
// Clean ldap connection
defer ldapConnection.Close()

authorizationString := d.Get("authorization").(string)
authorizationString := ""
authorizationHeaders := req.Headers["Authorization"]
if len(authorizationHeaders) > 0 {
authorizationString = authorizationHeaders[0]
} else {
authorizationString = d.Get("authorization").(string)
}

s := strings.SplitN(authorizationString, " ", 2)
if len(s) != 2 || s[0] != "Negotiate" {
return logical.ErrorResponse("Missing or invalid authorization"), nil
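Review bot: the header branch wins silently over the `authorization` body field. When both are supplied and disagree, `authorizationString = authorizationHeaders[0]` is used and the body value is discarded with no error or log line; and when the header is present but empty, the `len(authorizationHeaders) > 0` check still takes the header branch, so the body fallback is skipped and the caller only sees the generic "Missing or invalid authorization". Suggest treating an empty first header value like an absent header (fall through to `d.Get("authorization")`), and either rejecting the request when both sources are present with different values or documenting the precedence in the README. It is also worth confirming that Vault delivers the passthrough header under exactly the key `Authorization`; if the key is canonicalised differently the map lookup misses silently. Minor style point: `authorizationString := ""` is overwritten in both branches, so `var authorizationString string` (or assigning the body value first and overriding it from the header) reads cleaner.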