From 1912f72ff269e83f081c7d06d02b8f59968ae0e3 Mon Sep 17 00:00:00 2001
From: Andreas Heider
Date: Thu, 2 Aug 2018 14:44:46 +0100
Subject: [PATCH 1/2] Support Authorization header
---
 README.md | 7 +++++--
 path_login.go | 5 +++++
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 80649bb6..b1ae48ad 100644
--- a/README.md
+++ b/README.md
@@ -50,7 +50,7 @@ $ vault write sys/plugins/catalog/kerberos-auth-plugin sha_256="$(shasum -a 256
 2. Enable the Kerberos auth method:
 ```sh
-$ vault auth-enable -path=kerberos -plugin-name=kerberos-auth-plugin plugin
+$ vault auth-enable -path=kerberos -plugin-name=kerberos-auth-plugin -passthrough-request-headers=Authorization plugin
 Successfully enabled 'kerberos' at 'kerberos'!
 ```
@@ -77,7 +77,7 @@ base64 vault.keytab > vault.keytab.base64
 vault write auth/kerberos/config keytab=@vault.keytab.base64 service_account="your_service_account"
 ```
-4. Optionally configure LDAP backend to look up Vault policies.
+4. Configure LDAP backend to look up Vault policies.
 Configuration for LDAP is identical to the [LDAP](https://www.vaultproject.io/docs/auth/ldap.html) auth method, but writing to to the Kerberos endpoint:
@@ -86,6 +86,9 @@ vault write auth/kerberos/config/ldap @vault-config/auth/ldap/config
 vault write auth/kerberos/groups/example-role @vault-config/auth/ldap/groups/example-role
 ```
+In non-kerberos mode, the LDAP bind and lookup works via the user that is currently trying to authenticate.
+If you're running LDAP together with Kerberos you might want to set a binddn/bindpass in the ldap config.
+
 ## Developing
 If you wish to work on this plugin, you'll first need
diff --git a/path_login.go b/path_login.go
index 46d70b48..884e813c 100644
--- a/path_login.go
+++ b/path_login.go
@@ -101,6 +101,11 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 defer ldapConnection.Close()
 authorizationString := d.Get("authorization").(string)
+ authorizationHeaders := req.Headers["Authorization"]
+ if len(authorizationHeaders) > 0 {
+ authorizationString = authorizationHeaders[0]
+ }
+
 s := strings.SplitN(authorizationString, " ", 2)
 if len(s) != 2 || s[0] != "Negotiate" {
 return logical.ErrorResponse("Missing or invalid authorization"), nil
From 92a2eba036c34646c63775a1afd8b0b548706515 Mon Sep 17 00:00:00 2001
From: Andreas Heider
Date: Fri, 3 Aug 2018 10:18:43 +0100
Subject: [PATCH 2/2] Make priority of header over body more explicit
---
 path_login.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/path_login.go b/path_login.go
index 884e813c..5606db12 100644
--- a/path_login.go
+++ b/path_login.go
@@ -100,10 +100,12 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 // Clean ldap connection
 defer ldapConnection.Close()
- authorizationString := d.Get("authorization").(string)
+ authorizationString := ""
 authorizationHeaders := req.Headers["Authorization"]
 if len(authorizationHeaders) > 0 {
 authorizationString = authorizationHeaders[0]
+ } else {
+ authorizationString = d.Get("authorization").(string)
 }
 s := strings.SplitN(authorizationString, " ", 2)
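Review bot: The new `else` branch in the [PATCH 2/2] hunk makes the body field the fallback, but nothing in the code records which source wins or that only one header value is honoured; a comment above the `if`, `// The passed-through Authorization header (first value only) takes precedence over the body field.`, would capture the precedence the patch title describes and the fact that any further `Authorization` values in `authorizationHeaders` are ignored. The lookup is by the exact key `"Authorization"`, so if the header were ever delivered under a different casing the request would silently fall back to the body field instead of failing — worth confirming against how Vault keys `req.Headers` for passthrough headers. The fallback keeps the unchecked assertion `d.Get("authorization").(string)`; with `authorizationString` already declared, `authorizationString, _ = d.Get("authorization").(string)` would turn a future schema-type mismatch into the existing "Missing or invalid authorization" response rather than a handler panic, and `var authorizationString string` reads more naturally than `:= ""` followed by assignment in both branches. The same exact-key lookup is introduced in the [PATCH 1/2] hunk, which this patch supersedes; pathLogin starts and ends outside both hunks.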