LDAP feature - Push mode to be able to set predetermined password #12135
Comments
Hi @avoidik! Can you go into a little more detail as to the sort of solution you'd be looking for? Or what workaround you'd utilize to get this resolved? That'll help us figure out a bit better whether this is already a known request or if we need to think about it more in-depth. Thanks! :)
Hello @hsimon-hashicorp, I'll do my best. In the current implementation there is only one possible way to get LDAP secrets, which is to request the LDAP role's credentials from the Vault API (let's name it pull-mode). The idea behind this feature is to establish a backward channel, so that a Vault user having enough permissions will be able to "preseed" an LDAP role with predetermined credentials by sending an API request to Vault, potentially based on an option flag, to make it happen only once, or as many times as needed (let's name these push-mode with lock and without lock, respectively). I hope my explanation is net positive. Please let me know if I need to expand my example further.
@avoidik Just to clarify, do you mean the OpenLDAP secrets engine, or the LDAP auth method? Based on your mention of the API, I'm thinking it's OpenLDAP secrets engine, but I want to make sure. Thanks! :)
Yes, it's about OpenLDAP.
Is your feature request related to a problem? Please describe.
I'd like to be able to set my predetermined password so that a connected service can bootstrap itself.
Describe the solution you'd like
Push mode in addition to the available pull mode, similar to the AppRole model.
Describe alternatives you've considered
A weird workaround based on the KV backend.
Explain any additional use-cases
Additional context