Support LDAP username_as_alias Attribute (#1460)

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
hashicorp · Jun 1, 2022 · 7205d99 · 7205d99
1 parent ac99471
commit 7205d99
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 1 deletion.
diff --git a/vault/resource_ldap_auth_backend.go b/vault/resource_ldap_auth_backend.go
@@ -108,6 +108,12 @@ func ldapAuthBackendResource() *schema.Resource {
 			Optional: true,
 			Computed: true,
 		},
+		"username_as_alias": {
+			Type:        schema.TypeBool,
+			Optional:    true,
+			Computed:    true,
+			Description: "Force the auth method to use the username passed by the user as the alias name.",
+		},
 		"use_token_groups": {
 			Type:     schema.TypeBool,
 			Optional: true,
@@ -273,6 +279,10 @@ func ldapAuthBackendUpdate(ctx context.Context, d *schema.ResourceData, meta int
 		data["groupattr"] = v.(string)
 	}
 
+	if v, ok := d.GetOkExists("username_as_alias"); ok {
+		data["username_as_alias"] = v.(bool)
+	}
+
 	if v, ok := d.GetOkExists("use_token_groups"); ok {
 		data["use_token_groups"] = v.(bool)
 	}
@@ -354,6 +364,7 @@ func ldapAuthBackendRead(_ context.Context, d *schema.ResourceData, meta interfa
 	d.Set("groupfilter", resp.Data["groupfilter"])
 	d.Set("groupdn", resp.Data["groupdn"])
 	d.Set("groupattr", resp.Data["groupattr"])
+	d.Set("username_as_alias", resp.Data["username_as_alias"])
 	d.Set("use_token_groups", resp.Data["use_token_groups"])
 
 	// `bindpass`, `client_tls_cert` and `client_tls_key` cannot be read out from the API

diff --git a/vault/resource_ldap_auth_backend_test.go b/vault/resource_ldap_auth_backend_test.go
@@ -198,6 +198,7 @@ func testLDAPAuthBackendCheck_attrs(path string) resource.TestCheckFunc {
 			"deny_null_bind":       "deny_null_bind",
 			"upndomain":            "upndomain",
 			"groupfilter":          "groupfilter",
+			"username_as_alias":    "username_as_alias",
 			"groupdn":              "groupdn",
 			"groupattr":            "groupattr",
 			"use_token_groups":     "use_token_groups",
@@ -284,7 +285,8 @@ resource "vault_ldap_auth_backend" "test" {
     discoverdn             = false
     deny_null_bind         = true
     description            = "example"
-	userfilter             = "({{.UserAttr}}={{.Username}})"
+    userfilter             = "({{.UserAttr}}={{.Username}})"
+    username_as_alias      = true
     use_token_groups = %s
 }
 `, path, local, use_token_groups)

diff --git a/website/docs/r/ldap_auth_backend.html.md b/website/docs/r/ldap_auth_backend.html.md
@@ -67,6 +67,8 @@ The following arguments are supported:
 
 * `groupattr` - (Optional) LDAP attribute to follow on objects returned by groupfilter
 
+* `username_as_alias` - (Optional) Force the auth method to use the username passed by the user as the alias name.
+
 * `use_token_groups` - (Optional) Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships
 
 * `path` - (Optional) Path to mount the LDAP auth backend under