From 0d3c0c09c88535c6d66ff84d95b855d1f9beae8b Mon Sep 17 00:00:00 2001
From: Jakob Beckmann <32326425+f4z3r@users.noreply.github.com>
Date: Thu, 23 Feb 2023 17:16:17 +0100
Subject: [PATCH] feat(auth/ldap): allow passing the LDAP password via an env var (#18225)
* feat(auth/ldap): allow passing the LDAP password via an environment variable when authenticating via the CLI
* chore(auth/ldap): add changelog entry for PR 18225
---
 builtin/credential/ldap/cli.go | 24 ++++++++++++++++--------
 changelog/18225.txt | 3 +++
 2 files changed, 19 insertions(+), 8 deletions(-)
 create mode 100644 changelog/18225.txt
diff --git a/builtin/credential/ldap/cli.go b/builtin/credential/ldap/cli.go
index e0d744b4caadb..bb28ecb2364af 100644
--- a/builtin/credential/ldap/cli.go
+++ b/builtin/credential/ldap/cli.go
@@ -26,12 +26,15 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
 }
 password, ok := m["password"]
 if !ok {
- fmt.Fprintf(os.Stderr, "Password (will be hidden): ")
- var err error
- password, err = pwd.Read(os.Stdin)
- fmt.Fprintf(os.Stderr, "\n")
- if err != nil {
- return nil, err
+ password = passwordFromEnv()
+ if password == "" {
+ fmt.Fprintf(os.Stderr, "Password (will be hidden): ")
+ var err error
+ password, err = pwd.Read(os.Stdin)
+ fmt.Fprintf(os.Stderr, "\n")
+ if err != nil {
+ return nil, err
+ }
 }
 }
@@ -70,8 +73,9 @@ Usage: vault login -method=ldap [CONFIG K=V...]
 Configuration:
 password=
- LDAP password to use for authentication. If not provided, the CLI will
- prompt for this on stdin.
+ LDAP password to use for authentication. If not provided, it will use
+ the VAULT_LDAP_PASSWORD environment variable. If this is not set, the
+ CLI will prompt for this on stdin.
 username=
 LDAP username to use for authentication.
@@ -89,3 +93,7 @@ func usernameFromEnv() string {
 }
 return ""
 }
+
+func passwordFromEnv() string {
+ return os.Getenv("VAULT_LDAP_PASSWORD")
+}
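Review bot: The new fallback inside the `if !ok` branch of Auth (first hunk) has no comment stating the lookup order, and the branch is still keyed on key presence only, so an explicit `password=` with an empty value skips both the environment variable and the prompt. I would add `// Lookup order: password= argument, then VAULT_LDAP_PASSWORD, then an interactive prompt on stdin.` above `password, ok := m["password"]`. Whether an empty explicit value should be rejected here is worth deciding deliberately, because some directory servers may treat an empty-password bind as an unauthenticated bind; how the server side of this method handles that is not visible in the hunk. Auth's body begins and ends outside this hunk.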
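Review bot: The rewritten `password=` help text (second hunk) introduces VAULT_LDAP_PASSWORD without telling the operator what the trade-off is between the three ways of supplying the secret. A value in the environment is typically readable by other processes running as the same user and is inherited by child processes, and a value given as `password=` on the command line can end up in shell history and process listings, so the prompt remains the least exposed option. I would append one sentence to the help text, for example `Prefer the prompt for interactive use; the environment variable is intended for automation.` The help string starts and ends outside this hunk.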
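Review bot: `passwordFromEnv` (third hunk) has no doc comment and spells the variable name as a bare literal that the help text in the same file repeats, so the two can drift apart. I would add `// passwordFromEnv returns the LDAP password from VAULT_LDAP_PASSWORD, or "" if it is unset or empty.` and consider a package-level constant for the name. Because `os.Getenv` cannot distinguish unset from set-but-empty, an automation job whose secret expands to an empty string falls through to the stdin prompt in Auth rather than failing with a clear message; `os.LookupEnv` would let the caller report that case explicitly.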
diff --git a/changelog/18225.txt b/changelog/18225.txt
new file mode 100644
index 0000000000000..567c3c78da95e
--- /dev/null
+++ b/changelog/18225.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+auth/ldap: allow providing the LDAP password via an env var when authenticating via the CLI
+```