Configure the LDAP secrets engine to either manage service accounts or service account libraries.
Source reference: :pyhvac.api.secrets_engines.ldap.configure
import hvac
client = hvac.Client()
# Authenticate to Vault using client.auth.x
# Not all these settings may apply to your setup, refer to Vault
# documentation for context of what to use here
config_response = client.secrets.ldap.configure(
binddn='username@domain.fqdn', # A upn or DN can be used for this value, Vault resolves the user to a dn silently
bindpass='***********',
url='ldaps://domain.fqdn',
userdn='cn=Users,dn=domain,dn=fqdn',
upndomain='domain.fqdn',
userattr="cn",
schema="openldap"
)
print(config_response)
Return the LDAP Secret Engine configuration.
Source reference: :pyhvac.api.secrets_engines.ldap.read_config
import hvac
client = hvac.Client()
# Authenticate to Vault using client.auth.x
config_response = client.secrets.ldap.read_config()
Rotate the password for the binddn entry used to manage LDAP. This generated password will only be known to Vault and will not be retrievable once rotated.
Source reference: :pyhvac.api.secrets_engines.ldap.rotate_root
import hvac
client = hvac.Client()
# Authenticate to Vault using client.auth.x
rotate_response = client.secrets.ldap.rotate_root()
Create or Update a role which allows the retrieval and rotation of an LDAP account. Retrieve and rotate the actual credential via generate_static_credentials().
Source reference: :pyhvac.api.secrets_engines.ldap.create_or_update_static_role
import hvac
client = hvac.Client()
# Authenticate to Vault using client.auth.x
role_response = client.secrets.ldap.create_or_update_static_role(
name='hvac-role',
username='sql-service-account',
dn='cn=sql-service-account,dc=petshop,dc=com',
rotation_period="60s")
Retrieve the role configuration which allows the retrieval and rotation of an LDAP account. Retrieve and rotate the actual credential via generate_static_credentials().
Source reference: :pyhvac.api.secrets_engines.ldap.read_static_role
import hvac
client = hvac.Client()
# Authenticate to Vault using client.auth.x
role_response = client.secrets.ldap.read_static_role(name='sql-service-account')
List all configured roles which allows the retrieval and rotation of an LDAP account. Retrieve and rotate the actual credential via generate_static_credentials().
Source reference: :pyhvac.api.secrets_engines.ldap.list_static_roles
import hvac
client = hvac.Client()
# Authenticate to Vault using client.auth.x
all_static_roles = client.secrets.ldap.list_static_roles()
Remove the role configuration which allows the retrieval and rotation of an LDAP account.
Passwords are not rotated upon deletion of a static role. The password should be manually rotated prior to deleting the role or revoking access to the static role.
Source reference: :pyhvac.api.secrets_engines.ldap.delete_static_role
import hvac
client = hvac.Client()
# Authenticate to Vault using client.auth.x
deletion_response = client.secrets.ldap.delete_static_role(name='sql-service-account')
Retrieve a service account password from LDAP. Return the previous password (if known). Vault shall rotate the password before returning it, if it has breached its configured ttl.
Source reference: :pyhvac.api.secrets_engines.ldap.generate_static_credentials
import hvac
client = hvac.Client()
# Authenticate to Vault using client.auth.x
gen_creds_response = client.secrets.ldap.generate_static_credentials(
name='hvac-role',
)
print('Retrieved Service Account Password: {access} (Current) / {secret} (Old)'.format(
access=gen_creds_response['data']['current_password'],
secret=gen_creds_response['data']['old_password'],
))
Manually rotate the password of an existing role.
Source reference: :pyhvac.api.secrets_engines.ldap.rotate_static_credentials
import hvac
client = hvac.Client()
# Authenticate to Vault using client.auth.x
rotate_response = client.secrets.ldap.rotate_static_credentials(name='hvac-role')