Creates an LDAP Secret Backend for Vault.

```hcl
resource "vault_ldap_secret_backend" "config" {
  path         = "my-custom-ldap"
  binddn       = "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net"
  bindpass     = "SuperSecretPassw0rd"
  url          = "ldaps://localhost"
  insecure_tls = true
  userdn       = "CN=Users,DC=corp,DC=example,DC=net"
}
```
The following arguments are supported:

* `namespace` - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
* `path` - (Optional) The unique path this backend should be mounted at. Must not begin or end with a `/`. Defaults to `ldap`.
* `binddn` - (Required) Distinguished name of the object to bind as when performing user and group searches.
* `bindpass` - (Required) Password to use along with `binddn` when performing user searches.
* `certificate` - (Optional) CA certificate to use when verifying the LDAP server certificate; must be x509 PEM encoded.
* `connection_timeout` - (Optional) Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
* `client_tls_cert` - (Optional) Client certificate to provide to the LDAP server; must be x509 PEM encoded.
* `client_tls_key` - (Optional) Client certificate key to provide to the LDAP server; must be x509 PEM encoded.
* `default_lease_ttl_seconds` - (Optional) Default lease duration for secrets in seconds.
* `description` - (Optional) Human-friendly description of the mount for the Active Directory backend.
* `insecure_tls` - (Optional) Skip LDAP server SSL certificate verification. This is not recommended for production. Defaults to `false`.
* `local` - (Optional) Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.
* `max_lease_ttl_seconds` - (Optional) Maximum possible lease duration for secrets in seconds.
* `password_policy` - (Optional) Name of the password policy to use to generate passwords.
* `request_timeout` - (Optional) Timeout, in seconds, for the connection when making requests against the server before returning an error.
* `starttls` - (Optional) Issue a StartTLS command after establishing an unencrypted connection.
* `schema` - (Optional) The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
* `upndomain` - (Optional) Enables userPrincipalDomain login with `[username]@UPNDomain`.
* `url` - (Required) LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in order. Defaults to `ldap://127.0.0.1`.
* `userattr` - (Optional) Attribute used when searching users. Defaults to `cn`.
* `userdn` - (Optional) LDAP domain to use for users (e.g. `ou=People,dc=example,dc=org`).
* `skip_static_role_import_rotation` - (Optional) If set to `true`, static roles will not be rotated during import. Defaults to `false`. Requires Vault 1.16 or above.
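The example at the top of this page disables certificate verification and embeds the bind password as a literal, which is fine for a local test but not for a real mount. The following is an added example (not from the provider docs) showing the same resource with the arguments above set for production. It assumes a PEM CA file at `certs/corp-ldap-ca.pem` under the module, a dedicated bind account `vault-ldap-svc`, and a Vault password policy named `corp-ad-policy`; all three are placeholders.

```hcl
# Added example, not part of the provider documentation. Assumed values:
# the CA file path, the service-account DN and the password policy name.

variable "ldap_bindpass" {
  type      = string
  sensitive = true # redacted from plan/apply output; supplied via TF_VAR_ldap_bindpass
}

resource "vault_ldap_secret_backend" "config" {
  path        = "my-custom-ldap"
  description = "Corp AD service-account credential management"

  # Two servers over LDAPS, tried in order (comma-separated, as documented above).
  url = "ldaps://ldap1.corp.example.net,ldaps://ldap2.corp.example.net"

  # Verify the server chain against the internal CA instead of skipping verification.
  insecure_tls = false
  certificate  = file("${path.module}/certs/corp-ldap-ca.pem")

  # Bind with a dedicated, least-privilege account rather than Administrator.
  # The password comes from the sensitive variable, never from a literal.
  binddn   = "CN=vault-ldap-svc,OU=ServiceAccounts,DC=corp,DC=example,DC=net"
  bindpass = var.ldap_bindpass
  userdn   = "CN=Users,DC=corp,DC=example,DC=net"
  schema   = "ad"

  # Fail fast on an unreachable server rather than hanging the Vault request.
  connection_timeout = 10
  request_timeout    = 30

  # Bound credential lifetimes and constrain generated passwords to a policy.
  default_lease_ttl_seconds = 3600
  max_lease_ttl_seconds     = 86400
  password_policy           = "corp-ad-policy"
}
```

Because `bindpass` is stored in Terraform state regardless of how it is supplied, the state backend itself needs the same access controls as the Vault mount.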
No additional attributes are exported by this resource.
LDAP secret backend can be imported using the `${mount}/config`, e.g.

```shell
$ terraform import vault_ldap_secret_backend.config ldap/config
```