This repository was archived by the owner on Nov 24, 2021. It is now read-only.

Commit d027312

Merge pull request #14 from wintoncode/support_authorization_header
Support Authorization header
2 parents c9804b3 + 92a2eba commit d027312

File tree: 2 files changed (+13, -3 lines)


README.md

Lines changed: 5 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -50,7 +50,7 @@ $ vault write sys/plugins/catalog/kerberos-auth-plugin sha_256="$(shasum -a 256
5050
2. Enable the Kerberos auth method:
5151

5252
```sh
53-
$ vault auth-enable -path=kerberos -plugin-name=kerberos-auth-plugin plugin
53+
$ vault auth-enable -path=kerberos -plugin-name=kerberos-auth-plugin -passthrough-request-headers=Authorization plugin
5454
Successfully enabled 'kerberos' at 'kerberos'!
5555
```
5656

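Review bot: the README now adds `-passthrough-request-headers=Authorization` to the enable command but never says why it is there or what happens without it; since the login handler falls back to the `authorization` request field when no header is present, an operator who skips the flag gets the old body-only behaviour with no error. Add a sentence after the command, e.g. `The -passthrough-request-headers=Authorization flag lets the plugin read the SPNEGO token from the HTTP Authorization header; without it only the authorization request field is used.` Also state that mounts enabled before this change must be re-enabled with the flag (or have the option tuned on the existing mount) for the header path to work.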
@@ -77,7 +77,7 @@ base64 vault.keytab > vault.keytab.base64
7777
vault write auth/kerberos/config [email protected] service_account="your_service_account"
7878
```
7979

80-
4. Optionally configure LDAP backend to look up Vault policies.
80+
4. Configure LDAP backend to look up Vault policies.
8181
Configuration for LDAP is identical to the [LDAP](https://www.vaultproject.io/docs/auth/ldap.html)
8282
auth method, but writing to to the Kerberos endpoint:
8383

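Review bot: dropping "Optionally" makes the LDAP step mandatory, which is consistent with `pathLogin` holding an LDAP connection (`defer ldapConnection.Close()` in the path_login.go hunk), but the rest of the step still reads like an extra; say what the LDAP config is used for at login (group lookup for policy mapping) and what a reader should expect if it is missing, so the step is not skipped. The unchanged context line `auth method, but writing to to the Kerberos endpoint:` has a doubled "to" that could be fixed in the same edit.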
@@ -86,6 +86,9 @@ vault write auth/kerberos/config/ldap @vault-config/auth/ldap/config
8686
vault write auth/kerberos/groups/example-role @vault-config/auth/ldap/groups/example-role
8787
```
8888

89+
In non-kerberos mode, the LDAP bind and lookup works via the user that is currently trying to authenticate.
90+
If you're running LDAP together with Kerberos you might want to set a binddn/bindpass in the ldap config.
91+
8992
## Developing
9093

9194
If you wish to work on this plugin, you'll first need
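Review bot: "In non-kerberos mode" is unclear in the README of a Kerberos plugin; the sentence is contrasting with the LDAP auth method, where the authenticating user's own password is available for the bind, and "you might want to" understates the point, because with a SPNEGO token the plugin has no password to bind with. Suggest: `With Kerberos the LDAP bind cannot use the authenticating user's credentials, so set binddn and bindpass in the ldap config to a dedicated read-only service account that is used for the group lookup.` Since bindpass is stored in the mount's config, also note that the account should have least privilege (read access to the user and group entries only).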

path_login.go

Lines changed: 8 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -100,7 +100,14 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
100100
// Clean ldap connection
101101
defer ldapConnection.Close()
102102

103-
authorizationString := d.Get("authorization").(string)
103+
authorizationString := ""
104+
authorizationHeaders := req.Headers["Authorization"]
105+
if len(authorizationHeaders) > 0 {
106+
authorizationString = authorizationHeaders[0]
107+
} else {
108+
authorizationString = d.Get("authorization").(string)
109+
}
110+
104111
s := strings.SplitN(authorizationString, " ", 2)
105112
if len(s) != 2 || s[0] != "Negotiate" {
106113
return logical.ErrorResponse("Missing or invalid authorization"), nil
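Review bot: when both an Authorization header and the `authorization` request field are present the header wins silently, and any Authorization values beyond `authorizationHeaders[0]` are ignored; a client or proxy that sends two tokens, or two different ones, is better rejected than guessed at. Suggest returning `logical.ErrorResponse` when `len(authorizationHeaders) > 1`, and when both sources are set and differ, instead of picking the first value. Confirm that the key Vault uses in `req.Headers` is exactly `"Authorization"`, since Go map lookups are case-sensitive. Minor points: `authorizationString := ""` followed by an assignment in both branches can be `var authorizationString string`, and the unchanged `s[0] != "Negotiate"` compare is case-sensitive although HTTP auth-scheme names are not, so `strings.EqualFold(s[0], "Negotiate")` is more robust now that the value can come from a real header.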
