I would very much like to be able to periodically review which ldap groups give which policies. Currently this requires you to know up front which groups are configured, since the auth/ldap/groups path does not support listing. These groups do not even need to exist in ldap, so iterating over all ldap groups does not work either.
Worst case scenario, this could allow a disloyal vault admin to create a backdoor that other vault admins cannot find and plug. The more likely scenario is that some mapping is created and later forgotten, leaving certain users with more access than they were supposed to have.
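An added example of the periodic review the post asks for; it is not code from the issue or from Vault. It assumes the listing endpoint requested here exists and that `vault list -format=json auth/ldap/groups` returns `data.keys` while `vault read -format=json auth/ldap/groups/<name>` returns `data.policies`; the CLI outputs, the set of groups actually present in LDAP and the approved baseline are all constructed samples.

```python
import json

# Constructed sample of `vault list -format=json auth/ldap/groups` output
# (assumes the listing endpoint this issue asks for).
LIST_OUTPUT = json.dumps({"data": {"keys": ["admins", "devs", "ops-legacy", "zz-maint"]}})

# Constructed samples of `vault read -format=json auth/ldap/groups/<name>`,
# keyed by group name (output shape is an assumption; adjust for your version).
READ_OUTPUT = {
    "admins": json.dumps({"data": {"policies": ["admin"]}}),
    "devs": json.dumps({"data": {"policies": ["dev", "secret-rw"]}}),
    "ops-legacy": json.dumps({"data": {"policies": ["ops", "admin"]}}),
    "zz-maint": json.dumps({"data": {"policies": ["root-equivalent"]}}),
}

# Groups that actually exist in the directory (constructed; in practice the
# result of an ldapsearch over the group base DN).
LDAP_GROUPS = {"admins", "devs", "ops-legacy"}

# Reviewed baseline of what each mapping is allowed to grant (constructed).
APPROVED = {"admins": {"admin"}, "devs": {"dev", "secret-rw"}, "ops-legacy": {"ops"}}


def parse_mappings(list_json, read_json_by_group):
    """Turn the vault CLI JSON documents into {group: set(policies)}."""
    groups = json.loads(list_json)["data"]["keys"]
    return {g: set(json.loads(read_json_by_group[g])["data"]["policies"]) for g in groups}


def audit(mappings, ldap_groups, approved):
    """Flag mappings for groups that do not exist in LDAP (a mapping nobody can
    reach by enumerating the directory), mappings with no reviewed baseline, and
    mappings granting policies beyond their baseline. Returns a sorted list."""
    findings = []
    for group, policies in sorted(mappings.items()):
        if group not in ldap_groups:
            findings.append(("orphan-group", group, sorted(policies)))
        if group not in approved:
            findings.append(("unreviewed", group, sorted(policies)))
        else:
            extra = policies - approved[group]
            if extra:
                findings.append(("excess-policy", group, sorted(extra)))
    return findings


if __name__ == "__main__":
    for kind, group, detail in audit(parse_mappings(LIST_OUTPUT, READ_OUTPUT), LDAP_GROUPS, APPROVED):
        print(f"{kind:14} {group:12} {','.join(detail)}")
```

Run it from cron against the live CLI output and alert on any non-empty findings list; `ops-legacy` here shows the forgotten-mapping case and `zz-maint` the mapping to a group that is not in LDAP at all.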
I've slotted it in for 0.6 currently, and we'll see if we can get to it for that milestone. It's pretty simple to do, so PRs are welcome if you're interested :-)