It would be great if the LDAP authentication backend could allow a token TTL to be set. It appears currently to set the token TTL to the max TTL for Vault. My understanding is that other auth. backends support setting a token TTL.
I asked about this in the IRC channel today and was told the LDAP backend didn't appear to allow a TTL configuration so I offered to file this enhancement request.
It doesn't set it to the max; it sets it to the default, but the default and the max are out-of-the-box both set to 30 days. This is changeable at the system level and at the mount level; see a very detailed explanation at https://www.vaultproject.io/docs/concepts/tokens.html
Since LDAP doesn't support different roles with different connections per role, there isn't much reason to have it support ttl/max ttl natively in favor of setting the mount ttl/max ttl. I suppose we could do a per-user ttl/max ttl or per-group, but that would add enough complexity (since users might match to more than one group) that we're looking at a rewrite that supports roles being the easier option. And that's not currently planned :-D
Reading through the documentation, it appears most of the other auth. backends support setting a TTL including AppRole, GitHub, Tokens, Usernames & Password, etc. It would make sense to me to provide TTL for LDAP just for consistency sake.
The vault tune solutions works perfectly though. For anyone else I was able to run "vault mount-tune -default-lease-ttl=1h /auth/ldap" to change the default TTL when using LDAP.
Based on the documentation, I thought only items returned from vault mounts could be tuned, but it appears to be broader.
It appears, that if we want to get a token with non-standard TTL out of ldap auth backend the only option is to get one with the default ttl, create a new one with the ttl we need and then revoke the original one. It's a bit cumbersome, and requires root/sudo (for -orphan flag), so having an explicit option for that the same way as those other backends would be nice.
@jefferai Could you please explain a bit more regarding this comment:
"Since LDAP doesn't support different roles with different connections per role, there isn't much reason to have it support ttl/max ttl natively"
Neither Tokens nor Usernames & Password backends "support different roles with different connections per role", yet they do have the ttl option. What makes ldap different?
I would like to add that this feature would be quite useful. I just want to restrict the token ttl and/or use count for tokens generated via the ldap auth backend. It would not matter what the user or group configuration in LDAP is, just saying you have to re-auth after x times or n uses. Otherwise a user could get access for 32 days by default (_unless you change that_) and their credentials in LDAP could expire well before then.
I found how to set the TTL for LDAP and thought it would be useful for anyone else landing here:
vault mount-tune -default-lease-ttl=9h -max-lease-ttl=24h auth/ldap
The same, but for the new CLI format:
vault auth tune -max-lease-ttl=24h ldap
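The commands above work, but Vault rejects a tune where the default TTL exceeds the max TTL, and it is easy to mistype a duration. The script below is an added example (not from this issue thread and not Vault's own code) that wraps the tune in a client-side pre-flight check and then reads the tuned values back from the mount's `sys/auth/<mount>/tune` endpoint. The helper names (`ttl_to_seconds`, `check_ttls`, `tune_ldap_ttls`) are my own; it assumes the LDAP backend is mounted at `auth/ldap`, that `VAULT_ADDR`/`VAULT_TOKEN` point at a reachable Vault, and it only accepts durations as a bare number of seconds or an integer with an s/m/h suffix.

```shell
#!/bin/sh
# Added example: tune the LDAP auth mount's token TTLs with a sanity check.
# Assumes: LDAP backend mounted at auth/ldap, VAULT_ADDR/VAULT_TOKEN set.

# ttl_to_seconds DURATION -> prints the duration in seconds, or returns 1 if
# it is not a bare integer (seconds) or an integer with an s/m/h suffix.
ttl_to_seconds() {
    case "$1" in
        *[!0-9smh]*|"") return 1 ;;   # unexpected character or empty
    esac
    num=${1%[smh]}                    # strip a single trailing unit letter
    case "$num" in
        ''|*[!0-9]*) return 1 ;;      # no digits left, or a unit mid-string
    esac
    case "$1" in
        *s) mult=1 ;;
        *m) mult=60 ;;
        *h) mult=3600 ;;
        *)  mult=1 ;;                 # bare integer: already seconds
    esac
    echo $((num * mult))
}

# check_ttls DEFAULT MAX -> 0 if both parse and DEFAULT <= MAX, else 1.
# This mirrors the rule Vault enforces server side when tuning a mount.
check_ttls() {
    d=$(ttl_to_seconds "$1") || return 1
    m=$(ttl_to_seconds "$2") || return 1
    [ "$d" -le "$m" ]
}

# tune_ldap_ttls DEFAULT MAX [MOUNT]: validate, tune, then read the result back.
# MOUNT defaults to "ldap" (assumption: backend mounted at auth/ldap).
tune_ldap_ttls() {
    mount=${3:-ldap}
    if ! check_ttls "$1" "$2"; then
        echo "refusing: default TTL '$1' must be <= max TTL '$2' and both must parse" >&2
        return 1
    fi
    vault auth tune -default-lease-ttl="$1" -max-lease-ttl="$2" "$mount" || return 1
    # Show what Vault actually stored for the mount.
    vault read "sys/auth/$mount/tune"
}

# Usage: only attempt the tune when a Vault CLI and address are available.
if [ -n "$VAULT_ADDR" ] && command -v vault >/dev/null 2>&1; then
    tune_ldap_ttls 9h 24h
fi
```

Run it with `sh tune-ldap-ttl.sh` after `vault login`; the final `vault read` shows `default_lease_ttl` and `max_lease_ttl` in seconds, which is the quickest way to confirm the tune landed on the right mount rather than on a secret backend with a similar name.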