Adds an option to enable sAMAccountname logins when upndomain is set (#…

…29118) * Adds an option to enable sAMAccountname logins when upndomain is set * Adds an option to enable sAMAccountname logins when upndomain is set * Updated changelog entry * Update 29118.txt * Updated cap/ldap version due to needed dependency * Updated cap/ldap version due to needed dependency * Restart CI * Updated LDAP api-docs and docs describing the enable_samaccountname_login option * Added missing comma in config_test.go * Update enables_samaccountname Co-authored-by: Sarah Chavis <[email protected]> * Update enable_samaccountname_login feature documentation Co-authored-by: Sarah Chavis <[email protected]> --------- Co-authored-by: Sarah Chavis <[email protected]>
hashicorp · Jan 24, 2025 · 19adf7c · 19adf7c
1 parent 088bb4b
commit 19adf7c
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 27 deletions.
diff --git a/changelog/29118.txt b/changelog/29118.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+auth/ldap: Adds an option to enable sAMAccountname logins when upndomain is set. 
+```
diff --git a/sdk/helper/ldaputil/config.go b/sdk/helper/ldaputil/config.go
@@ -256,6 +256,11 @@ Default: ({{.UserAttr}}={{.Username}})`,
 			Description: "If set to a value greater than 0, the LDAP backend will use the LDAP server's paged search control to request pages of up to the given size. This can be used to avoid hitting the LDAP server's maximum result size limit. Otherwise, the LDAP backend will not use the paged search control.",
 			Default:     0,
 		},
+		"enable_samaccountname_login": {
+			Type:        framework.TypeBool,
+			Description: "If true, matching sAMAccountName attribute values will be allowed to login when upndomain is defined.",
+			Default:     false,
+		},
 	}
 }
 
@@ -434,6 +439,10 @@ func NewConfigEntry(existing *ConfigEntry, d *framework.FieldData) (*ConfigEntry
 		cfg.MaximumPageSize = d.Get("max_page_size").(int)
 	}
 
+	if _, ok := d.Raw["enable_samaccountname_login"]; ok || !hadExisting {
+		cfg.EnableSamaccountnameLogin = d.Get("enable_samaccountname_login").(bool)
+	}
+
 	return cfg, nil
 }
 
@@ -468,9 +477,10 @@ type ConfigEntry struct {
 	// where the tag was being ignored, causing it to be jsonified as "CaseSensitiveNames", etc.
 	// To continue reading in users' previously stored values,
 	// we chose to carry that forward.
-	CaseSensitiveNames *bool  `json:"CaseSensitiveNames,omitempty"`
-	ClientTLSCert      string `json:"ClientTLSCert"`
-	ClientTLSKey       string `json:"ClientTLSKey"`
+	CaseSensitiveNames        *bool  `json:"CaseSensitiveNames,omitempty"`
+	ClientTLSCert             string `json:"ClientTLSCert"`
+	ClientTLSKey              string `json:"ClientTLSKey"`
+	EnableSamaccountnameLogin bool   `json:"EnableSamaccountnameLogin"`
 }
 
 func (c *ConfigEntry) Map() map[string]interface{} {
@@ -481,29 +491,30 @@ func (c *ConfigEntry) Map() map[string]interface{} {
 
 func (c *ConfigEntry) PasswordlessMap() map[string]interface{} {
 	m := map[string]interface{}{
-		"url":                    c.Url,
-		"userdn":                 c.UserDN,
-		"groupdn":                c.GroupDN,
-		"groupfilter":            c.GroupFilter,
-		"groupattr":              c.GroupAttr,
-		"userfilter":             c.UserFilter,
-		"upndomain":              c.UPNDomain,
-		"userattr":               c.UserAttr,
-		"certificate":            c.Certificate,
-		"insecure_tls":           c.InsecureTLS,
-		"starttls":               c.StartTLS,
-		"binddn":                 c.BindDN,
-		"deny_null_bind":         c.DenyNullBind,
-		"discoverdn":             c.DiscoverDN,
-		"tls_min_version":        c.TLSMinVersion,
-		"tls_max_version":        c.TLSMaxVersion,
-		"use_token_groups":       c.UseTokenGroups,
-		"anonymous_group_search": c.AnonymousGroupSearch,
-		"request_timeout":        c.RequestTimeout,
-		"connection_timeout":     c.ConnectionTimeout,
-		"username_as_alias":      c.UsernameAsAlias,
-		"dereference_aliases":    c.DerefAliases,
-		"max_page_size":          c.MaximumPageSize,
+		"url":                         c.Url,
+		"userdn":                      c.UserDN,
+		"groupdn":                     c.GroupDN,
+		"groupfilter":                 c.GroupFilter,
+		"groupattr":                   c.GroupAttr,
+		"userfilter":                  c.UserFilter,
+		"upndomain":                   c.UPNDomain,
+		"userattr":                    c.UserAttr,
+		"certificate":                 c.Certificate,
+		"insecure_tls":                c.InsecureTLS,
+		"starttls":                    c.StartTLS,
+		"binddn":                      c.BindDN,
+		"deny_null_bind":              c.DenyNullBind,
+		"discoverdn":                  c.DiscoverDN,
+		"tls_min_version":             c.TLSMinVersion,
+		"tls_max_version":             c.TLSMaxVersion,
+		"use_token_groups":            c.UseTokenGroups,
+		"anonymous_group_search":      c.AnonymousGroupSearch,
+		"request_timeout":             c.RequestTimeout,
+		"connection_timeout":          c.ConnectionTimeout,
+		"username_as_alias":           c.UsernameAsAlias,
+		"dereference_aliases":         c.DerefAliases,
+		"max_page_size":               c.MaximumPageSize,
+		"enable_samaccountname_login": c.EnableSamaccountnameLogin,
 	}
 	if c.CaseSensitiveNames != nil {
 		m["case_sensitive_names"] = *c.CaseSensitiveNames
@@ -595,6 +606,7 @@ func ConvertConfig(cfg *ConfigEntry) *capldap.ClientConfig {
 		MaximumPageSize:                      cfg.MaximumPageSize,
 		DerefAliases:                         cfg.DerefAliases,
 		DeprecatedVaultPre111GroupCNBehavior: cfg.UsePre111GroupCNBehavior,
+		EnableSamaccountnameLogin:            cfg.EnableSamaccountnameLogin,
 	}
 
 	if cfg.Certificate != "" {

diff --git a/sdk/helper/ldaputil/config_test.go b/sdk/helper/ldaputil/config_test.go
@@ -178,6 +178,7 @@ var jsonConfigDefault = []byte(`
   "max_page_size": 0,
   "CaseSensitiveNames": false,
   "ClientTLSCert": "",
-  "ClientTLSKey": ""
+  "ClientTLSKey": "",
+  "enable_samaccountname_login": false
 }
 `)
diff --git a/website/content/api-docs/auth/ldap.mdx b/website/content/api-docs/auth/ldap.mdx
@@ -105,6 +105,9 @@ This endpoint configures the LDAP auth method.
   paged search control.
 - `use_token_groups` `(bool: true)` - (Optional) Use the Active Directory tokenGroups
   constructed attribute of the user to find the group memberships.
+- `enable_samaccountname_login` `(bool: false)` - (Optional) Lets Active Directory
+  LDAP users log in using `sAMAccountName` or `userPrincipalName` when the
+  `upndomain` parameter is set.
 
 @include 'tokenfields.mdx'
 

diff --git a/website/content/docs/auth/ldap.mdx b/website/content/docs/auth/ldap.mdx
@@ -144,6 +144,9 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m
 #### Binding - user principal name (AD)
 
 - `upndomain` (string, optional) - userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind as `[email protected]`.
+- `enable_samaccountname_login` `(bool: false)` - (Optional) Lets Active Directory
+  LDAP users log in using `sAMAccountName` or `userPrincipalName` when the
+  `upndomain` parameter is set.
 
 ### Group membership resolution