4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,9 @@
## Unreleased

CHANGES:

* `vault_ldap_auth_backend`: Set `deny_null_bind` to `true` by default if not provided in configuration ([#2622](https://github.com/hashicorp/terraform-provider-vault/pull/2622))

## 5.4.0 (Nov 3, 2025)

BEHAVIOR CHANGES: Please refer to the [upgrade topics](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/guides/version_5_upgrade.html#upgrade-topics)
17 changes: 15 additions & 2 deletions vault/resource_ldap_auth_backend.go
Expand Up @@ -247,8 +247,21 @@ func ldapAuthBackendResource() *schema.Resource {
Importer: &schema.ResourceImporter{
StateContext: schema.ImportStatePassthroughContext,
},
CustomizeDiff: getMountCustomizeDiffFunc(consts.FieldPath),
Schema: fields,
CustomizeDiff: schema.CustomizeDiffFunc(func(ctx context.Context, diff *schema.ResourceDiff, meta interface{}) error {
// Handle deny_null_bind default behavior
rawConfig := diff.GetRawConfig()
configValue := rawConfig.GetAttr(consts.FieldDenyNullBind)
if configValue.IsNull() {
// Field not set in config, ensure it defaults to true
if err := diff.SetNew(consts.FieldDenyNullBind, true); err != nil {
return err
}
}

// Apply mount customization
return getMountCustomizeDiffFunc(consts.FieldPath)(ctx, diff, meta)
}),
Schema: fields,
}, true)

// add automated rotation fields to the resource
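Review bot: The `diff.SetNew(consts.FieldDenyNullBind, true)` call in the new CustomizeDiff only succeeds when the `deny_null_bind` schema field is marked `Computed` — SDK v2's ResourceDiff.SetNew returns an error for any non-computed key — and nothing in the hunk records that coupling; the field definition is outside the hunk, so if it is not Optional+Computed every plan for a config that omits the field will fail rather than default. A comment tying the two together would help the next maintainer, e.g. `// SetNew requires deny_null_bind to be Optional+Computed in the schema; keep the two in sync.` The reason for enforcing the default here rather than with `Default: true` on the field (presumably to avoid a forced diff on existing state, or because the API does not echo the value back) is also worth stating in that comment. The `schema.CustomizeDiffFunc(...)` wrapper around the func literal is a redundant conversion, since the literal is assignable to the field directly. ldapAuthBackendResource's body begins before the hunk.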
68 changes: 68 additions & 0 deletions vault/resource_ldap_auth_backend_test.go
Expand Up @@ -344,6 +344,48 @@ func TestLDAPAuthBackend_tune_conflicts(t *testing.T) {
})
}

func TestLDAPAuthBackend_denyNullBindDefault(t *testing.T) {
t.Parallel()
path := acctest.RandomWithPrefix("tf-test-ldap-deny-null-bind")

resourceName := "vault_ldap_auth_backend.test"
resource.Test(t, resource.TestCase{
PreCheck: func() { testutil.TestAccPreCheck(t) },
ProtoV5ProviderFactories: testAccProtoV5ProviderFactories(context.Background(), t),
CheckDestroy: testLDAPAuthBackendDestroy,
Steps: []resource.TestStep{
{
Config: testLDAPAuthBackendConfig_denyNullBindNotSet(path),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr(resourceName, "path", path),
// Verify deny_null_bind defaults to true when not explicitly set
resource.TestCheckResourceAttr(resourceName, "deny_null_bind", "true"),
testLDAPAuthBackendCheck_attrs(resourceName, path),
),
},
{
Config: testLDAPAuthBackendConfig_denyNullBindExplicitFalse(path),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr(resourceName, "path", path),
// Verify deny_null_bind can be explicitly set to false
resource.TestCheckResourceAttr(resourceName, "deny_null_bind", "false"),
testLDAPAuthBackendCheck_attrs(resourceName, path),
),
},
{
Config: testLDAPAuthBackendConfig_denyNullBindNotSet(path),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr(resourceName, "path", path),
// Verify deny_null_bind returns to default true when removed from config
resource.TestCheckResourceAttr(resourceName, "deny_null_bind", "true"),
testLDAPAuthBackendCheck_attrs(resourceName, path),
),
},
testutil.GetImportTestStep(resourceName, false, nil, "bindpass", "disable_remount"),
},
})
}

func testLDAPAuthBackendDestroy(s *terraform.State) error {
for _, rs := range s.RootModule().Resources {
if rs.Type != "vault_ldap_auth_backend" {
Expand Down Expand Up @@ -726,3 +768,29 @@ resource "vault_ldap_auth_backend" "test" {
}
`, path)
}

func testLDAPAuthBackendConfig_denyNullBindNotSet(path string) string {
return fmt.Sprintf(`
resource "vault_ldap_auth_backend" "test" {
path = "%s"
url = "ldaps://example.org"
binddn = "cn=example.com"
bindpass = "supersecurepassword"
description = "Test LDAP auth backend for deny_null_bind behavior"
# deny_null_bind is intentionally not set to test default behavior
}
`, path)
}

func testLDAPAuthBackendConfig_denyNullBindExplicitFalse(path string) string {
return fmt.Sprintf(`
resource "vault_ldap_auth_backend" "test" {
path = "%s"
url = "ldaps://example.org"
binddn = "cn=example.com"
bindpass = "supersecurepassword"
description = "Test LDAP auth backend for deny_null_bind behavior"
deny_null_bind = false
}
`, path)
}
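Review bot: testLDAPAuthBackendConfig_denyNullBindNotSet and testLDAPAuthBackendConfig_denyNullBindExplicitFalse repeat the same HCL fixture and differ only in the single `deny_null_bind = false` line, so any future change to the shared attributes (url, binddn, bindpass, description) has to be made twice and can silently drift. A single helper such as `func testLDAPAuthBackendConfig_denyNullBind(path, extra string) string` that splices `extra` into the resource body, with the two existing names kept as one-line wrappers, would keep the fixtures aligned without touching the test steps in the earlier hunk. Both functions are complete within this hunk.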