auth-methods create
Command: boundary auth-methods create
The auth-methods create
command lets you create Boundary auth
method resources. The available auth method types are: LDAP, OIDC, and password.
Examples
The following example creates an OIDC auth method by passing the OIDC provider's domain (-issuer
), client ID, and client secret:
Example output:
Usage
Command options:
-description
(string: "")
- The description to set on the auth method.-name
(string: "")
- The name to set on the auth method.-scope-id
(string: "")
- The scope in which to make the request. The default isglobal
. You can also specify the scope using the BOUNDARY_SCOPE_ID environment variable.
CLI options
In addition to the command specific options, there are options common to all CLI commands and subcommands:
Usages by type
The available types are: ldap
, oidc
, and password
.
The boundary auth-methods create ldap
command creates an LDAP auth method.
Example
The following example creates an LDAP auth method with the name prodops
and the description LDAP auth-method for ProdOps
:
Usage
LDAP auth method options
The following are LDAP-specific options in addition to the command options:
-anon-group-search
- Uses anon bind when performing LDAP group searches (optional). The default isfalse
.-bind-dn
(string: "")
- Uses the distinguished name of entry to bind when performing user and group searches (optional).-bind-password
(string: "")
- Indicates the password to use along with bind-dn performing user and group searches (optional).-certificate
(string: "")
- Specifies a PEM-encoded X.509 CA certificate in ASN.1 DER form that can be used as a trust anchor when connecting to an LDAP server(optional). You can specify this value multiple times.-client-certificate
(string: "")
- Specifies a PEM-encoded X.509 client certificate in ASN.1 DER form that can be used to authenticate against an LDAP server (optional).-client-certificate-key
(string: "")
- Specifies a PEM-encoded X.509 client certificate key in PKCS #8, ASN.1 DER form used with the client certificate (optional).-discover-dn
- Uses anon bind to discover the bind DN of a user (optional). The default value isfalse
.-enable-groups
- Finds the authenticated user's groups during authentication (optional). The default isfalse
.-group-attr
(string: "")
- Indicates the attribute that enumerates a user's group membership from entries returned by a group search (optional).-group-dn
(string: "")
- Specifies the base DN under which to perform group search.-group-filter
(string: "")
- Indicates a go template used to construct a LDAP group search filter (optional).-insecure-tls
- Skips the LDAP server SSL certificate validation (optional). Use this option with caution; it is insecure. The default value isfalse
.-start-tls
- Issues the StartTLS command after connecting (optional). The default value isfalse
.-state
(string: "")
- Indicates the desired operational state of the auth method.-upn-domain
(string: "")
- Specifies the userPrincipalDomain used to construct the UPN string for the authenticating user (optional).-urls
(string: "")
- Indicates the LDAP URLs that specify LDAP servers to connect to (required). You can specify this value multiple times.-use-token-groups
- Uses the Active Directory tokenGroups constructed attribute of the user to find the group memberships (optional). The default value isfalse
.-user-attr
(string: "")
- Specifies the attribute on user entry that matches the username that is passed during authentication (optional).-user-dn
(string: "")
- Indicates the base DN under which to perform user search (optional).-user-filter
(string: "")
- Specifies a go template used to construct a LDAP user search filter (optional).