This document presents the configuration steps for LDAP-based authentication in Hashicorp Vault. It assumes that the LDAP server (OpenLDAP in this case) and the Hashicorp Vault server are already up and running. You can navigate to the following documents if your OpenLDAP or Hashicorp Vault setup and configuration is still pending:
Log in to the Vault server and enable the LDAP auth method:

```
$ vault login
Token (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                s.4UQZHg5MY4l7ongNcDlmqa2g
token_accessor       mvjgxApALws8U4cYmkRBOay7
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]
```
The user must have the permissions to enable the LDAP auth method. I've used the root token for login.

```
$ vault auth enable ldap
$ vault write auth/ldap/config \
    url="ldaps://192.168.56.102:3388" \
    userdn="dc=codiwan,dc=com" \
    userattr="uid" \
    groupdn="ou=Groups,dc=codiwan,dc=com" \
    groupfilter="(|(memberUid={{.Username}})(member={{.UserDN}}))" \
    groupattr="cn" \
    binddn="cn=ldapadmin,dc=codiwan,dc=com" \
    bindpass='qqq' \
    certificate=@ldap_ca_cert.crt \
    insecure_tls=false
```
The parameters passed to the write API are:

No. | Name | Value | Description |
---|---|---|---|
1. | url | "ldaps://192.168.56.102:3388" | The URL on which I've hosted the OpenLDAP (LDAP) server. Since TLS encryption is set, I've used the ldaps scheme. The CA certificate is passed using the certificate parameter. |
2. | userdn | "dc=codiwan,dc=com" | The base DN from which the user search will begin. |
3. | userattr | "uid" | The name of the attribute that contains the username. An example user DN from this setup is uid=alice,ou=People,dc=codiwan,dc=com; uid contains the username, so we pass alice to Vault for authentication. |
4. | groupdn | "ou=Groups,dc=codiwan,dc=com" | The base DN from which the group search will begin. Vault runs an LDAP search to find the logged-in user's groups. |
5. | groupattr | "cn" | The name of the attribute that contains the group name. An example group DN from this setup is cn=codiwanadmin,ou=Groups,dc=codiwan,dc=com; cn contains the group name. |
6. | binddn | "cn=ldapadmin,dc=codiwan,dc=com" | The DN of the account Vault binds as when it searches for users and groups. |
7. | bindpass | "qqq" | Password for the binddn user. |
8. | certificate | "@ldap_ca_cert.crt" | Path to the LDAP server's CA certificate. |
9. | insecure_tls | "false" | Keeps TLS certificate verification enabled. |
Assign policies to the LDAP groups:

```
$ vault write auth/ldap/groups/codiwanadmin policies=admin
Success! Data written to: auth/ldap/groups/codiwanadmin
$ vault write auth/ldap/groups/codiwangeneral policies=nonadmin
Success! Data written to: auth/ldap/groups/policies
```
Here we're assigning the admin policy to the users from the group codiwanadmin and the nonadmin policy to the users from the codiwangeneral group. These policies were created in the Vault Installation, Userpass, KV Secrets and Policy Authorization document.
Log in using the alice user:

```
$ vault login -method=ldap username=alice
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  s.XebKjVJYP0FlM5RQv1nOQw5a
token_accessor         6UGLAkOJVTPysaV6anEkHp9B
token_duration         768h
token_renewable        true
token_policies         ["admin" "default"]
identity_policies      []
policies               ["admin" "default"]
token_meta_username    adm
```
The policies contain the admin policy that we've assigned to the users from the codiwanadmin LDAP group. If we log in using the bob user's credentials, then:
```
$ vault login -method=ldap username=bob
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  s.fWr3BCvh7WnK7gijLQfBkyEO
token_accessor         QC5rX6rW7MzSAmDjMKupPjXD
token_duration         768h
token_renewable        true
token_policies         ["default" "nonadmin"]
identity_policies      []
policies               ["default" "nonadmin"]
token_meta_username    user1
```
Bob's token has been mapped to the nonadmin policy.
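As an added illustration (not code from the original post and not Vault's own implementation), the following Python simulates how the groupfilter and groupattr settings from the config above, together with the group-to-policy mapping, turn a username into the policy list seen on the tokens. The USERS, GROUPS and GROUP_POLICIES entries are constructed to mirror the DNs in this post, and the filter evaluator handles only the equality-and-OR subset that the default groupfilter uses.

```python
import re

# Constructed sample directory shaped like the post's DNs (not a real server).
USERS = {  # username -> DN that the userdn/userattr search would find
    "alice": "uid=alice,ou=People,dc=codiwan,dc=com",
    "bob": "uid=bob,ou=People,dc=codiwan,dc=com",
    "carol": "uid=carol,ou=People,dc=codiwan,dc=com",
}
GROUPS = [  # entries under groupdn; one posixGroup style, one groupOfNames style
    {"cn": "codiwanadmin", "memberUid": ["alice"]},
    {"cn": "codiwangeneral", "member": ["uid=bob,ou=People,dc=codiwan,dc=com"]},
    {"cn": "codiwanguest", "memberUid": ["carol"]},  # no policy mapped to it
]
GROUP_POLICIES = {"codiwanadmin": ["admin"], "codiwangeneral": ["nonadmin"]}
CONFIG = {
    "groupfilter": "(|(memberUid={{.Username}})(member={{.UserDN}}))",
    "groupattr": "cn",
}

def render_filter(template, username, user_dn):
    """Substitute the two template variables Vault exposes to groupfilter."""
    return template.replace("{{.Username}}", username).replace("{{.UserDN}}", user_dn)

def matches(entry, ldap_filter):
    """Evaluate the subset of LDAP filter syntax the default groupfilter uses:
    equality leaves (attr=value), optionally OR-ed together as (|(...)(...))."""
    if ldap_filter.startswith("(|"):
        leaves = re.findall(r"\(([^()]+)\)", ldap_filter[2:-1])
        return any(matches(entry, f"({leaf})") for leaf in leaves)
    attr, _, value = ldap_filter[1:-1].partition("=")
    return value in entry.get(attr, [])

def policies_for(username):
    """Return the sorted policy set a login as `username` would receive."""
    if username not in USERS:
        raise LookupError(f"{username}: no entry under userdn")  # login would fail
    ldap_filter = render_filter(CONFIG["groupfilter"], username, USERS[username])
    groups = [g[CONFIG["groupattr"]] for g in GROUPS if matches(g, ldap_filter)]
    policies = {"default"}  # every token also carries the default policy
    for group in groups:
        policies.update(GROUP_POLICIES.get(group, []))
    return sorted(policies)

if __name__ == "__main__":
    for user in USERS:
        print(user, policies_for(user))
```

Running it shows alice receiving admin and default and bob receiving default and nonadmin, matching the two logins above, while carol, whose group has no mapping, gets only default.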