Introduction
LDAP groups structure and configuration
The LDAP group structure includes two groups and two users. The "prod" group is designated as a parent group for production-related users and includes two members, Tom and Jerry. The other group, "admin," is a separate group that includes only one member, Tom. Tom is a member of both LDAP groups.
Start an OpenLDAP container from the osixia/openldap Docker image, publishing the LDAP port 389.
$ docker run -p 389:389 --detach osixia/openldap
Find the ID of the LDAP container.
$ docker ps | grep ldap
482ae2f4ed4f osixia/openldap ...
Start an interactive shell session in the container using its ID.
$ docker exec -it 482ae2f4ed4f /bin/bash
Write the LDIF file ldap_group.ldif that defines the organizational units, the two groups and the two users.
root@482ae2f4ed4f:/# cat > ldap_group.ldif <<'EOF'
dn: ou=groups,dc=example,dc=org
objectClass: organizationalUnit
objectClass: top
ou: groups
description: groups of users

dn: ou=users,dc=example,dc=org
objectClass: organizationalUnit
objectClass: top
ou: users
description: users

dn: cn=prod,ou=groups,dc=example,dc=org
objectClass: groupOfNames
objectClass: top
description: parent group prod
cn: prod
member: cn=tom,ou=users,dc=example,dc=org
member: cn=jerry,ou=users,dc=example,dc=org

dn: cn=admin,ou=groups,dc=example,dc=org
objectClass: groupOfNames
objectClass: top
description: parent group admin
cn: admin
member: cn=tom,ou=users,dc=example,dc=org

dn: cn=tom,ou=users,dc=example,dc=org
objectClass: person
objectClass: top
cn: tom
sn: tom
memberOf: cn=prod,ou=groups,dc=example,dc=org
memberOf: cn=admin,ou=groups,dc=example,dc=org
userPassword: test

dn: cn=jerry,ou=users,dc=example,dc=org
objectClass: person
objectClass: top
cn: jerry
sn: jerry
memberOf: cn=prod,ou=groups,dc=example,dc=org
userPassword: test
EOF
Add the entries to the LDAP directory; enter the admin password "admin" when prompted.
root@482ae2f4ed4f:/# ldapadd -x -W -D "cn=admin,dc=example,dc=org" -f ldap_group.ldif
Enter LDAP Password:
adding new entry "ou=groups,dc=example,dc=org"
adding new entry "ou=users,dc=example,dc=org"
adding new entry "cn=prod,ou=groups,dc=example,dc=org"
adding new entry "cn=admin,ou=groups,dc=example,dc=org"
adding new entry "cn=jerry,ou=users,dc=example,dc=org"
Vault configuration
Enable the Vault LDAP auth method and configure the connection to the LDAP server (the bind DN and password are the OpenLDAP admin credentials; userdn and groupdn point at the two organizational units created above).
$ vault auth enable ldap
$ vault write auth/ldap/config url="ldap://192.168.4.29:389" \
bindpass="admin" \
starttls=false \
userdn="ou=users,dc=example,dc=org" \
groupdn="ou=groups,dc=example,dc=org" \
binddn="cn=admin,dc=example,dc=org"
The creation of the main-prod and main-admin Vault policies is not shown here; refer to Vault policies for details.
Create an external group named prod and attach the policy main-prod to it. The mount_accessor value is the accessor of the LDAP auth mount, which "vault auth list" displays.
$ vault write identity/group name=prod type=external mount_accessor=auth_ldap_6e5fed43 policies=main-prod
Key Value
--- -----
id 89469624-1c0b-8ad1-e824-5486a12a7f56
name prod
Create an external group alias named prod, using the group ID returned above as canonical_id. The alias name must match the LDAP group name (cn=prod) so that Vault can map a user's LDAP group membership to this external group.
$ vault write identity/group-alias name=prod mount_accessor=auth_ldap_6e5fed43 canonical_id=89469624-1c0b-8ad1-e824-5486a12a7f56
Key Value
--- -----
canonical_id 89469624-1c0b-8ad1-e824-5486a12a7f56
id 333a4eee-fb50-182a-7db2-ee60db4e3cfb
Create an external group named admin and attach the policy main-admin to it.
$ vault write identity/group name=admin type=external mount_accessor=auth_ldap_6e5fed43 policies=main-admin
Key Value
--- -----
id fee7147c-8881-41a8-065e-198a7fa48539
name admin
Create the external group alias named admin, again using the group ID returned above as canonical_id.
$ vault write identity/group-alias name=admin mount_accessor=auth_ldap_6e5fed43 canonical_id=fee7147c-8881-41a8-065e-198a7fa48539
Key Value
--- -----
canonical_id fee7147c-8881-41a8-065e-198a7fa48539
id 6d108269-020c-f664-9770-29f246ea7f40
Vault LDAP login follows the external group policy mapping
Log in as tom, who is a member of both the LDAP admin group and the prod group.
$ vault login -method=ldap username=tom
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token hvs.CAESIDxnn2XVuAb3xDrLjxDRzTHuFxnlQZeDBCXw4eSGQoI0GiEKHGh2cy5RNjk1MWFZNTNUQkJTODQwRjdzS3QwRFAQuQE
token_accessor s82wDjV61yrmzPpMDgspuOvG
token_duration 768h
token_renewable true
token_policies ["default"]
identity_policies ["main-admin" "main-prod"]
policies ["default" "main-admin" "main-prod"]
Log in as jerry, who is a member of the LDAP prod group only. The identity_policies column shows that only main-prod is attached.
$ vault login -method=ldap username=jerry
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token hvs.CAESIFRXC7wzBeHTysYP6M2pUDaQ6L-osO5TWla3gmUjQpg_GiEKHGh2cy4wcGVHcWJyemZLNkhyQW5qOHRDWDNQM2UQvgE
token_accessor DK0FT1JJHr9enrTUZ7Elo4MN
token_duration 768h
token_renewable true
token_policies ["default"]
identity_policies ["main-prod"]
policies ["default" "main-prod"]
token_meta_username jerry
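As an added example (not code from the original article), the following Python script ties the LDAP section and the login section together: it parses the LDIF entries, derives each user's groups from the groups' member attributes, checks that the hand-written memberOf values agree with those member lists, maps group names to the policies attached to the external groups (prod to main-prod, admin to main-admin, as configured above) and compares the result with the identity_policies column of a "vault login" table. The LDIF and the login tables embedded in the script are constructed copies of the ones shown above, with the ou entries dropped and token values replaced by placeholders; all function and constant names are the example's own.

```python
import re

# Constructed sample: the groups and users from ldap_group.ldif (ou entries
# omitted), with the blank line that LDIF requires between entries.
LDIF = """\
dn: cn=prod,ou=groups,dc=example,dc=org
objectClass: groupOfNames
member: cn=tom,ou=users,dc=example,dc=org
member: cn=jerry,ou=users,dc=example,dc=org

dn: cn=admin,ou=groups,dc=example,dc=org
objectClass: groupOfNames
member: cn=tom,ou=users,dc=example,dc=org

dn: cn=tom,ou=users,dc=example,dc=org
objectClass: person
memberOf: cn=prod,ou=groups,dc=example,dc=org
memberOf: cn=admin,ou=groups,dc=example,dc=org

dn: cn=jerry,ou=users,dc=example,dc=org
objectClass: person
memberOf: cn=prod,ou=groups,dc=example,dc=org
"""
# External-group alias name -> policy, as created with `vault write identity/group`.
EXTERNAL_GROUP_POLICIES = {"prod": "main-prod", "admin": "main-admin"}
# Constructed `vault login` table (token value replaced by a placeholder).
TOM_LOGIN = """\
Key                  Value
---                  -----
token                hvs.PLACEHOLDER-TOKEN
token_policies       ["default"]
identity_policies    ["main-admin" "main-prod"]
policies             ["default" "main-admin" "main-prod"]
"""
JERRY_LOGIN = TOM_LOGIN.replace('"main-admin" ', "") + "token_meta_username  jerry\n"


def parse_ldif(text):
    """Return {dn: {attribute_lowercase: [values]}} for each blank-line-separated entry."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                key, _, value = line.partition(":")
                attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries


def rdn_value(dn):
    """'cn=prod,ou=groups,dc=example,dc=org' -> 'prod' (the name Vault matches aliases on)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def has_class(attrs, name):
    return name.lower() in (oc.lower() for oc in attrs.get("objectclass", []))


def groups_of(entries, username):
    """Group names a user belongs to, taken from the groups' own member attributes."""
    return sorted(rdn_value(dn) for dn, attrs in entries.items()
                  if has_class(attrs, "groupOfNames")
                  and any(rdn_value(m) == username for m in attrs.get("member", [])))


def memberof_mismatches(entries):
    """Users whose hand-written memberOf values disagree with the groups' member lists."""
    bad = []
    for dn, attrs in entries.items():
        claimed = sorted(rdn_value(g) for g in attrs.get("memberof", []))
        if has_class(attrs, "person") and claimed != groups_of(entries, rdn_value(dn)):
            bad.append((rdn_value(dn), claimed, groups_of(entries, rdn_value(dn))))
    return bad


def expected_identity_policies(entries, username):
    """Policies Vault should attach through external groups for this LDAP user."""
    return sorted(EXTERNAL_GROUP_POLICIES[g] for g in groups_of(entries, username)
                  if g in EXTERNAL_GROUP_POLICIES)


def parse_login_output(text):
    """Parse the Key/Value table printed by `vault login`; bracketed lists become Python lists."""
    fields, in_table = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("---"):
            in_table = True
        elif in_table and line:
            key, _, value = line.partition(" ")
            value = value.strip()
            fields[key] = re.findall(r'"([^"]*)"', value) if value.startswith("[") else value
    return fields


def check_login(entries, username, login_output):
    """Return (ok, granted, expected) comparing the login's identity_policies with LDAP."""
    granted = sorted(parse_login_output(login_output).get("identity_policies", []))
    expected = expected_identity_policies(entries, username)
    return granted == expected, granted, expected


if __name__ == "__main__":
    entries = parse_ldif(LDIF)
    print("memberOf inconsistencies:", memberof_mismatches(entries))
    for user, output in (("tom", TOM_LOGIN), ("jerry", JERRY_LOGIN)):
        print(user, check_login(entries, user, output))
```

Running the script reports no memberOf inconsistencies and a match for both users; feeding it tom's login table under jerry's name, or an LDIF whose memberOf lines have drifted from the member attributes, makes the check fail, which is the kind of drift worth catching before an LDAP group change silently widens what a login is granted.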