This article is to help layout the minimum Active Directory (AD) policy requirements for Vault to use the AD secrets engine. In this guide changes will need to be made to both Active Directory and Password Policies in Vault.
The AD secrets engine is a plugin which has two main features.
The first feature (password rotation) is where the AD secrets engine rotates AD passwords dynamically. This is designed for a high-load environment where many instances may be accessing a shared password simultaneously. With a simple set up and a simple creds API, it doesn't require instances to be manually registered in advance to gain access. As long as access has been granted to the creds path via a method like AppRole, they're available. Passwords are lazily rotated based on preset TTLs and can have a length configured to meet your needs.
The second feature (service account check-out) is where a library of service accounts can be checked out by a person or by machines. Vault will automatically rotate the password each time a service account is checked in. Service accounts can be voluntarily checked in, or Vault will check them in when their lending period (or, "ttl", in Vault's language) ends.
As described in this Microsoft document, LDAP password changes are only allowed over TLS connections, therefore a certificate must be configured and exported to Vault. Thought not advised in a production environment, you can disable TLS for testing.
The password policies need to be set because Vault has very specific password requirements that are well beyond typical default domain requirements.
- Create and configure a Vault service account in AD with the following permissions enabled:
- Change password (general permissions)
- Reset password (general permissions)
- Read userAccountControl (property-specific permissions)
- Write userAccountControl (property-specific permissions)
- Password Policy Requirements
- Must contain at least 1 lowercase letter
- Must contain at least 1 uppercase letter
- Must contain at least 1 number
- Must contain at least 1 special character
- Cannot be one of the last 24 passwords used
- Must be between 14 and 64 characters
- Configure Vault
Running from a Vault client with TLS enabled and a copy of the certificate mentioned above. NOTE: Ensure the host file is updated to point to the ROOT-DOMAIN at the Windows Server IP address.
vault secrets enable ad
# Example userdn if your users are in the default "Users" folder:
vault write ad/config binddn=$USERNAME bindpass=$PASSWORD url=ldaps://YOUR-AD-ROOT-DOMAIN-HERE userdn="SEE-EXAMPLE-ABOVE" certificate=@PATH-TO-CERTIFICATE
vault write ad/roles/ROLE-NAME service_account_name="USER-NAME@YOUR-AD-ROOT-DOMAIN"
vault read ad/creds/ROLE-NAME
# On the first execution, previous password won't be shown.