Introduction
This guide outlines the minimum Active Directory (AD) policy requirements for using Vault's AD secrets engine, including necessary changes to both Active Directory and Vault password policies.
The AD secrets engine is a plugin which has two main features:
- The first feature, password rotation, has the AD secrets engine rotate AD passwords dynamically. It is designed for high-load environments where many instances may access a shared password simultaneously. With a simple setup and a simple `creds` API, instances do not need to be registered in advance to gain access: as long as they have been granted access to the credentials (`creds`) path via a method such as AppRole, the credentials are available. Passwords are rotated lazily based on preset TTLs and can be configured to a length that meets your needs.
- The second feature, service account check-out, lets a library of service accounts be checked out by a person or by machines. Vault secures service accounts with a check-out/check-in mechanism, rotating the password automatically whenever an account is checked in. Service accounts can be checked in voluntarily, or Vault checks them in when their lending period (the "ttl", in Vault's terms) ends.
According to Microsoft guidelines, LDAP password changes are only permitted over TLS connections, so a certificate must be configured and exported to Vault. Though not advised in a production environment, you can disable TLS for testing.
Both the AD and the Vault password policies must be set explicitly, because Vault's password requirements are often stricter than the default domain policy.
Procedure
1. Create and Configure a Vault Service Account in Active Directory (AD)
In Active Directory (AD), create a dedicated service account for Vault. Ensure that the following permissions are enabled for this account:
General Permissions:
- Change password
- Reset password
Property-Specific Permissions:
- Read userAccountControl
- Write userAccountControl
2. Password Policy Requirements
Ensure that the AD password policy and Vault password policy adhere to the following requirements:
- Must contain at least 1 lowercase letter
- Must contain at least 1 uppercase letter
- Must contain at least 1 number
- Must contain at least 1 special character
- Cannot be one of the last 24 passwords used
- Must be between 14 and 64 characters in length
3. Configure Vault
Prerequisites:
Before proceeding, ensure that you have the following in place:
- A Vault client with TLS enabled.
- A valid TLS certificate configured in Vault for LDAPS communication.
- The hosts file updated to map the ROOT-DOMAIN to the corresponding Windows Server IP address.
Steps:
- Enable the Active Directory (AD) secrets engine in Vault:
```shell
vault secrets enable ad
```
- Export your Vault AD service account credentials as environment variables:
```shell
export USERNAME=YOUR-VAULT-USERNAME-IN-AD@YOUR-AD-ROOT-DOMAIN
export PASSWORD=YOUR-VAULT-USER-IN-AD-PASSWORD
```
- Configure the AD secrets engine in Vault:
```shell
vault write ad/config \
  binddn=$USERNAME \
  bindpass=$PASSWORD \
  url=ldaps://YOUR-AD-ROOT-DOMAIN-HERE \
  userdn="CN=Users,DC=example,DC=net" \
  certificate=@PATH-TO-CERTIFICATE
```
- Create a role in the AD secrets engine to map Vault roles to AD service accounts:
```shell
vault write ad/roles/ROLE-NAME \
  service_account_name="USER-NAME@YOUR-AD-ROOT-DOMAIN"
```
- Retrieve credentials for the specified role:
```shell
vault read ad/creds/ROLE-NAME
```
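The following script is an added example, not part of the original guide: it encodes the section 2 password requirements as a Vault password policy, checks candidate passwords against the same rules locally, and re-runs the step 3 `ad/config` write with `password_policy` attached. The policy name `ad-rotation` and the HCL output path are assumptions; the other values are the guide's own placeholders.

```shell
# Added example, not from the original guide: encode the section 2 password
# rules as a Vault password policy and check passwords against them locally.
# The policy name "ad-rotation" and the HCL output path are assumptions.

# Emit a Vault password policy (HCL) matching the AD requirements. Vault's
# "length" is fixed, so 20 is chosen inside AD's 14..64 window; the "last 24
# passwords" rule is history, which only AD itself can enforce.
write_ad_password_policy() {
  cat > "$1" <<'EOF'
length = 20
rule "charset" {
  charset   = "abcdefghijklmnopqrstuvwxyz"
  min-chars = 1
}
rule "charset" {
  charset   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  min-chars = 1
}
rule "charset" {
  charset   = "0123456789"
  min-chars = 1
}
rule "charset" {
  charset   = "!@#$%^&*()-_=+"
  min-chars = 1
}
EOF
}

# Local pre-flight check of one password against the same rules: length
# 14..64 and at least one lowercase, uppercase, digit and non-alphanumeric
# character. Returns 0 when acceptable, 1 otherwise.
check_ad_password() {
  pw=$1
  [ "${#pw}" -ge 14 ] && [ "${#pw}" -le 64 ] || return 1
  case $pw in *[[:lower:]]*) ;; *) return 1 ;; esac
  case $pw in *[[:upper:]]*) ;; *) return 1 ;; esac
  case $pw in *[[:digit:]]*) ;; *) return 1 ;; esac
  case $pw in *[![:alnum:]]*) ;; *) return 1 ;; esac
}

# Register the policy and re-run the step 3 ad/config write with
# password_policy added (needs a running Vault; reuses the guide's placeholders).
register_with_vault() {
  vault write sys/policies/password/ad-rotation policy=@"$1" &&
  vault write ad/config binddn="$USERNAME" bindpass="$PASSWORD" \
    url=ldaps://YOUR-AD-ROOT-DOMAIN-HERE userdn="CN=Users,DC=example,DC=net" \
    certificate=@PATH-TO-CERTIFICATE password_policy=ad-rotation &&
  check_ad_password "$(vault read -field=password sys/policies/password/ad-rotation/generate)"
}
```

Run `check_ad_password` on a password generated from the policy before enabling rotation, so a mismatch between the Vault policy and the domain policy surfaces before the first rotation fails against AD.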