Codiwan.com

The blog for Design Patterns, Linux, HA and Myself!

Using Vault with LDAP Login/Auth and Policy Authorization

Using Hashicorp Vault with LDAP (OpenLDAP) based Login/Auth and Policy Authorization

This document presents the configuration steps for LDAP-based authentication in Hashicorp Vault. It assumes that the LDAP server (OpenLDAP in this case) and the Hashicorp Vault server are both up and running. You can navigate to the following documents if your OpenLDAP or Hashicorp Vault setup and configuration is still pending:

Login to the Vault server and enable the LDAP authentication:

$ vault login
Token (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                s.4UQZHg5MY4l7ongNcDlmqa2g
token_accessor       mvjgxApALws8U4cYmkRBOay7
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

The user logging in must have permission to enable the LDAP auth method. I've used the root token to log in.

$ vault auth enable ldap
$ vault write auth/ldap/config \
    url="ldaps://192.168.56.102:3388" \
    userdn="dc=codiwan,dc=com" \
    userattr="uid" \
    groupdn="ou=Groups,dc=codiwan,dc=com" \
    groupfilter="(|(memberUid={{.Username}})(member={{.UserDN}}))" \
    groupattr="cn" \
    binddn="cn=ldapadmin,dc=codiwan,dc=com" \
    bindpass='qqq' \
    certificate=@ldap_ca_cert.crt \
    insecure_tls=false

The parameters passed to the write API are:

1. url: "ldaps://192.168.56.102:3388". This is the URL on which I've hosted the OpenLDAP (LDAP) server. Since TLS is enabled, I've used ldaps. The CA certificate is passed with the certificate parameter.
2. userdn: "dc=codiwan,dc=com". The base DN from which the user search begins.
3. userattr: "uid". The attribute that contains the username. An example user DN from this setup is uid=alice,ou=People,dc=codiwan,dc=com; uid holds the username, so we pass alice to Vault for authentication.
4. groupdn: "ou=Groups,dc=codiwan,dc=com". The base DN from which the group search begins. Vault runs an LDAP search to find the logged-in user's groups.
5. groupattr: "cn". The attribute that contains the group name. An example group DN from this setup is cn=codiwanadmin,ou=Groups,dc=codiwan,dc=com; cn holds the group name.
6. binddn: "cn=ldapadmin,dc=codiwan,dc=com". The credential Vault binds with to perform the user and group searches.
7. bindpass: "qqq". Password for the binddn user.
8. certificate: "@ldap_ca_cert.crt". Path to the LDAP server's CA certificate (the @ prefix makes the Vault CLI read the file's contents).
9. insecure_tls: "false". Keeps TLS certificate verification enabled.

Assign policies to the LDAP groups:

$ vault write auth/ldap/groups/codiwanadmin policies=admin
Success! Data written to: auth/ldap/groups/codiwanadmin
$ vault write auth/ldap/groups/codiwangeneral policies=nonadmin
Success! Data written to: auth/ldap/groups/codiwangeneral

Here we're assigning the admin policy to users from the codiwanadmin group and the nonadmin policy to users from the codiwangeneral group. These policies were created in the Vault Installation, Userpass, KV Secrets and Policy Authorization document.
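To see how the groupfilter, groupattr and group-to-policy mapping above decide which policies a login receives, here is an added Python example (not part of the original post and not Vault's own code) that renders the page's groupfilter template and evaluates it against a small constructed directory: one posixGroup listing members by memberUid and one groupOfNames listing them by member DN, matching the two branches of the filter.

```python
# The groupfilter from the page; {{.Username}} and {{.UserDN}} are the two
# template variables Vault substitutes before running the group search.
GROUP_FILTER = "(|(memberUid={{.Username}})(member={{.UserDN}}))"
GROUP_ATTR = "cn"

# Constructed sample entries under ou=Groups,dc=codiwan,dc=com (not real data).
GROUPS = [
    {"dn": "cn=codiwanadmin,ou=Groups,dc=codiwan,dc=com",
     "cn": ["codiwanadmin"], "memberUid": ["alice"]},            # posixGroup
    {"dn": "cn=codiwangeneral,ou=Groups,dc=codiwan,dc=com",
     "cn": ["codiwangeneral"],
     "member": ["uid=bob,ou=People,dc=codiwan,dc=com"]},        # groupOfNames
]
# What `vault write auth/ldap/groups/<name> policies=...` mapped on the page.
GROUP_POLICIES = {"codiwanadmin": ["admin"], "codiwangeneral": ["nonadmin"]}


def render_filter(template, username, user_dn):
    return template.replace("{{.Username}}", username).replace("{{.UserDN}}", user_dn)


def parse(flt, i=0):
    """Parse one parenthesised RFC 4515 filter node starting at index i.
    Returns (node, next_index); nodes are ('=', attr, value) or (op, [children]).
    Simplified: assertion values are assumed not to contain ')' (no escaping)."""
    assert flt[i] == "("
    i += 1
    if flt[i] in "&|!":
        op, children = flt[i], []
        i += 1
        while flt[i] != ")":
            child, i = parse(flt, i)
            children.append(child)
        return (op, children), i + 1
    end = flt.index(")", i)
    attr, value = flt[i:end].split("=", 1)   # DN values may themselves contain '='
    return ("=", attr, value), end + 1


def matches(node, entry):
    if node[0] == "=":
        return node[2] in entry.get(node[1], [])
    op, children = node
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)


def policies_for(username, user_dn):
    """Group names (taken from groupattr) the user matches, and the mapped policies.
    Vault would additionally attach the 'default' policy to the issued token."""
    node, _ = parse(render_filter(GROUP_FILTER, username, user_dn))
    groups = [g[GROUP_ATTR][0] for g in GROUPS if matches(node, g)]
    policies = sorted({p for g in groups for p in GROUP_POLICIES.get(g, [])})
    return groups, policies
```

A user who is in no matching group ends up with no mapped policies, which is the behaviour to check for when a login unexpectedly only carries default.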

Log in using the Alice user:

$ vault login -method=ldap username=alice
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  s.XebKjVJYP0FlM5RQv1nOQw5a
token_accessor         6UGLAkOJVTPysaV6anEkHp9B
token_duration         768h
token_renewable        true
token_policies         ["admin" "default"]
identity_policies      []
policies               ["admin" "default"]
token_meta_username    adm

The token's policies include the admin policy that we assigned to users from the codiwanadmin LDAP group. If we log in with Bob's credentials instead:

$ vault login -method=ldap username=bob
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  s.fWr3BCvh7WnK7gijLQfBkyEO
token_accessor         QC5rX6rW7MzSAmDjMKupPjXD
token_duration         768h
token_renewable        true
token_policies         ["default" "nonadmin"]
identity_policies      []
policies               ["default" "nonadmin"]
token_meta_username    user1

Bob's token has been mapped to the nonadmin policy.
