Configuring Vault LDAP Authentication

Introduction

Vault can authenticate users against an existing LDAP server with username/password credentials, so enabling the LDAP authentication method lets Vault fit into an organization's existing directory structure. LDAP users and groups are mapped to Vault policies through the auth/ldap/users/ and auth/ldap/groups/ paths.

In this Lab Step, you will enable the LDAP authentication method on the Vault server and assign policies to the organization's groups. The LDAP organization directory structure from the earlier Lab Step is repeated below for your convenience:

[Figure: LDAP organization directory tree]

Vault supports a wide variety of LDAP configurations. The configuration in this Lab Step is specific to the LDAP server in the Lab; the full range of configuration parameters is described in the Vault documentation.

Instructions

1. Enable LDAP authentication by entering:

vault auth enable ldap

The output displays the path as ldap/, but every authentication method is mounted under auth/, so the full path of this one is auth/ldap/. (If an organization needs more than one LDAP backend, the -path flag of vault auth enable mounts the method at a different path.)

2. List the available authentication methods to confirm LDAP is enabled:

vault auth list

3. Write the following LDAP configuration:

vault write auth/ldap/config \
    url="ldap://ldap.ca-lab.private" \
    userattr="cn" \
    userdn="ou=Users,dc=ca-lab,dc=private" \
    groupdn="ou=Users,dc=ca-lab,dc=private" \
    groupfilter="(&(objectClass=groupOfNames)(member={{.UserDN}}))" \
    groupattr="cn"

Two points about this configuration are worth noting. The URL uses plain ldap://, so each user's password travels to the directory unencrypted; that is acceptable on the Lab's private network, but in production use ldaps:// (or set starttls=true) with a certificate the Vault server validates, and leave insecure_tls at its default of false. The configuration also sets no binddn/bindpass, so Vault binds to the directory directly as the user, using the DN cn=<username>,ou=Users,dc=ca-lab,dc=private, rather than looking the user up with a service account first.

The config attributes have the following meanings:

  • url: The LDAP server URL
  • userattr: The attribute of LDAP user entries that holds the username used for authentication. cn is the common name, as shown in the LDAP tree diagram; with no binddn configured, Vault builds the bind DN as cn=<username>,<userdn>
  • userdn: The base distinguished name under which user entries are located
  • groupdn: The base distinguished name under which group searches are performed. In this directory the groups sit in the same Users organizational unit as the users and have the object class groupOfNames
  • groupfilter: An LDAP search filter describing how to find the groups a user belongs to. Vault renders the {{.UserDN}} template variable as the authenticated user's distinguished name (and {{.Username}} as the login name), so this filter matches groupOfNames entries whose member attribute lists the user's DN
  • groupattr: The attribute of each matching group entry whose value is used as the group name (here cn); that name is what you map to policies under auth/ldap/groups/

This configuration matches a schema in which membership is recorded on the group entry (a groupOfNames listing its members). Vault also supports directories that record membership on the user entry instead, for example in a memberOf attribute, by pointing groupfilter at the user's own entry and setting groupattr to that attribute.

 

4. Map the policies for each group by writing to auth/ldap/groups/:

vault write auth/ldap/groups/Engineering policies=Engineering
vault write auth/ldap/groups/Research policies=Research

You can associate multiple policies with an LDAP group by giving policies a comma-separated list. The token Vault issues at login carries the built-in default policy in addition to the mapped ones. Policy names are case-insensitive in Vault, and unless the LDAP config sets case_sensitive_names=true, Vault also lowercases user and group names when storing these mappings and when matching the group names returned by the directory, so the Engineering mapping is stored as engineering and matches either spelling.
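To make the login path this configuration sets up concrete, the following Python is an added example, not Vault's code and not part of the Lab: it models how Vault, given the config from step 3 and the mappings from step 4, builds the bind DN from a login name, renders groupfilter, finds the groupOfNames entries that list the user, and unions the mapped policies with default. The directory entries and the user names alice and bob are constructed, and the escaping routines follow RFC 4514/4515 as the example's own code rather than Vault's implementation.

```python
"""Added example (not Vault's own code): a model of how the LDAP auth method
configured in this Lab Step turns a login name into Vault policies. The user
names in DIRECTORY are constructed; the DN components, groupOfNames schema,
filter and group mapping are the ones written in steps 3 and 4."""

# Values written to auth/ldap/config in step 3.
CONFIG = {
    "userattr": "cn",
    "userdn": "ou=Users,dc=ca-lab,dc=private",
    "groupdn": "ou=Users,dc=ca-lab,dc=private",
    "groupfilter": "(&(objectClass=groupOfNames)(member={{.UserDN}}))",
    "groupattr": "cn",
}

# Constructed stand-in for the Lab directory (alice and bob are assumed names).
DIRECTORY = [
    {"dn": "cn=alice,ou=Users,dc=ca-lab,dc=private", "objectClass": ["inetOrgPerson"], "cn": ["alice"]},
    {"dn": "cn=bob,ou=Users,dc=ca-lab,dc=private", "objectClass": ["inetOrgPerson"], "cn": ["bob"]},
    {"dn": "cn=Engineering,ou=Users,dc=ca-lab,dc=private", "objectClass": ["groupOfNames"],
     "cn": ["Engineering"], "member": ["cn=alice,ou=Users,dc=ca-lab,dc=private"]},
    {"dn": "cn=Research,ou=Users,dc=ca-lab,dc=private", "objectClass": ["groupOfNames"],
     "cn": ["Research"], "member": ["cn=bob,ou=Users,dc=ca-lab,dc=private"]},
]

# Group -> policy mapping written to auth/ldap/groups/ in step 4.
GROUP_POLICIES = {"Engineering": ["Engineering"], "Research": ["Research"]}


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for a DN (RFC 4514 required set) so that a
    login name such as 'alice,ou=Admins' cannot add components to the bind DN."""
    s = "".join("\\00" if ch == "\x00" else ("\\" + ch if ch in '",+;<>\\' else ch)
                for ch in value)
    if value.startswith("#") or (value.startswith(" ") and len(value) > 1):
        s = "\\" + s                      # leading '#' or space must be escaped
    if value.endswith(" "):
        s = s[:-1] + "\\ "                # so must a trailing space
    return s


def user_bind_dn(username: str, config=CONFIG) -> str:
    """No binddn/bindpass is configured, so Vault binds directly as
    <userattr>=<username>,<userdn>, with the login name escaped as a DN value."""
    return f"{config['userattr']}={escape_dn_value(username)},{config['userdn']}"


def escape_filter_value(value: str) -> str:
    """Escape a value substituted into a search filter (RFC 4515)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def render_group_filter(template: str, user_dn: str, username: str) -> str:
    """Fill the {{.UserDN}} and {{.Username}} placeholders of groupfilter."""
    return (template.replace("{{.UserDN}}", escape_filter_value(user_dn))
                    .replace("{{.Username}}", escape_filter_value(username)))


def search_groups(directory, user_dn: str, config=CONFIG):
    """What the Lab's groupfilter selects: entries below groupdn with objectClass
    groupOfNames whose member attribute lists the user's DN. Returns the
    groupattr values, i.e. the group names Vault looks up under groups/."""
    base, wanted, names = "," + config["groupdn"].lower(), user_dn.lower(), []
    for entry in directory:
        if not entry["dn"].lower().endswith(base):
            continue
        if "groupOfNames" not in entry["objectClass"]:
            continue
        if any(m.lower() == wanted for m in entry.get("member", [])):
            names.extend(entry[config["groupattr"]])
    return names


def resolve_policies(ldap_groups, group_policies, case_sensitive_names=False):
    """Union of the policies mapped to the user's groups plus Vault's implicit
    'default' policy. Policy names are case-insensitive in Vault; group names
    are lowercased as well unless case_sensitive_names=true is configured."""
    norm = (lambda s: s) if case_sensitive_names else str.lower
    mapping = {norm(g): pols for g, pols in group_policies.items()}
    policies = {"default"}
    for group in ldap_groups:
        policies.update(p.lower() for p in mapping.get(norm(group), []))
    return sorted(policies)


def login_policies(username: str, directory=DIRECTORY, config=CONFIG,
                   group_policies=GROUP_POLICIES):
    """End to end: bind DN -> bind -> group search -> policies. Returns None when
    no entry has the bind DN (the bind fails); passwords are outside this model."""
    bind_dn = user_bind_dn(username, config)
    if not any(e["dn"].lower() == bind_dn.lower() for e in directory):
        return None
    return resolve_policies(search_groups(directory, bind_dn, config), group_policies)


if __name__ == "__main__":
    for name in ("alice", "bob", "alice,ou=Admins"):
        print(f"{name!r}: bind as {user_bind_dn(name)} -> {login_policies(name)}")
```

Running it shows that a login name such as alice,ou=Admins is escaped into a single RDN value, so it binds as no existing entry rather than as a different one, that a user outside both groups still receives the default policy, and that with case_sensitive_names left at its default the group name the directory returns matches the mapping regardless of case, while case_sensitive_names=true makes Engineering and engineering distinct.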

 

Summary

In this Lab Step, you configured Vault to use LDAP authentication and mapped a policy to each group in the organization's LDAP directory.