Testing the LDAP Authentication and Access Policies
Now that Vault is configured to use the LDAP server for authentication, you will verify in this Lab Step that LDAP logins work. You will also confirm that the group-to-policy mappings give the correct access to the two users in the organization. The LDAP structure is included below for your convenience:
1. Authenticate using LDAP as the user with the common name Jeremy Cook, entering the password sheep when prompted:
vault login -method=ldap username='Jeremy Cook'
The ldap auth method authenticates with a username and password. The output displays key-value pairs describing the token issued to the authenticated user. Observe that the token_policies pair includes engineering (alongside Vault's built-in default policy), which confirms the mapping from LDAP groups to Vault policies is working. The Vault CLI caches this token (in ~/.vault-token by default) and automatically issues subsequent commands on behalf of the last authenticated user, so you do not need to issue any additional commands to start using it.
2. List the capabilities of the authenticated user at secret/data/Engineering:
vault token capabilities secret/data/Engineering
These capabilities correspond to the ones granted by the engineering policy.
3. List the capabilities of the authenticated user at secret/data/Research:
vault token capabilities secret/data/Research
None of the policies attached to the token grants any access to secret/data/Research. Vault denies access to any path by default, so the result is deny.
4. Read the secrets stored at secret/Engineering:
vault kv get secret/Engineering
The two secrets are displayed at the bottom of the output. Recall that version 2 of the key-value secrets engine is versioned, and that the CLI inserts data/ after the mount name when it reads a secret. To gain access to the secret at secret/Engineering, you actually needed permission to read secret/data/Engineering, which is the path the engineering policy grants.
5. Attempt to read the secrets stored at secret/Research:
vault kv get secret/Research
The request fails with a permission denied error. The output also shows that the request was sent to the secret/data/Research path, the same path that returned deny in step 3.
6. Repeat the previous commands, but authenticate with username='Logan Rakai' and password wolf. Confirm the access controls match your expectations.
In this Lab Step, you tested the Vault LDAP configuration by authenticating and accessing secrets using LDAP users. By leveraging identities in LDAP, you do not need to duplicate any usernames and passwords in Vault. You can configure appropriate policies, and start using Vault with minimal overhead.
If you have time remaining in your Lab Session, try creating a policy and attaching it to a specific user instead of a group. To gain the required permissions, you will need to authenticate using the Root Token shown in the yellow section of the Vault server output with the command:
vault login <Root_Token>
Hint: LDAP user to policy mappings are written to paths in
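The checks in steps 1 through 6, and the user-specific mapping suggested above, can be reasoned about offline with the following added example. It is illustrative code written for this Lab Step, not Vault's source or CLI; it models the three behaviours the steps exercise (LDAP group-to-policy mapping, deny by default, and the data/ prefix that kv v2 adds to a path) on constructed data. The directory contents, the policy rule bodies, the secret values, Logan Rakai's membership in a research group and the existence of a research policy are all assumptions chosen to match the lab narrative; the user mapping function stands in for a write to Vault's auth/ldap/users/<name> endpoint.

```python
"""Toy model of Vault's LDAP auth method and policy evaluation (added example,
not Vault's own code). Directory, policies and secrets below are constructed."""

# Constructed LDAP directory: common name -> password and group memberships.
LDAP_USERS = {
    "Jeremy Cook": {"password": "sheep", "groups": ["engineering"]},
    "Logan Rakai": {"password": "wolf", "groups": ["research"]},  # assumed group
}

# Constructed group -> policy mappings (what auth/ldap/groups/<group> holds)
# and user -> policy mappings (auth/ldap/users/<user>), initially empty.
LDAP_GROUP_POLICIES = {"engineering": ["engineering"], "research": ["research"]}
LDAP_USER_POLICIES = {}

# Constructed policies: name -> list of (path pattern, capabilities).
# kv v2 stores the secret at secret/Engineering under secret/data/Engineering,
# so the rules name the data/ path, not the logical path shown to `vault kv`.
POLICIES = {
    "default": [],
    "engineering": [("secret/data/Engineering", ["read"])],
    "research": [("secret/data/Research", ["read"])],  # assumed policy
    "root": [("*", ["root"])],
}

# Constructed kv v2 contents of a mount named `secret`.
KV_STORE = {
    "secret/data/Engineering": {"db_user": "eng", "db_pass": "constructed"},
    "secret/data/Research": {"api_key": "constructed"},
}


def ldap_login(username, password):
    """Mimic `vault login -method=ldap`: check the password, then attach the
    union of the user's group policies, any user-specific policies and the
    built-in `default` policy to the returned token."""
    user = LDAP_USERS.get(username)
    if user is None or user["password"] != password:
        raise PermissionError("ldap: invalid username or password")
    policies = {"default"}
    for group in user["groups"]:
        policies.update(LDAP_GROUP_POLICIES.get(group, []))
    policies.update(LDAP_USER_POLICIES.get(username, []))
    return {"display_name": "ldap-" + username, "token_policies": sorted(policies)}


def _rule_matches(pattern, path):
    """Vault matches a rule exactly, or as a prefix when it ends in `*`.
    (The single-segment `+` wildcard is left out of this toy.)"""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return pattern == path


def token_capabilities(token, path):
    """Mimic `vault token capabilities <path>`: take the most specific matching
    rule from each attached policy, union the capabilities, let an explicit
    deny win, and fall back to deny when nothing matches (deny by default)."""
    caps = set()
    for name in token["token_policies"]:
        matches = [(p, c) for p, c in POLICIES.get(name, []) if _rule_matches(p, path)]
        if matches:
            # An exact match beats any glob; among globs the longest prefix wins.
            _, c = max(matches, key=lambda m: (not m[0].endswith("*"), len(m[0])))
            caps.update(c)
    if "deny" in caps or not caps:
        return ["deny"]
    return sorted(caps)


def kv_data_path(mount_path):
    """The rewrite `vault kv get` applies on a kv v2 mount: secret/<key> -> secret/data/<key>."""
    mount, _, key = mount_path.partition("/")
    return mount + "/data/" + key


def can_read_secret(token, mount_path):
    """True if the token may read the kv v2 secret at the logical path."""
    caps = token_capabilities(token, kv_data_path(mount_path))
    return "read" in caps or "root" in caps


def kv_get(token, mount_path):
    """Mimic `vault kv get <mount>/<key>`: authorize on the data/ path, as the
    error message in step 5 shows, then return the stored key-value pairs."""
    if not can_read_secret(token, mount_path):
        raise PermissionError("permission denied reading " + kv_data_path(mount_path))
    return KV_STORE[kv_data_path(mount_path)]


def attach_user_policy(username, policies):
    """Stand-in for writing a user-specific mapping (Vault's auth/ldap/users/<name>
    endpoint); it takes effect on the user's next login."""
    LDAP_USER_POLICIES[username] = list(policies)


if __name__ == "__main__":
    jeremy = ldap_login("Jeremy Cook", "sheep")
    print(jeremy["token_policies"])                               # ['default', 'engineering']
    print(token_capabilities(jeremy, "secret/data/Engineering"))  # ['read']
    print(token_capabilities(jeremy, "secret/data/Research"))     # ['deny']
    print(kv_get(jeremy, "secret/Engineering"))
    print(can_read_secret(jeremy, "secret/Research"))             # False
```

Two points the model makes visible that the CLI output only hints at: a rule on secret/Engineering (without data/) would never match a kv v2 read, so token_capabilities returns deny for that logical path even for Jeremy; and a user-specific mapping added with attach_user_policy is unioned with the group policies, so the next login carries both.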