diff --git a/README.md b/README.md index d2c9cab..75ec742 100644 --- a/README.md +++ b/README.md @@ -591,6 +591,7 @@ folder for help with: - [Grafana](example_configs/grafana_ldap_config.toml) - [Grocy](example_configs/grocy.md) - [Harbor](example_configs/harbor.md) +- [HashiCorp Vault](example_configs/hashicorp-vault.md) - [Hedgedoc](example_configs/hedgedoc.md) - [Home Assistant](example_configs/home-assistant.md) - [Jellyfin](example_configs/jellyfin.md) diff --git a/example_configs/hashicorp-vault.md b/example_configs/hashicorp-vault.md new file mode 100644 index 0000000..c3ca774 --- /dev/null +++ b/example_configs/hashicorp-vault.md 
@@ -0,0 +1,77 @@ +# Configuration for HashiCorp Vault + +Official LDAP configuration documentation is located [here](https://developer.hashicorp.com/vault/docs/auth/ldap). + +**You'll need to authenticate using your root token or as a user who has permission to modify authentication methods!** + +## User Interface + +1. Navigate to `Access -> Authentication Methods` +2. Click `Enable new method +` in the top right and choose `LDAP` under `Infra` +3. Name the path whatever you want (preferably keep it default) and click `Enable method` at the bottom + +* URL: `ldap://lldap.example.com:3890` or `ldaps://lldap.example.com:6360` +* LDAP Options + * If you're using LDAPS and your server does not have your LDAPS certificate installed check `Insecure TLS` otherwise leave this unchecked + * User Attribute: `uid` + * User Principal (UPN) Domain: **LEAVE THIS BLANK** +* Customize User Search + * Name of Object to bind (binddn): `cn=admin,ou=people,dc=example,dc=com` + * User DN: `ou=people,dc=example,dc=com` + * Bindpass: `ChangeMe!` + * User Search Filter: `(&(uid={{.Username}})(objectClass=person))` +* Customize Group Member Search + * Group Filter: `(&(member={{.UserDN}})(objectclass=groupOfUniqueNames))` + * Group Attribute: `cn` + * Group DN: `ou=groups,dc=example,dc=com` + +4. Click `Save` at the bottom +5. Click into the auth menthod and then `Create group +` under the `Groups` tab +6. Set the name as the group you want users to have to authenticate to HashiCorp Vault +7. Set policy as `default` or whatever policy you want to tie to this group +8. Click `Save` at the bottom + +As long as your user is in the group you specified, you should now be able to select `LDAP` from the dropdown on the login page and use your credentials. + +## CLI + +**This requires the vault CLI to be installed on your machine** + +1. Set VAULT_ADDR environment variable + + ```bash + export VAULT_ADDR=https://vault.example.com + ``` +2. 
Login to vault and provide token when prompted + + ```bash + vault login + ```` +3. Enable the LDAP authentication method + + ```bash + vault auth enable ldap + ``` +4. Configure the LDAP authentication method + + ```bash + vault write auth/ldap/config \ + url="ldaps://lldaps.example.com:6360" \ + binddn="cn=admin,ou=people,dc=example,dc=com" \ + bindpass="ChangeMe!" \ + userdn="ou=people,dc=example,dc=com" \ + userfilter="(&(uid={{.Username}})(objectClass=person))" \ + groupdn="ou=groups,dc=example,dc=com" \ + groupfilter="(&(member={{.UserDN}})(objectclass=groupOfUniqueNames))" \ + userattr="uid" \ + groupattr="cn" \ + discoverdn=false + ``` + If you are using plain LDAP, change the URL accordingly. If you're using LDAPS and your server does not have your LDAPS certificate installed append `insecure_tls=true` to the bottom of the command. +5. Add your group to the LDAP configuration and set the policy + + ```bash + vault write auth/ldap/groups/vault_users policies=default + ``` + +As long as your user is in the group you specified, you should now be able to select `LDAP` from the dropdown on the login page and use your credentials. \ No newline at end of file
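Review bot: the LDAPS URL in the CLI step 4 (`url="ldaps://lldaps.example.com:6360"`) uses the hostname `lldaps.example.com`, while the UI section and the plain-LDAP example use `lldap.example.com`; the two sections should point at the same host, otherwise a reader copying the CLI command gets a connection failure. A few smaller points in the same hunk: the fence closing the `vault login` block is four backticks (```` ```` ````) instead of three, which breaks rendering of everything after it; "auth menthod" in UI step 5 should be "auth method"; in the UI section the bulleted settings block sits between numbered steps 3 and 4 without indentation, so most Markdown renderers will restart the numbering at 1 for step 4 (indent the bullets under step 3 to keep one list). Finally, since `bindpass="ChangeMe!"` is passed on the command line in step 4, it is worth a sentence telling readers that the bind password lands in shell history and process listings, and that the `Insecure TLS` / `insecure_tls=true` advice disables certificate verification, so it should be presented as a last resort after installing the LDAPS certificate rather than as the default fix.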