gandc/lldap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
lldap/example_configs/hashicorp-vault.md
Dakota G 1f26262e13
example_configs: add Hashicorp
2024-12-10 07:34:50 +01:00

77 lines
3.0 KiB
Markdown
Raw Permalink Blame History

# Configuration for HashiCorp Vault
Official LDAP configuration documentation is located [here](https://developer.hashicorp.com/vault/docs/auth/ldap).
**You'll need to authenticate using your root token or as a user who has permission to modify authentication methods!**
## User Interface
1. Navigate to `Access -> Authentication Methods`
2. Click `Enable new method +` in the top right and choose `LDAP` under `Infra`
3. Name the path whatever you want (preferably keep it default) and click `Enable method` at the bottom
* URL: `ldap://lldap.example.com:3890` or `ldaps://lldap.example.com:6360`
* LDAP Options
* If you're using LDAPS and your server does not have your LDAPS certificate installed check `Insecure TLS` otherwise leave this unchecked
* User Attribute: `uid`
* User Principal (UPN) Domain: **LEAVE THIS BLANK**
* Customize User Search
* Name of Object to bind (binddn): `cn=admin,ou=people,dc=example,dc=com`
* User DN: `ou=people,dc=example,dc=com`
* Bindpass: `ChangeMe!`
* User Search Filter: `(&(uid={{.Username}})(objectClass=person))`
* Customize Group Member Search
* Group Filter: `(&(member={{.UserDN}})(objectclass=groupOfUniqueNames))`
* Group Attribute: `cn`
* Group DN: `ou=groups,dc=example,dc=com`
4. Click `Save` at the bottom
5. Click into the auth menthod and then `Create group +` under the `Groups` tab
6. Set the name as the group you want users to have to authenticate to HashiCorp Vault
7. Set policy as `default` or whatever policy you want to tie to this group
8. Click `Save` at the bottom
As long as your user is in the group you specified, you should now be able to select `LDAP` from the dropdown on the login page and use your credentials.
## CLI
**This requires the vault CLI to be installed on your machine**
1. Set VAULT_ADDR environment variable
```bash
export VAULT_ADDR=https://vault.example.com
```
2. Login to vault and provide token when prompted
```bash
vault login
````
3. Enable the LDAP authentication method
```bash
vault auth enable ldap
```
4. Configure the LDAP authentication method
```bash
vault write auth/ldap/config \
url="ldaps://lldaps.example.com:6360" \
binddn="cn=admin,ou=people,dc=example,dc=com" \
bindpass="ChangeMe!" \
userdn="ou=people,dc=example,dc=com" \
userfilter="(&(uid={{.Username}})(objectClass=person))" \
groupdn="ou=groups,dc=example,dc=com" \
groupfilter="(&(member={{.UserDN}})(objectclass=groupOfUniqueNames))" \
userattr="uid" \
groupattr="cn" \
discoverdn=false
```
If you are using plain LDAP, change the URL accordingly. If you're using LDAPS and your server does not have your LDAPS certificate installed append `insecure_tls=true` to the bottom of the command.
5. Add your group to the LDAP configuration and set the policy
```bash
vault write auth/ldap/groups/vault_users policies=default
```
As long as your user is in the group you specified, you should now be able to select `LDAP` from the dropdown on the login page and use your credentials.
Reference in New Issue View Git Blame Copy Permalink