---
layout: docs
page_title: OpenLDAP - Secrets Engine
sidebar_title: OpenLDAP
description: >-
  The OpenLDAP secret engine manages OpenLDAP entry passwords.
---

# OpenLDAP Secrets Engine

The OpenLDAP secret engine allows management of LDAP entry passwords. At this time
only existing LDAP entries are supported by this plugin.

This plugin currently supports LDAP v3.

## Quick Setup

1. Enable the OpenLDAP secret engine:

    ```sh
    $ vault secrets enable openldap
    ```

    By default, the secrets engine will mount at the name of the engine. To
    enable the secrets engine at a different path, use the `-path` argument.

2. Configure the credentials that Vault uses to communicate with OpenLDAP
   to generate passwords:

    ```sh
    $ vault write openldap/config \
        binddn=$USERNAME \
        bindpass=$PASSWORD \
        url=ldaps://138.91.247.105
    ```

    Note: it's recommended a dedicated entry management account be created specifically for Vault.

3. Rotate the root password so only Vault knows the credentials:

    ```sh
    $ vault write -f openldap/rotate-root
    ```

    Note: it's not possible to retrieve the generated password once rotated by Vault.
    It's recommended a dedicated entry management account be created specifically for Vault.

4. Configure a static role that maps a name in Vault to an entry in OpenLDAP.
   Password rotation settings will be managed by this role.

    ```sh
    $ vault write openldap/static-role/hashicorp \
        dn='uid=hashicorp,ou=users,dc=hashicorp,dc=com' \
        username='hashicorp' \
        rotation_period="24h"
    ```

5. Request credentials for the "hashicorp" role:

    ```sh
    $ vault read openldap/static-role/hashicorp
    ```

## Schema

The OpenLDAP Secret Engine supports two different schemas: `openldap` (default) and
`racf`.

### OpenLDAP

By default the OpenLDAP Secret Engine assumes the entry password is stored in `userPassword`.
The following object classes provide `userPassword`:

* `organization`
* `organizationalUnit`
* `person`
* `posixAccount`

### Resource Access Control Facility (RACF)

For managing IBM's Resource Access Control Facility (RACF) security system, the secret
engine must be configured to use the schema `racf`.

Generated passwords must be 8 characters or less to support RACF. The length of the
password can be configured using a [password policy](/docs/concepts/password-policies):

```bash
vault write openldap/config \
    binddn=$USERNAME \
    bindpass=$PASSWORD \
    url=ldaps://138.91.247.105 \
    schema=racf \
    password_policy=racf_password_policy
```

## Password Generation

This engine previously allowed configuration of the length of the password that is generated
when rotating credentials. This mechanism has been deprecated in favor of
[password policies](/docs/concepts/password-policies). This means the `length` field should
no longer be used. The following password policy can be used to mirror the same behavior
that the `length` field provides:

```hcl
length=<length>

rule "charset" {
  charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
}
```

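The `length` plus `charset` policy above, and the 8-character limit the RACF schema section imposes, worked through as an added Python example (not Vault's code). It shows what a policy of this shape accepts and rejects, generates a password by drawing from the union of the rule charsets and rejecting candidates that miss a rule, and renders the policy back to HCL in the form shown above. `PasswordPolicy`, `CharsetRule`, `legacy_length_policy` and `RACF_POLICY` are this example's own names; `min_chars` stands in for the `min-chars` argument Vault's charset rule accepts, which this page does not show.

```python
import secrets
from dataclasses import dataclass, field

# Charset from the page's example policy (the one that mirrors the old `length` field).
ALNUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


@dataclass
class CharsetRule:
    """A `charset` rule: allowed characters and how many of the password must come
    from them. `min_chars` mirrors Vault's `min-chars` rule argument (not on this page)."""
    charset: str
    min_chars: int = 0


@dataclass
class PasswordPolicy:
    """Hypothetical model of a Vault password policy: a fixed length plus charset rules."""
    length: int
    rules: list = field(default_factory=list)

    def allowed(self):
        """Union of every rule's charset: the alphabet candidates are drawn from."""
        chars = set()
        for rule in self.rules:
            chars.update(rule.charset)
        return "".join(sorted(chars))

    def is_valid(self, password):
        """True when the length matches, every character is allowed, and each rule's
        minimum count is met."""
        if len(password) != self.length:
            return False
        allowed = set(self.allowed())
        if any(ch not in allowed for ch in password):
            return False
        return all(sum(ch in r.charset for ch in password) >= r.min_chars
                   for r in self.rules)

    def generate(self, attempts=1000):
        """Rejection sampling: draw from the allowed alphabet until every rule is met."""
        alphabet = self.allowed()
        if not alphabet:
            raise ValueError("policy has no charset rule to draw from")
        for _ in range(attempts):
            candidate = "".join(secrets.choice(alphabet) for _ in range(self.length))
            if self.is_valid(candidate):
                return candidate
        raise RuntimeError("could not satisfy policy in %d attempts" % attempts)

    def to_hcl(self):
        """Render the policy in the HCL shape the page shows."""
        lines = ["length = %d" % self.length]
        for r in self.rules:
            lines.append('rule "charset" {')
            lines.append('  charset = "%s"' % r.charset)
            if r.min_chars:
                lines.append("  min-chars = %d" % r.min_chars)
            lines.append("}")
        return "\n".join(lines)


def legacy_length_policy(length):
    """The page's replacement for the deprecated `length` field: alphanumeric, fixed length."""
    return PasswordPolicy(length=length, rules=[CharsetRule(ALNUM)])


# RACF accepts at most 8 characters; this policy fixes generated passwords at exactly 8.
RACF_POLICY = PasswordPolicy(length=8, rules=[CharsetRule(ALNUM)])


if __name__ == "__main__":
    print(RACF_POLICY.to_hcl())
    print("sample:", RACF_POLICY.generate())
```

The `to_hcl` output is what you would store under the policy name the RACF config references (`racf_password_policy`); the `is_valid` check is the same test a reviewer can apply to a password returned by Vault to confirm the engine is actually using the intended policy.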
## Password Rotation

Passwords can be managed in two ways:

* automatic time based rotation, and
* manual rotation.

### Auto Password Rotation

Passwords will automatically be rotated based on the `rotation_period` configured
in the static role (minimum of 5 seconds). When requesting credentials for a static
role, the response will include the time before the next rotation (`ttl`).

Auto-rotation is currently only supported for static roles. The `binddn` account used
by Vault should be rotated using the `rotate-root` endpoint to generate a password
only Vault will know.

### Manual Rotation

Static roles can be manually rotated using the `rotate-role` endpoint. When manually
rotated the rotation period will start over.

## Deleting Static Roles

Passwords are not rotated upon deletion of a static role. The password should be manually
rotated prior to deleting the role or revoking access to the static role.
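The rotation rules from the Auto Password Rotation, Manual Rotation and Deleting Static Roles sections, modelled as an added Python example (not Vault's code): the 5-second minimum `rotation_period`, the `ttl` a read reports as time until the next rotation, a manual `rotate-role` restarting the period, and deletion never rotating on its own. `StaticRole`, `RotationLedger`, `period` and the sample clock `T0` are this example's own names and constructed values; the generated password is a random token standing in for whatever the configured password policy would produce.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MIN_ROTATION_PERIOD = timedelta(seconds=5)  # the minimum rotation_period stated on the page

# Constructed sample clock start for the demo; not real rotation data.
T0 = datetime(2020, 6, 2, 17, 34, 1, tzinfo=timezone.utc)


def period(seconds=0, hours=0):
    """Build a rotation period or time offset, e.g. period(hours=24) for "24h"."""
    return timedelta(seconds=seconds, hours=hours)


@dataclass
class StaticRole:
    """A static role: a Vault name mapped to one LDAP entry (dn + username)."""
    name: str
    dn: str
    username: str
    rotation_period: timedelta
    last_rotation: datetime
    password: str = field(default_factory=lambda: secrets.token_urlsafe(12))

    def __post_init__(self):
        if self.rotation_period < MIN_ROTATION_PERIOD:
            raise ValueError("rotation_period must be at least %s" % MIN_ROTATION_PERIOD)

    def next_rotation(self):
        return self.last_rotation + self.rotation_period

    def ttl(self, now):
        """Whole seconds until the next automatic rotation: the `ttl` a read reports."""
        return max(int((self.next_rotation() - now).total_seconds()), 0)

    def is_due(self, now):
        return now >= self.next_rotation()


class RotationLedger:
    """Hypothetical in-memory stand-in for the engine's rotation bookkeeping."""

    def __init__(self):
        self.roles = {}
        self.log = []  # (kind, role name, time) for every rotation performed

    def add(self, role):
        self.roles[role.name] = role

    def _rotate(self, role, now, kind):
        role.password = secrets.token_urlsafe(12)  # stands in for a policy-generated password
        role.last_rotation = now                   # the rotation period starts over from here
        self.log.append((kind, role.name, now))

    def tick(self, now):
        """One auto-rotation pass: rotate every role whose period has elapsed."""
        rotated = []
        for role in self.roles.values():
            if role.is_due(now):
                self._rotate(role, now, "auto")
                rotated.append(role.name)
        return rotated

    def rotate_role(self, name, now):
        """Manual rotation (the rotate-role endpoint): new password, period restarts."""
        self._rotate(self.roles[name], now, "manual")

    def delete_role(self, name, now, rotate_first=True):
        """Remove a role. Deletion itself never rotates the password, so rotate first
        by default so that the last password handed out stops working."""
        if rotate_first:
            self.rotate_role(name, now)
        return self.roles.pop(name)


if __name__ == "__main__":
    ledger = RotationLedger()
    ledger.add(StaticRole("hashicorp", "uid=hashicorp,ou=users,dc=hashicorp,dc=com",
                          "hashicorp", period(hours=24), T0))
    print("ttl after 1h:", ledger.roles["hashicorp"].ttl(T0 + period(hours=1)))
    print("rotated at 24h:", ledger.tick(T0 + period(hours=24)))
```

The `delete_role` default is the operational takeaway of the last section: a role removed without a preceding rotation leaves a password that Vault no longer tracks but that the directory still accepts, so the safe order is rotate, then delete.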