luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/website/source/docs/auth/ldap.html.md
Jeff Escalante a3dfde5cec New Docs Website (#5535) 
* conversion stage 1

* correct image paths

* add sidebar title to frontmatter

* docs/concepts and docs/internals

* configuration docs and multi-level nav corrections

* commands docs, index file corrections, small item nav correction

* secrets converted

* auth

* add enterprise and agent docs

* add extra dividers

* secret section, wip

* correct sidebar nav title in front matter for apu section, start working on api items

* auth and backend, a couple directory structure fixes

* remove old docs

* intro side nav converted

* reset sidebar styles, add hashi-global-styles

* basic styling for nav sidebar

* folder collapse functionality

* patch up border length on last list item

* wip restructure for content component

* taking middleman hacking to the extreme, but its working

* small css fix

* add new mega nav

* fix a small mistake from the rebase

* fix a content resolution issue with middleman

* title a couple missing docs pages

* update deps, remove temporary markup

* community page

* footer to layout, community page css adjustments

* wip downloads page

* deps updated, downloads page ready

* fix community page

* homepage progress

* add components, adjust spacing

* docs and api landing pages

* a bunch of fixes, add docs and api landing pages

* update deps, add deploy scripts

* add readme note

* update deploy command

* overview page, index title

* Update doc fields

Note this still requires the link fields to be populated -- this is solely related to copy on the description fields

* Update api_basic_categories.yml

Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages.

* Add bottom hero, adjust CSS, responsive friendly

* Add mega nav title

* homepage adjustments, asset boosts

* small fixes

* docs page styling fixes

* meganav title

* some category link corrections

* Update API categories page

updated to reflect the second level headings for api categories

* Update docs_detailed_categories.yml

Updated to represent the existing docs structure

* Update docs_detailed_categories.yml

* docs page data fix, extra operator page remove

* api data fix

* fix makefile

* update deps, add product subnav to docs and api landing pages

* Rearrange non-hands-on guides to _docs_

Since there is no place for these on learn.hashicorp, we'll put them
under _docs_.

* WIP Redirects for guides to docs

* content and component updates

* font weight hotfix, redirects

* fix guides and intro sidenavs

* fix some redirects

* small style tweaks

* Redirects to learn and internally to docs

* Remove redirect to `/vault`

* Remove `.html` from destination on redirects

* fix incorrect index redirect

* final touchups

* address feedback from michell for makefile and product downloads
2018-10-19 08:40:11 -07:00

11 KiB
Raw Blame History

layout page_title sidebar_title sidebar_current description
docs LDAP - Auth Methods LDAP docs-auth-ldap The "ldap" auth method allows users to authenticate with Vault using LDAP credentials.

LDAP Auth Method

The ldap auth method allows authentication using an existing LDAP server and user/password credentials. This allows Vault to be integrated into environments using LDAP without duplicating the user/pass configuration in multiple places.

The mapping of groups and users in LDAP to Vault policies is managed by using the users/ and groups/ paths.

A Note on Escaping

It is up to the administrator to provide properly escaped DNs. This includes the user DN, bind DN for search, and so on.

The only DN escaping performed by this method is on usernames given at login time when they are inserted into the final bind DN, and uses escaping rules defined in RFC 4514.

Additionally, Active Directory has escaping rules that differ slightly from the RFC; in particular it requires escaping of '#' regardless of position in the DN (the RFC only requires it to be escaped when it is the first character), and '=', which the RFC indicates can be escaped with a backslash, but does not contain in its set of required escapes. If you are using Active Directory and these appear in your usernames, please ensure that they are escaped, in addition to being properly escaped in your configured DNs.

For reference, see RFC 4514 and this TechNet post on characters to escape in Active Directory.

Authentication

Via the CLI

$ vault login -method=ldap username=mitchellh
Password (will be hidden):
Successfully authenticated! The policies that are associated
with this token are listed below:

admins

Via the API

$ curl \
    --request POST \
    --data '{"password": "foo"}' \
    http://127.0.0.1:8200/v1/auth/ldap/login/mitchellh

The response will be in JSON. For example:

{
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "auth": {
    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
    "policies": [
      "admins"
    ],
    "metadata": {
      "username": "mitchellh"
    },
    "lease_duration": 0,
    "renewable": false
  }
}

Configuration

Auth methods must be configured in advance before users or machines can authenticate. These steps are usually completed by an operator or configuration management tool.

  1. Enable the ldap auth method:

    $ vault auth enable ldap

  2. Configure connection details for your LDAP server, information on how to authenticate users, and instructions on how to query for group membership. The configuration options are categorized and detailed below.

Connection parameters

  • url (string, required) - The LDAP server to connect to. Examples: ldap://ldap.myorg.com, ldaps://ldap.myorg.com:636. This can also be a comma-delineated list of URLs, e.g. ldap://ldap.myorg.com,ldaps://ldap.myorg.com:636, in which case the servers will be tried in-order if there are errors during the connection process.
  • starttls (bool, optional) - If true, issues a StartTLS command after establishing an unencrypted connection.
  • insecure_tls - (bool, optional) - If true, skips LDAP server SSL certificate verification - insecure, use with caution!
  • certificate - (string, optional) - CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.

Binding parameters

There are two alternate methods of resolving the user object used to authenticate the end user: Search or User Principal Name. When using Search, the bind can be either anonymous or authenticated. User Principal Name is a method of specifying users supported by Active Directory. More information on UPN can be found here.

Binding - Authenticated Search

  • binddn (string, optional) - Distinguished name of object to bind when performing user and group search. Example: cn=vault,ou=Users,dc=example,dc=com
  • bindpass (string, optional) - Password to use along with binddn when performing user search.
  • userdn (string, optional) - Base DN under which to perform user search. Example: ou=Users,dc=example,dc=com
  • userattr (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: sAMAccountName, cn, uid

Binding - Anonymous Search

  • discoverdn (bool, optional) - If true, use anonymous bind to discover the bind DN of a user
  • userdn (string, optional) - Base DN under which to perform user search. Example: ou=Users,dc=example,dc=com
  • userattr (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: sAMAccountName, cn, uid
  • deny_null_bind (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is true.

Binding - User Principal Name (AD)

  • upndomain (string, optional) - userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as [username]@UPNDomain. Example: example.com, which will cause vault to bind as username@example.com.

Group Membership Resolution

Once a user has been authenticated, the LDAP auth method must know how to resolve which groups the user is a member of. The configuration for this can vary depending on your LDAP server and your directory schema. There are two main strategies when resolving group membership - the first is searching for the authenticated user object and following an attribute to groups it is a member of. The second is to search for group objects of which the authenticated user is a member of. Both methods are supported.

  • groupfilter (string, optional) - Go template used when constructing the group membership query. The template can access the following context variables: [UserDN, Username]. The default is (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})), which is compatible with several common directory schemas. To support nested group resolution for Active Directory, instead use the following query: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})).
  • groupdn (string, required) - LDAP search base to use for group membership search. This can be the root containing either groups or users. Example: ou=Groups,dc=example,dc=com
  • groupattr (string, optional) - LDAP attribute to follow on objects returned by groupfilter in order to enumerate user group membership. Examples: for groupfilter queries returning group objects, use: cn. For queries returning user objects, use: memberOf. The default is cn.

Note: When using Authenticated Search for binding parameters (see above) the distinguished name defined for binddn is used for the group search. Otherwise, the authenticating user is used to perform the group search.

Use vault path-help for more details.

Examples:

Scenario 1

  • LDAP server running on ldap.example.com, port 389.
  • Server supports STARTTLS command to initiate encryption on the standard port.
  • CA Certificate stored in file named ldap_ca_cert.pem
  • Server is Active Directory supporting the userPrincipalName attribute. Users are identified as username@example.com.
  • Groups are nested, we will use LDAP_MATCHING_RULE_IN_CHAIN to walk the ancestry graph.
  • Group search will start under ou=Groups,dc=example,dc=com. For all group objects under that path, the member attribute will be checked for a match against the authenticated user.
  • Group names are identified using their cn attribute.
$ vault write auth/ldap/config \
    url="ldap://ldap.example.com" \
    userdn="ou=Users,dc=example,dc=com" \
    groupdn="ou=Groups,dc=example,dc=com" \
    groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
    groupattr="cn" \
    upndomain="example.com" \
    certificate=@ldap_ca_cert.pem \
    insecure_tls=false \
    starttls=true
...

Scenario 2

  • LDAP server running on ldap.example.com, port 389.
  • Server supports STARTTLS command to initiate encryption on the standard port.
  • CA Certificate stored in file named ldap_ca_cert.pem
  • Server does not allow anonymous binds for performing user search.
  • Bind account used for searching is cn=vault,ou=users,dc=example,dc=com with password My$ecrt3tP4ss.
  • User objects are under the ou=Users,dc-example,dc=com organizational unit.
  • Username passed to vault when authenticating maps to the sAMAccountName attribute.
  • Group membership will be resolved via the memberOf attribute of user objects. That search will begin under ou=Users,dc=example,dc=com.
$ vault write auth/ldap/config \
    url="ldap://ldap.example.com" \
    userattr=sAMAccountName \
    userdn="ou=Users,dc=example,dc=com" \
    groupdn="ou=Users,dc=example,dc=com" \
    groupfilter="(&(objectClass=person)(uid={{.Username}}))" \
    groupattr="memberOf" \
    binddn="cn=vault,ou=users,dc=example,dc=com" \
    bindpass='My$ecrt3tP4ss' \
    certificate=@ldap_ca_cert.pem \
    insecure_tls=false \
    starttls=true
...

Scenario 3

  • LDAP server running on ldap.example.com, port 636 (LDAPS)
  • CA Certificate stored in file named ldap_ca_cert.pem
  • User objects are under the ou=Users,dc=example,dc=com organizational unit.
  • Username passed to vault when authenticating maps to the uid attribute.
  • User bind DN will be auto-discovered using anonymous binding.
  • Group membership will be resolved via any one of memberUid, member, or uniqueMember attributes. That search will begin under ou=Groups,dc=example,dc=com.
  • Group names are identified using the cn attribute.
$ vault write auth/ldap/config \
    url="ldaps://ldap.example.com" \
    userattr="uid" \
    userdn="ou=Users,dc=example,dc=com" \
    discoverdn=true \
    groupdn="ou=Groups,dc=example,dc=com" \
    certificate=@ldap_ca_cert.pem \
    insecure_tls=false \
    starttls=true
...

LDAP Group -> Policy Mapping

Next we want to create a mapping from an LDAP group to a Vault policy:

$ vault write auth/ldap/groups/scientists policies=foo,bar

This maps the LDAP group "scientists" to the "foo" and "bar" Vault policies. We can also add specific LDAP users to additional (potentially non-LDAP) groups. Note that policies can also be specified on LDAP users as well.

$ vault write auth/ldap/groups/engineers policies=foobar
$ vault write auth/ldap/users/tesla groups=engineers policies=zoobar

This adds the LDAP user "tesla" to the "engineers" group, which maps to the "foobar" Vault policy. User "tesla" itself is associated with "zoobar" policy.

Finally, we can test this by authenticating:

$ vault login -method=ldap username=tesla
Password (will be hidden):
Successfully authenticated! The policies that are associated
with this token are listed below:

default, foobar, zoobar

Note on policy mapping

It should be noted that user -> policy mapping happens at token creation time. And changes in group membership on the LDAP server will not affect tokens that have already been provisioned. To see these changes, old tokens should be revoked and the user should be asked to reauthenticate.

API

The LDAP auth method has a full HTTP API. Please see the LDAP auth method API for more details.