Active Directory Dynamic credentials

I’m trying to configure the dynamic role of LDAP with an Active Directory. I always get stuck at the exact same step. I created 3 files, creation.ldif, delete.ldif and rollback.ldif. When I try to do this in the CLI:

vault write ldap/role/dynamic-role creation_ldif=creation.ldif default_ttl=1h max_ttl=24h deletion_ldif=deletion.ldif rollback_ldif=rollback.ldif username_template="v_{{unix_time}}"

I always get the same error:

  • 1 error occurred:
    * invalid creation_ldif: LDIF is invalid: Error in line 2: missing ‘dn:’

I even tried copying the example from the documentation: LDAP - Secrets Engine | Vault | HashiCorp Developer without making any change (knowing it doesn’t match my AD), but even with that creation.ldif sample I get the same error.

dn: CN={{.Username}},OU=HashiVault,DC=adtesting,DC=lab
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
userPrincipalName: {{.Username}}@adtesting.lab
sAMAccountName: {{.Username}}

dn: CN={{.Username}},OU=HashiVault,DC=adtesting,DC=lab
changetype: modify
replace: unicodePwd
unicodePwd::{{ printf "%q" .Password | utf16le | base64 }}
-
replace: userAccountControl
userAccountControl: 66048
-

dn: CN=test-group,OU=HashiVault,DC=adtesting,DC=lab
changetype: modify
add: member
member: CN={{.Username}},OU=HashiVault,DC=adtesting,DC=lab
-

Anyone having an idea what I’m missing?

You are passing the literal string creation.ldif not the contents of the file.

You need to add an @ sign before the file name.
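As an added illustration of why the command in the question fails (this is example code written for this thread, not Vault's own implementation): the Vault CLI treats a value that starts with `@` as "read the contents of this file", and anything else as a literal string. So `creation_ldif=creation.ldif` hands the LDIF parser the thirteen-character string `creation.ldif`, whose first record does not begin with `dn:`. The snippet below models both behaviours with a tiny `dn:`-per-record check (it reports line numbers, not Vault's exact message), a `@file` resolver with an injectable file reader, and the `unicodePwd` encoding the template line performs (quoted password, UTF-16LE, base64; `printf "%q"` in Go adds the surrounding double quotes, plus escaping for unusual characters). The LDIF text is constructed for the example.

```python
"""Added example, not from the original thread or from HashiCorp Vault's source code.

Models three things seen in the thread:
  * an LDIF record check that fails when a record does not start with 'dn:'
  * the Vault CLI convention that 'key=@path' reads the value from a file
  * the unicodePwd encoding used in the creation template
"""
import base64
from pathlib import Path

# Constructed LDIF in the same shape as the docs sample quoted in the question.
CREATION_LDIF = """dn: CN={{.Username}},OU=HashiVault,DC=adtesting,DC=lab
changetype: add
objectClass: top
objectClass: user
sAMAccountName: {{.Username}}

dn: CN={{.Username}},OU=HashiVault,DC=adtesting,DC=lab
changetype: modify
replace: unicodePwd
unicodePwd::{{ printf "%q" .Password | utf16le | base64 }}
-
"""


def validate_ldif(text):
    """Return a list of problems found in an LDIF document.

    Records are separated by blank lines, and every record must begin with a
    'dn:' line. Comments ('#') and a leading 'version:' line are skipped.
    """
    problems = []
    expecting_dn = True  # True at the start of each record
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            expecting_dn = True  # blank line closes the current record
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        if expecting_dn:
            if not line.startswith("dn:"):
                problems.append(f"Error in line {lineno}: missing 'dn:'")
            expecting_dn = False
    return problems


def resolve_vault_arg(value, read_file=lambda p: Path(p).read_text()):
    """Apply the Vault CLI rule for key=value arguments.

    A leading '@' means 'use the contents of this file'; otherwise the value
    is used literally. 'read_file' is injectable so this runs offline.
    """
    if value.startswith("@"):
        return read_file(value[1:])
    return value


def encode_unicode_pwd(password):
    """Encode a password the way AD expects for the unicodePwd attribute:
    wrap it in double quotes, encode as UTF-16LE, then base64 (the '::'
    in the LDIF line marks a base64 value)."""
    quoted = '"' + password + '"'
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")


if __name__ == "__main__":
    # What the question's command actually sent: the literal file name.
    literal = resolve_vault_arg("creation.ldif")
    print("literal argument ->", validate_ldif(literal))
    # What the answer suggests: '@' makes the CLI read the file.
    contents = resolve_vault_arg("@creation.ldif", read_file=lambda p: CREATION_LDIF)
    print("@file argument   ->", validate_ldif(contents) or "OK")
    print("unicodePwd value ->", encode_unicode_pwd("Passw0rd"))
```

The fixed command from the thread therefore reads `creation_ldif=@creation.ldif deletion_ldif=@deletion.ldif rollback_ldif=@rollback.ldif`; a value that must start with a literal `@` can be escaped as `\@` in the Vault CLI.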

Thanks, that did it. Now I just need to assign proper permissions to the Vault account I used to connect to the Active Directory, but that should be easy to fix

	* failed to create user: failed to execute statements: failed to run AddRequest: LDAP Result Code 50 "Insufficient Access Rights": 00000005: SecErr: DSID-03152E29, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Working fine after fixing the delegation permissions on the OU.
It does exactly what I need.

When I connect it to a target in Boundary, an Active Directory account is created when someone requests RDP access to a server; that account is assigned to a group I chose and it’s valid for a limited time.