AD authentication and metadata

nicolas.dutertre · March 7, 2022, 9:08am

Hi,

I’m a newby in vault, and i have a question with ssh client ca.

Wth AD authentication, is it possible to use specifics attributes to create metatda values for users profiles at the time of authentication in a role?

Example : to sign a public ssh key, i use this metadata value {{identity.entity.metadata.ssh_username}} in SSH role.

vault write ssh-client-signer/roles/ssh-user -<<“EOH”
{
“algorithm_signer”: “rsa-sha2-256”,
“allow_user_certificates”: true,
"allowed_users": “{{identity.entity.meta.username}}”,
“allowed_users_template”: true,
“allowed_extensions”: “permit-pty”,
“default_extensions”: [
{
“permit-pty”: “”
}
],
“key_type”: “ca”,
“max_ttl”: “12h”,
“ttl”: “12h”,
}
EOH

*userPrincipalName → {{identity.entity.metadata.ssh_username}} *
description → {{identity.entity.metadata.team}}

Regards,

Thanks

aram · March 8, 2022, 11:13am

Are you trying to setup some sort of pre-filled metadata? I have never tried it but I don’t believe the metadata part of that template is processed after authentication, it’s just during creation so it wouldn’t be tied to the AD auth but the user.
Even then how would that help?

nicolas.dutertre · March 9, 2022, 9:01am

Hi,

yes, at the first authentication, how to create identity.entity.metadata.ssh_username, for example, with userprincipalname ldap attribute, andother attributes as description…
After some research I don’t think it’s possible.

Perhaps, for an evolution, it’s a good idea.

Regards