AD authentication and metadata

nicolas.dutertre · March 7, 2022, 9:08am

Hi,

I’m a newby in vault, and i have a question with ssh client ca.

Wth AD authentication, is it possible to use specifics attributes to create metatda values for users profiles at the time of authentication in a role?

Example : to sign a public ssh key, i use this metadata value {{identity.entity.metadata.ssh_username}} in SSH role.

vault write ssh-client-signer/roles/ssh-user -<<“EOH”
{
“algorithm_signer”: “rsa-sha2-256”,
“allow_user_certificates”: true,
"allowed_users": “{{identity.entity.meta.username}}”,
“allowed_users_template”: true,
“allowed_extensions”: “permit-pty”,
“default_extensions”: [
{
“permit-pty”: “”
}
],
“key_type”: “ca”,
“max_ttl”: “12h”,
“ttl”: “12h”,
}
EOH

*userPrincipalName → {{identity.entity.metadata.ssh_username}} *
description → {{identity.entity.metadata.team}}

Regards,

Thanks

aram · March 8, 2022, 11:13am

Are you trying to setup some sort of pre-filled metadata? I have never tried it but I don’t believe the metadata part of that template is processed after authentication, it’s just during creation so it wouldn’t be tied to the AD auth but the user.
Even then how would that help?

nicolas.dutertre · March 9, 2022, 9:01am

Hi,

yes, at the first authentication, how to create identity.entity.metadata.ssh_username, for example, with userprincipalname ldap attribute, andother attributes as description…
After some research I don’t think it’s possible.

Perhaps, for an evolution, it’s a good idea.

Regards

Topic		Replies	Views
SSH secrets provider and identity templating Vault	2	966	August 20, 2021
Dynamic group membership based on entity metadata Vault	1	408	November 5, 2021
PKI templating using identity Vault	1	167	February 4, 2024
Ldap auth login Vault	2	298	September 10, 2020
Question about certificate entity templating in policies Vault	2	431	March 23, 2022

AD authentication and metadata

Related topics