Apply policy to all users who authenticate through LDAP

Is it possible to apply a policy to all users who authenticate through LDAP?
I’ve looked through the available template policy parameters and none of them seem to mention authentication.

Maybe my experience can help.
We have Vault users authenticated through LDAP (to AD). Here is my definition in Terraform for that ability:

    resource "vault_ldap_auth_backend_group" "ldap_group" {
      groupname = "your group name"
      policies  = ["your policy"]
      backend   = vault_ldap_auth_backend.ldap.path
    }

Also, in the UI go to Auth Methods, choose your LDAP, and then create a group. You just type the name of the group. Make sure the group is in the group DN in the LDAP setup.

Thanks for that information! I’m guessing that your answer implies there is not a way to apply a policy to all LDAP users, but rather you have to find a group that encompasses the users you want to apply the policy to.

That’s what we have done. AD is also a mess generally to me.
No I haven’t tried to get all users before.

You may find what you are looking for here:

The policies that are defined here will be the base policies that get assigned to all authenticated LDAP users irrespective of whether the user is part of 0 or 100 groups.

You can always supplement additional policies to users at group level or even at the user level to further extend additional policies.

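The base-policy approach described in the reply above, written out in Terraform as an added example (not code from any post in this thread). It assumes the Vault provider's `vault_ldap_auth_backend` resource accepts a `token_policies` argument for the policies attached to every login through that auth method; the AD DNs, URL and group name are constructed placeholders.

```hcl
variable "ldap_bind_dn" {
  type = string
}

variable "ldap_bind_password" {
  type      = string
  sensitive = true
}

# Policy granted to every LDAP-authenticated user, regardless of group membership.
resource "vault_policy" "ldap_base" {
  name   = "ldap-base"
  policy = <<EOT
# Let every LDAP user inspect and renew its own token, nothing more.
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
path "auth/token/renew-self" {
  capabilities = ["update"]
}
EOT
}

resource "vault_ldap_auth_backend" "ldap" {
  path     = "ldap"
  url      = "ldaps://ad.example.internal"            # constructed placeholder
  userdn   = "OU=Users,DC=example,DC=internal"        # constructed placeholder
  groupdn  = "OU=Groups,DC=example,DC=internal"       # constructed placeholder
  binddn   = var.ldap_bind_dn
  bindpass = var.ldap_bind_password

  # Base policies attached to the token of EVERY user who logs in through this
  # auth method, whether they belong to 0 or 100 groups (assumed argument name).
  token_policies = [vault_policy.ldap_base.name]
}

# Additional policies layered on top per group, as in the earlier reply.
resource "vault_ldap_auth_backend_group" "admins" {
  groupname = "vault-admins"                          # constructed placeholder
  policies  = ["vault-admins"]
  backend   = vault_ldap_auth_backend.ldap.path
}
```

Vault also attaches its built-in `default` policy to every token unless the auth method is configured not to, so the base policy above is additive to that.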

That error looks like it is having trouble authenticating to the Vault itself. You can share without the token if you want for the provider "vault" {} block, but that error generally comes from an authentication error.

I thought you were still working on setting up LDAP authorization for Vault. Can you log in to Vault via LDAP on the CLI/UI? That does need to be set up first before you can authenticate via LDAP. So you might need to use a token, set up the LDAP auth with Terraform, then switch your Terraform provider to use LDAP authentication.
I have not used that way to authenticate before, but it is appealing for future projects.

I don’t see anything missing from your provider. You could set address under provider (outside auth_login) to make sure it is connecting. Basically, hardcode it all, then step out piece by piece to environment variables and Terraform variables. Finally, do you have TLS turned on on the Vault server? Are you authenticating via http instead of https?
Unfortunately I don’t have a Vault server set up at the moment with LDAP configured, so I can’t test it.

That could be it. There is a part of the provider for ca_cert_file/ca_cert_dir
Docs overview | hashicorp/vault | Terraform Registry

I’m not sure. Like I said I haven’t used this type of login. Just throwing out ideas.