Authorization through OIDC and LDAP

Hi all,

In our infrastructure, we have both OIDC and LDAP services. We rely on thousands of LDAP groups for most of our authentication/authorization processes.

I enabled LDAP authorization with LDAP and mapped the groups with the different policies. This is something that works perfectly and I can manage to make it work. Now, our OIDC service doesn’t return a list of roles (mapped to groups) by default, so even if I map the roles with the policies, nothing works.

This is done by design, as given users could be in more than 300 groups (some even thousands), making the OIDC token too big for some services. To overcome this issue, the service allows a second call to its API to fetch the list of groups.

My questions here are:

  • How could I use OIDC if I’m forced to perform that second query to fetch the groups?
  • Is there a way to perform an authentication with OIDC (user with valid credentials) and then an authorization through LDAP (using the LDAP group policy mapping)?

Feel free to ask any questions as this is slightly complex to explain in a short post.

Thanks in advance for any help.

You may try to achieve this by adding a templated policy to every entity logged into Vault with OIDC by default; most probably an additional tweak to the internal Entity Identity backend will be required to have shared identity groups between OIDC and LDAP. IIRC, in general authentication backends in Vault (including LDAP) do not require any token; an exception may be Kubernetes.
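As an added illustration of the reply's suggestion (not code from the thread or from HashiCorp), here is Terraform for the Vault provider that wires one identity entity to both auth mounts, attaches a templated policy, and maps an LDAP group to an external identity group. All names, paths and group names are placeholders; the mapping assumes the user logs in through LDAP at least once, since membership of an external group is populated by a login through the aliased mount and its policies then apply to every token of that entity, OIDC logins included.

```hcl
# Added example: assumes an existing Vault with the Terraform provider configured.
resource "vault_auth_backend" "oidc" {
  type = "oidc"
  path = "oidc"
}

resource "vault_auth_backend" "ldap" {
  type = "ldap"
  path = "ldap"
}

# Templated policy: each entity can only read its own KV prefix,
# whichever auth method it logged in with.
resource "vault_policy" "per_entity" {
  name   = "per-entity"
  policy = <<-EOT
    path "secret/data/users/{{identity.entity.name}}/*" {
      capabilities = ["read", "list"]
    }
  EOT
}

# One entity with two aliases so both logins resolve to the same identity.
resource "vault_identity_entity" "jdoe" {
  name     = "jdoe"                         # placeholder user
  policies = [vault_policy.per_entity.name]
}

resource "vault_identity_entity_alias" "jdoe_oidc" {
  name           = "jdoe@example.com"       # must equal the OIDC role's user_claim value
  canonical_id   = vault_identity_entity.jdoe.id
  mount_accessor = vault_auth_backend.oidc.accessor
}

resource "vault_identity_entity_alias" "jdoe_ldap" {
  name           = "jdoe"                   # the LDAP username
  canonical_id   = vault_identity_entity.jdoe.id
  mount_accessor = vault_auth_backend.ldap.accessor
}

# External group: membership is set by an LDAP login; its policies then
# apply to the entity's tokens regardless of the method used to log in.
resource "vault_identity_group" "db_admins" {
  name     = "db-admins"
  type     = "external"
  policies = ["db-admin"]                   # placeholder for an existing policy
}

resource "vault_identity_group_alias" "db_admins_ldap" {
  name           = "db-admins"              # group name as returned by the LDAP mount (groupattr)
  mount_accessor = vault_auth_backend.ldap.accessor
  canonical_id   = vault_identity_group.db_admins.id
}
```

Pre-creating the OIDC alias avoids Vault creating a second, separate entity on the first OIDC login, which would otherwise hold none of the LDAP-derived group policies.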