Dynamic LDAP Group Access

How can I configure Vault to dynamically enable LDAP (Active Directory specifically) users to log in, and then have access to read/write secrets to a unique path for each group they are in, without creating thousands of group definitions?

I have Vault set up with LDAP. This works as expected: I can log in with an AD user without problems, and I can create a group in Vault, have a user log in with AD, and get access to the appropriate secrets.

User1 - Groups (accounting, finance, all_employees)
User2 - Groups (IT, Engineering_North, all_employees)

I’d like for user1 to be able to log in and then be able to write to
kv/secrets/group/accounting*
kv/secrets/group/finance*
kv/secrets/group/all_employees*

For individual users, I can do this dynamically, without having to specify thousands of users or policies.

I just create a policy with:

path "kv/secrets/user/{{identity.entity.aliases.auth_ldap_xxxxxx.name}}/*" {
  capabilities = ["create", "update", "read", "delete", "list"]
}

Then if user1 logs in, he can write to kv/secrets/user/user1 but not to kv/secrets/user/user2, as expected. I’d like to do the same for groups.

Goal:
Create something similar to the policy I mention above, but instead of giving users the ability to write to a path with their username, enable them to write to a path with the name of a group they are a member of. We have thousands of users, most of whom are in a couple dozen groups, and thousands of groups, so I’m really looking to do this without creating 10,000 policies/groups.

Thanks!!

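The per-user templated policy from the post, put into practice with the Vault CLI. This is an added example, not code from the original post, and it covers only the per-user half of the question (the group half is what the post is asking about). It looks up the accessor of the LDAP mount (the auth_ldap_xxxxxx part of the template parameter) instead of hard-coding it, renders the policy, attaches it to every LDAP login through the auth method's token_policies, and then checks that a logged-in user can write under their own path but not under another user's. Assumptions: the LDAP auth method is mounted at ldap/, the secrets engine at kv/ is KV version 1 (with KV v2 the ACL path would have to be kv/data/secrets/user/... instead), VAULT_ADDR and VAULT_TOKEN are set, jq is installed, the LDAP config write keeps the existing url/binddn settings when only token_policies is supplied (current Vault 1.x behaviour; otherwise resupply them), and the policy name ldap-user-self is made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): install and check the per-user
# templated policy with the Vault CLI.
# Assumptions: LDAP auth mounted at "ldap/", a KV v1 engine at "kv/",
# VAULT_ADDR/VAULT_TOKEN set, jq installed. "ldap-user-self" is a made-up
# policy name.
set -eu

# Find the accessor of the LDAP mount. This is the "auth_ldap_xxxxxx" piece of
# the template parameter; it differs per cluster, so look it up rather than
# hard-coding it.
ldap_accessor() {
  vault auth list -format=json | jq -r '.["ldap/"].accessor'
}

# Render the policy HCL for a given accessor. Pure function: it needs no Vault
# server, so it can be reviewed or tested offline.
render_user_policy() {
  accessor="$1"
  cat <<EOF
# Each LDAP user may manage secrets only under kv/secrets/user/<own alias name>/
# (KV v1 paths; a KV v2 mount would need kv/data/secrets/user/... instead)
path "kv/secrets/user/{{identity.entity.aliases.${accessor}.name}}/*" {
  capabilities = ["create", "update", "read", "delete", "list"]
}
EOF
}

# Install the policy and hand it to every LDAP login via the auth method's
# token_policies, so no per-user mapping is required.
apply_user_policy() {
  accessor="$(ldap_accessor)"
  render_user_policy "$accessor" | vault policy write ldap-user-self -
  vault write auth/ldap/config token_policies="ldap-user-self"
}

# Positive/negative check. Run with the token of a logged-in LDAP user:
#   check_user_paths user1 user2
check_user_paths() {
  me="$1"; other="$2"
  # Own path: must succeed.
  vault kv put "kv/secrets/user/${me}/probe" ok=1 >/dev/null
  # Someone else's path: must be refused (permission denied).
  if vault kv put "kv/secrets/user/${other}/probe" ok=1 >/dev/null 2>&1; then
    echo "FAIL: ${me} could write under kv/secrets/user/${other}/" >&2
    return 1
  fi
  echo "OK: ${me} is confined to kv/secrets/user/${me}/"
}

case "${1:-}" in
  apply) apply_user_policy ;;
  check) check_user_paths "$2" "$3" ;;
esac
```

Run `sh vault-user-policy.sh apply` once with an admin token, then log in as user1 (`vault login -method=ldap username=user1`) and run `sh vault-user-policy.sh check user1 user2` with that user's token; the second `kv put` must fail for the policy to be doing its job. The policy is rendered by a pure function so the exact template string can be reviewed before anything touches the cluster.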