Dynamic LDAP Group Access

How can I configure vault to dynamically enable LDAP (Active Directory specifically) users to log in, and then have access to read/write secrets to a unique path for each group they are in without creating thousands of group definitions?

I have Vault setup with LDAP. This works as expected, and I can log in with an AD user without problems, and can create a group in Vault and have a user login with AD and get access to the appropriate secrets.

User1 - Groups (accounting, finance, all_employees)
User2 - Groups (IT, Engineering_North, all_employees)

I’d like for user1 to be able to log in and then be able to write to
kv/secrets/group/accounting*
kv/secrets/group/finance*
kv/secrets/group/all_employees*

For individual users, I can do this dynamically, without having to specify thousands of users or policies.

I just create a policy with:

path “kv/secrets/user/{{identity.entity.aliases.auth_ldap_xxxxxx.name}}/*” {
capabilities = [“create”, “update”, “read”, “delete”, “list”]
}

Then if user1 logs in he can write to kv/secrets/user/user1, but not kv/secrets/user/user2 as expected. I’d like to do the same for groups.

Goal:
create something similar to the policy I mention above, but instead of giving users the ability to write to a path with their username, enable them to write to a path with a group name that they are a member of. We have thousands of users, most who are in a couple dozen groups, and thousands of groups, so I’m really looking to do this without creating 10000 policies/groups.

Thanks!!

1 Like

I guess you will need to work with ‘identities’ in vault

Hello,

Here are all available templates to be used in policies. I think identity.groups.ids.<group id>.name is what you are looking for, although the path might need some adjusting as well.

Martin

Thanks all for the responses. @martinhristov90 - unfortunately identity.groups.ids..name requires the group id be specified. In our case, we’re trying to avoid needing to specify a policy for each of the thousands of groups.
I’ve had tried all of the relevant looking identity entries (which is what I use for users in the example), but for groups that does not work.
For others looking to do the same, it seems the policy template to dynamically allow users access to a path based on their group membership is not possible with the open source version of vault. Users with an enterprise license could do this with Sentinel, but unfortunately, I don’t have access to that.

I beleive you already have a thousand groups in your LDAP that you can identify, because if you didn’t then there would be no mapping to speak of. Might not be a thousand, but too many to edit and track manually.

This is really a use case for Vault Enterprise with Sentinel. You can parse the values in the token at runtime and make a policiy descision as code.

But on Vault opensource I’m afraid you must script your way through this: read the groups, create a policy, map the policy. Using the Identity backend for the mapping will allow you to reuse the mapping with another authentication method one day, but it is a little more code for you to write in that script.