Hi
Hope someone can help me.
I have reviewed lots of posts trying to fix the issue I have, but nothing I tried has solved it.
Authentication has been enabled and configured for AD users. Despite having tried several ways to configure the following fields:
it seems HashiCorp Vault is not able to find groups when an AD user accesses.
Thanks in advance,
regards
NOTE: Open Source version.
Vault Version: 1.7.1
Operating System/Architecture: CentOS x64
Just for reference here are the defaults:
Group Filter: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
Group Attribute: cn
Group DN: (empty)
A note in regard to Group Filter: per the API documentation, this should be (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) to support nested group resolution for Active Directory.
The Group DN should contain the DN of the OU/Container in which all of your access groups that are tied to Vault authentication are located. Users do not need to be in this OU/Container. If you have a fairly deep OU/Container structure, this should be as close as possible to the groups used for Vault auth to reduce search scope.
Under the “Customize User Search” setting, there are three attributes:
binddn - this is the DN of the Service Account Vault uses to look up accounts and membership info
User DN - this should contain the DN of the OU/Container that your user accounts reside in (again, this should be as close as possible to your user accounts to narrow search scope)
bindpass - the password for the binddn account
The API documentation has a lot more details on these and additional parameters that may be useful: LDAP - Auth Methods - HTTP API | Vault by HashiCorp
Hopefully this helps a little bit. Additional details about your setup may be required to further troubleshoot.
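To see what Vault's group search actually asks the directory for, the helper below (an added example, not code from the thread or from Vault) renders the default and the AD nested-group filter templates for a given user, checks the filter's parentheses are balanced, and builds the equivalent ldapsearch command so the search can be tested outside Vault. The RFC 4515 escaping mirrors how Vault substitutes the template values; the user DN, group DN and service-account names are constructed placeholders.

```python
"""Render Vault LDAP auth group_filter templates for a user and produce an
ldapsearch command that reproduces the group lookup (constructed example)."""

# Templates quoted in the thread: the Vault default and the AD nested-group form.
DEFAULT_GROUP_FILTER = (
    "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"
)
AD_NESTED_GROUP_FILTER = (
    "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))"
)


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value substituted into an LDAP search filter
    (assumed to match Vault's escaping of {{.Username}} and {{.UserDN}})."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value
    )


def render_group_filter(template: str, username: str, user_dn: str) -> str:
    """Substitute the two variables Vault exposes to group_filter."""
    return (
        template.replace("{{.Username}}", ldap_filter_escape(username))
        .replace("{{.UserDN}}", ldap_filter_escape(user_dn))
    )


def parens_balanced(filt: str) -> bool:
    """A typo in groupfilter is a common cause of 'no groups found'."""
    depth = 0
    for ch in filt:
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth < 0:
            return False
    return depth == 0


def ldapsearch_command(groupdn: str, filt: str, groupattr: str = "cn") -> list:
    """argv for an ldapsearch that mirrors Vault's subtree group search.
    Bind options (-D binddn -W) are left to the caller."""
    return ["ldapsearch", "-LLL", "-b", groupdn, "-s", "sub", filt, groupattr]


if __name__ == "__main__":
    user_dn = "CN=Jane Doe (Ops),OU=Users,DC=example,DC=com"  # constructed
    filt = render_group_filter(AD_NESTED_GROUP_FILTER, "jdoe", user_dn)
    print(filt, parens_balanced(filt))
    print(" ".join(ldapsearch_command("OU=VaultGroups,DC=example,DC=com", filt)))
```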