Help with LDAP Policy mapping

Hello,

I am completely new to vault so please be gentle.

I’ve followed the tutorials and guide and have an issue.
I’ve set up LDAP auth; it works, as AD users are able to authenticate without issue via CLI and UI.
I’ve set up a KV v2 store at /security.
I’ve set up a policy called ‘vault_security’ that should give full access to /security.
I’ve set up an AD group called “Vault_Security”.
I ran the following command to map that group to the above policy: ‘vault write auth/ldap/groups/Vault_Security policies=vault_security’

What I am experiencing is that no matter who logs into vault they get EVERY policy assigned to them: Admin, Default, vault_security, etc. It’s not mapping properly based on the AD groups I have established and mapped to. I have no idea why this is happening.

Can someone help point out my flaw?

Check your groupfilter and groupcn variables when you defined your LDAP auth method. That’s what determines the top level DN and what CN is compared. The name of the group must match (case sensitive I believe).

Paste the output of vault read auth/config/ldap, we will see the group mappings. It will help us help you.

@ixe013 I tried several times to get the output and i get this:
➜ ~ vault read auth/config/ldap
No value found at auth/config/ldap

Sorry, typo. That’s vault read auth/ldap/config

Make sure your group DN is set. The LDAP search is indexed, so there is no real harm starting the search at the root of the directory. You can fix it later.

In your Vault configuration, make groupdn the shortest possible. Rule of thumb, remove everything but the DC=, to end up with something like DC=my-company,DC=com. YMMV.

The group filter is also important, and varies depending on your LDAP provider. For Active Directory you will have this:

(&(objectClass=group)(member={{.UserDN}}))

But for OpenLDAP and friends, with some group membership quirks might look more like

(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))

You can practice different search filters using an LDAP browser. I use Apache Directory Studio.

Once you got your group search sorted out, find the cn attribute of your LDAP group. If the cn attribute is my-vault-group, or maybe Vault_Security, then the command to configure policies to it is this:

vault write auth/users/groups/Vault_Security policies=my-policy1,my-policy2

So that’s an Active Directory. I see two problems.

1. Group filter is wrong
Vault’s groupfilter configuration parameter should include the distinguished name of the user, available with the UserDN placeholder.

Change your filter to :

(&(objectClass=group)(member={{.UserDN}}))

That Active Directory group filter is mentioned here, but with the recursive search attribute. I’ve run into infinite recursion in the past; it might be fixed by now, but I’d rather stay away from it.

2. Vault does not know how to match the group name
With the right filter, Vault will find your group. But you must tell it what attribute to use when looking up the name to match a policy.

Usually, groupattr is cn. That’s the short name you see in Microsoft Tools. For example, if you see this in Apache Directory Studio:

Then you will map an LDAP group to a Vault policy with:

vault write auth/users/groups/RS-LD_5780_VAULT_SUPPORTL2_STG policies=my-policy1,my-policy2
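To see why a group filter without the user clause hands every policy to every user, and what groupdn and groupattr each change, here is an added example (not Vault's code, and not part of this thread) that models the group-search step of Vault's LDAP auth method against a small constructed directory. The parameter names groupdn, groupfilter and groupattr mirror Vault's LDAP config; the entries, users, group names and policy names are all made up for the example, and the filter evaluator only understands the `&`, `|` and equality forms used in the filters above. It assumes the LDAP method is mounted at auth/ldap, as in the original question, and that group names are compared case-insensitively (Vault's default unless case_sensitive_names is set).

```python
"""Model of how Vault's LDAP auth turns a login into a policy list.

Added example, not Vault's own code. It emulates the group search so the
effect of groupdn / groupfilter / groupattr can be observed offline.
"""

# Constructed sample directory: DN -> attributes (every attribute multi-valued).
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["alice"]},
    "CN=bob,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["bob"]},
    "CN=Vault_Security,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"], "cn": ["Vault_Security"],
        "member": ["CN=alice,OU=Users,DC=example,DC=com"]},
    "CN=Vault_Admin,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"], "cn": ["Vault_Admin"],
        "member": ["CN=bob,OU=Users,DC=example,DC=com"]},
    "CN=Devs,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"], "cn": ["Devs"],
        "memberUid": ["alice", "bob"]},  # posixGroup-style membership (OpenLDAP)
}
ALICE_DN = "CN=alice,OU=Users,DC=example,DC=com"
BOB_DN = "CN=bob,OU=Users,DC=example,DC=com"

# What `vault write auth/ldap/groups/<cn> policies=...` stores (constructed).
# Keys are lowercase because Vault normalises group names unless
# case_sensitive_names is enabled.
GROUP_POLICIES = {"vault_security": ["vault_security"], "vault_admin": ["admin"]}

AD_FILTER = "(&(objectClass=group)(member={{.UserDN}}))"
OPENLDAP_FILTER = "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"
BROKEN_FILTER = "(objectClass=group)"  # no user clause: matches every group


def render(template, user_dn, username):
    """Fill Vault's {{.UserDN}} / {{.Username}} placeholders (no LDAP escaping here)."""
    return template.replace("{{.UserDN}}", user_dn).replace("{{.Username}}", username)


def parse_filter(text):
    """Parse the RFC 4515 subset used above: (&...), (|...), (attr=value)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters in filter")
    return node


def _parse(text, pos):
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if text[pos] in "&|":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] != ")":
            child, pos = _parse(text, pos)
            children.append(child)
        return (op, children), pos + 1
    end = text.index(")", pos)          # values here never contain ')'
    attr, value = text[pos:end].split("=", 1)
    return ("=", attr, value), end + 1


def matches(node, attrs):
    """Evaluate a parsed filter against one entry; attribute names and values
    are compared case-insensitively, as AD does for DN-valued attributes."""
    if node[0] == "&":
        return all(matches(c, attrs) for c in node[1])
    if node[0] == "|":
        return any(matches(c, attrs) for c in node[1])
    _, attr, value = node
    for name, values in attrs.items():
        if name.lower() == attr.lower():
            return any(v.lower() == value.lower() for v in values)
    return False


def search_groups(groupdn, groupfilter, groupattr, user_dn, username):
    """Subtree search under groupdn for entries matching the rendered filter;
    returns the groupattr values Vault would use as group names."""
    node = parse_filter(render(groupfilter, user_dn, username))
    names = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(groupdn.lower()):
            continue                    # outside the search base
        if matches(node, attrs):
            names.extend(attrs.get(groupattr, []))
    return sorted(names)


def policies_for(groupdn, groupfilter, groupattr, user_dn, username):
    """Every login gets 'default'; group names found are looked up in the mapping."""
    policies = {"default"}
    for name in search_groups(groupdn, groupfilter, groupattr, user_dn, username):
        policies.update(GROUP_POLICIES.get(name.lower(), []))
    return sorted(policies)


if __name__ == "__main__":
    base = "DC=example,DC=com"
    for label, flt in (("AD filter", AD_FILTER), ("broken filter", BROKEN_FILTER)):
        print(label, "alice ->", policies_for(base, flt, "cn", ALICE_DN, "alice"))
        print(label, "bob   ->", policies_for(base, flt, "cn", BOB_DN, "bob"))
```

With the AD filter alice gets only vault_security and bob only admin; with the broken filter both get every mapped policy, which is the symptom in the original question. Narrowing groupdn to OU=Users leaves alice with nothing but default, and the OpenLDAP filter also picks up the posixGroup Devs via memberUid. In a live deployment the same three knobs are set with `vault write auth/ldap/config groupdn=... groupfilter=... groupattr=cn` and the mapping with `vault write auth/ldap/groups/<cn> policies=...`, then checked with `vault read auth/ldap/config`.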

@ixe013 Thank you so much for the help!
This worked and my LDAP group mapping is now working as expected.
Truly Appreciate it!
