I’ve followed the tutorials and guides and have an issue.
I’ve set up LDAP auth; it works, as AD users are able to authenticate without issue via CLI and UI.
I’ve set up a KV v2 store at /security.
I’ve set up a policy called ‘vault_security’ that should give full access to /security.
I’ve set up an AD group called “Vault_Security”.
I ran the following command to map that group to the above policy: ‘vault write auth/ldap/groups/Vault_Security policies=vault_security’
What I am experiencing is that no matter who logs into Vault, they get EVERY policy assigned to them: Admin, Default, vault_security, etc. It’s not mapping properly based on the AD groups I have established and mapped to. I have no idea why this is happening.
variables when you defined your LDAP auth method. That’s what determines the top-level DN and what CN is compared. The name of the group must match (case-sensitive, I believe).
Make sure your group DN is set. The LDAP search is indexed, so there is no real harm starting the search at the root of the directory. You can fix it later.
In your Vault configuration, make groupdn the shortest possible. Rule of thumb, remove everything but the DC=, to end up with something like DC=my-company,DC=com. YMMV.
The group filter is also important, and varies depending on your LDAP provider. For Active Directory you will have this:
(&(objectClass=group)(member={{.UserDN}}))
But for OpenLDAP and friends, with their group membership quirks, it might look more like
You can practice different search filters using an LDAP browser. I use Apache Directory Studio.
Once you’ve got your group search sorted out, find the cn attribute of your LDAP group. If the cn attribute is my-vault-group, or maybe Vault_Security, then the command to configure policies for it is this:
So that’s an Active Directory. I see two problems.
1. Group filter is wrong
Vault’s groupfilter configuration parameter should include the distinguished name of the user, available with the UserDN placeholder.
Change your filter to:
(&(objectClass=group)(member={{.UserDN}}))
That Active Directory group filter is mentioned here, but with the recursive search attribute. I’ve run into infinite recursion in the past; it might be fixed by now, but I’d rather stay away from it.
2. Vault does not know how to match the group name
With the right filter, Vault will find your group. But you must tell it what attribute to use when looking up the name to match a policy.
Usually, groupattr is cn. That’s the short name you see in Microsoft Tools. For example, if you see this in Apache Directory Studio:
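To make the advice in both replies concrete, here is an added example that is not part of the thread or of Vault itself: a small Python model of how Vault's LDAP backend turns groupdn, groupfilter and groupattr into a policy list, run against a constructed AD-style directory. It reproduces the symptom from the question (every user receives every mapped policy) when the group filter lacks the `member={{.UserDN}}` clause, and shows the fixed filter and a too-narrow groupdn side by side. The directory entries, DNs and policy names are invented for the demo; the filter parser handles only the `(attr=value)`, `(&...)` and `(|...)` forms used here, not full RFC 4515. The model lowercases group names before looking up the `auth/ldap/groups/<name>` mapping, mirroring Vault's behaviour when `case_sensitive_names` is left at its default of false (verify this against your Vault version).

```python
"""Toy model of Vault's LDAP group-to-policy lookup (added example, not Vault code).

Real-world counterpart of the settings modelled here:
  vault write auth/ldap/config groupdn='DC=example,DC=com' \
      groupfilter='(&(objectClass=group)(member={{.UserDN}}))' groupattr=cn ...
  vault write auth/ldap/groups/Vault_Security policies=vault_security
"""

# Constructed AD-style directory (assumption: entries, DNs and names are made up).
DIRECTORY = [
    {"dn": "CN=alice,OU=Users,DC=example,DC=com", "objectClass": ["user"], "cn": "alice"},
    {"dn": "CN=bob,OU=Users,DC=example,DC=com", "objectClass": ["user"], "cn": "bob"},
    {"dn": "CN=Vault_Security,OU=Groups,DC=example,DC=com", "objectClass": ["group"],
     "cn": "Vault_Security", "member": ["CN=alice,OU=Users,DC=example,DC=com"]},
    {"dn": "CN=Vault_Admin,OU=Groups,DC=example,DC=com", "objectClass": ["group"],
     "cn": "Vault_Admin", "member": ["CN=bob,OU=Users,DC=example,DC=com"]},
]

# What `vault write auth/ldap/groups/<name> policies=...` leaves behind. Keys are
# stored lowercased, as Vault does with case_sensitive_names=false (assumption to check).
GROUP_POLICIES = {"vault_security": ["vault_security"], "vault_admin": ["admin"]}

BROKEN_FILTER = "(objectClass=group)"                        # matches every group for every user
FIXED_FILTER = "(&(objectClass=group)(member={{.UserDN}}))"  # the filter both replies recommend


def parse_filter(text):
    """Parse a minimal LDAP filter into a tree: ('=', attr, value) or (op, [children])."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|":                       # AND / OR with nested children
            op = text[pos]
            pos += 1
            children = []
            while text[pos] != ")":
                children.append(node())
            pos += 1
            return (op, children)
        end = text.index(")", pos)                  # simple equality match
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(entry, tree):
    """Evaluate a parsed filter against one entry; attribute values compare case-insensitively."""
    if tree[0] == "=":
        _, attr, value = tree
        values = entry.get(attr, [])
        if isinstance(values, str):
            values = [values]
        return any(v.lower() == value.lower() for v in values)
    op, children = tree
    results = (matches(entry, c) for c in children)
    return all(results) if op == "&" else any(results)


def search(base_dn, tree):
    """Subtree search below base_dn (Vault's groupdn) for entries matching the filter."""
    base = base_dn.lower()
    return [e for e in DIRECTORY
            if (e["dn"].lower() == base or e["dn"].lower().endswith("," + base))
            and matches(e, tree)]


def vault_policies_for(user_dn, groupdn, groupfilter, groupattr="cn", case_sensitive_names=False):
    """Policies a login would receive: 'default' plus those mapped to each matched group."""
    rendered = groupfilter.replace("{{.UserDN}}", user_dn)   # Vault fills the UserDN placeholder
    policies = {"default"}
    for group in search(groupdn, parse_filter(rendered)):
        name = group.get(groupattr)                          # groupattr selects the name to map on
        if name is None:
            continue                                         # wrong groupattr: group silently unmatched
        if isinstance(name, list):
            name = name[0]
        key = name if case_sensitive_names else name.lower()
        policies.update(GROUP_POLICIES.get(key, []))
    return sorted(policies)


if __name__ == "__main__":
    for label, flt in (("broken", BROKEN_FILTER), ("fixed", FIXED_FILTER)):
        for user in ("alice", "bob"):
            dn = f"CN={user},OU=Users,DC=example,DC=com"
            print(f"{label:6} {user:5} -> {vault_policies_for(dn, 'DC=example,DC=com', flt)}")
    # A groupdn that does not contain the groups OU finds nothing, hence only 'default'.
    print("narrow groupdn ->", vault_policies_for(
        "CN=alice,OU=Users,DC=example,DC=com", "OU=Users,DC=example,DC=com", FIXED_FILTER))
```

With the broken filter both alice and bob receive admin, default and vault_security, which is exactly the symptom in the question; with the fixed filter alice gets only default and vault_security and bob only admin and default. The narrow-groupdn case shows the opposite failure, no mapped policies at all, which is why the first reply suggests starting the search at the domain root and tightening it later.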