Hi,
this Jenkins configuration page is all the information I have about our LDAP (I do have the concealed password). Can I configure vault for ldap authentication with that? If so, what goes where? I’m a bit lost here. I’d be very thankful for a vault-cli command.
There isn’t enough information here but this is close to what you need.
vault write auth/ldap/config \
url="ldap://{{server}}" \
userattr=sAMAccountName \
userdn="ou=User_Objects,ou={{... }},dc=com" \
groupdn="ou={{vault_group}},ou=Group_Objects,ou={{....}},dc=com" \
groupfilter="(&(objectClass=person)(uid={{.Username}}))" \
groupattr="memberOf" \
binddn="{{manager DN}}" \
bindpass='{{manager password' \
certificate=@/{{path}}/{{certificate}} \
insecure_tls=false \
starttls=trueThrough a bit of trickery I also got some information on my user
User ID: confus
User DN: cn=Full Name,ou=Division,ou=Office,ou=Country,ou=Team Users,dc=Some,dc=Subdomain,dc=Top
User Display Name: Full Name
LDAP Group membership:
TeamA
RegionGroup
Can even use ldapsearch to output user information. Does that help me in any way? I know next to nothing about LDAP and it confuses me profoundly (pun intended 
)
Think of it as a folder structure, each ou is another folder under the previous … left to right. CN are containers, think of them as drive letters or mount points in a filesystem. The OU are folders in that filesystem under the container.
What the groupdn is asking for, is which folder should I search for the user that is trying to authenticate. The groupFilter is telling the auth system what value to search for the username.
Normally in LDAP it’s whatever you have choosen, but ActiveDirectory has a specific search k/v for the username called sAMAccountName and that’s the attribute of the user that tells AD what the account name is.
Okay, thanks everyone, the ultimate trick that did it for me was that I needed upndomain=SUBDOMAIN.DOMAIN.TOP, but there were other small things.