Hi, we are trying to use our JumpCloud LDAP as an auth method for Vault. I'm successful in using the users from the LDAP to connect to Vault, but I can't figure out how to assign policies to LDAP groups; every attempt I make to assign different policies to different groups is unsuccessful.
The results are confusing: either every user gets the same policy, or neither of them gets any policy.
The process I used to set up the LDAP auth was as follows:
- I’ve enabled the LDAP auth method:
    vault auth enable ldap
- Configured the LDAP auth method:
    vault write auth/ldap/config \
        url="ldaps://ldap.jumpcloud.com" \
        binddn="cn=<MY_USER>,ou=Users,o=<ORG_ID>,dc=jumpcloud,dc=com" \
        bindpass="<PASSWORD>" \
        userdn="ou=Users,o=<ORG_ID>,dc=jumpcloud,dc=com" \
        userattr="uid" \
        groupfilter="(objectclass=groupOfNames)" \
        groupdn="ou=Users,o=<ORG_ID>,dc=jumpcloud,dc=com" \
        groupattr="cn" \
        deny_null_bind=true \
        insecure_tls=false
- Created the Vault policy:
    # Manage auth methods broadly across Vault
    path "auth/*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }

    # Create, update, and delete auth methods
    path "sys/auth/*" {
      capabilities = ["create", "update", "delete", "sudo"]
    }

    # List auth methods
    path "sys/auth" {
      capabilities = ["read"]
    }

    # Create and manage ACL policies
    path "sys/policies/acl/*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }

    # To list policies
    path "sys/policies/acl" {
      capabilities = ["list"]
    }

    # List, create, update, and delete key/value secrets
    path "secret/*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }

    # Create and manage secret engines broadly across Vault.
    path "sys/mounts/*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }

    # Read health checks
    path "sys/health" {
      capabilities = ["read", "sudo"]
    }

    path "sys/capabilities" {
      capabilities = ["create", "update"]
    }

    path "sys/capabilities-self" {
      capabilities = ["create", "update"]
    }

    # Create and manage identities and groups
    path "identity/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }
- Created a Vault group (Admins), used an LDAP group (Admins) as its alias, and applied the policy to this group.
The result in this scenario is that every user that logs in, no matter if he belongs to the Admins group or not, is assigned this policy.
The desired outcome would be that only the users that really belong to the Admins group in my LDAP are assigned this policy, and all other users are denied login or, at the very least, are dropped to the default policy.
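The symptom described in the post (every login receives the Admins policy) is what Vault produces when the LDAP `groupfilter` contains no reference to the user being authenticated: a filter such as `(objectclass=groupOfNames)` matches every group in `groupdn` for every login, so every user carries the "Admins" group alias. Vault's own default filter is `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))`, which restricts the search to groups that actually list the user. The script below is an added example, not the poster's configuration or anything from the Vault or JumpCloud projects: it carries a small check that refuses a group filter without a `{{.Username}}` or `{{.UserDN}}` term, writes the LDAP config with a per-user filter, and wires an external identity group to the LDAP "Admins" group via a group alias. It assumes the placeholder variables `ORG_ID`, `BIND_USER` and `BIND_PASS` are set, that a policy named `admins` has already been written, that JumpCloud groups are `groupOfNames` entries whose `member` attribute holds user DNs, and that the `vault` CLI is authenticated with a token permitted to write `auth/ldap/*`, `sys/auth/*` and `identity/*`.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Assumes ORG_ID, BIND_USER and BIND_PASS
# (placeholders) are exported and that `vault` is already logged in with sufficient rights.
set -eu

# Vault's built-in default group filter: every alternative names the logging-in user,
# so the set of matched groups differs from user to user.
VAULT_DEFAULT_GROUPFILTER='(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))'

# Filter for JumpCloud, where groups are groupOfNames entries whose member attribute
# holds user DNs (assumption about the directory layout; confirm with ldapsearch first).
jumpcloud_groupfilter() {
  printf '%s' '(&(objectclass=groupOfNames)(member={{.UserDN}}))'
}

# Returns 0 when the filter references the authenticating user, 1 otherwise.
# A filter with neither template term, e.g. "(objectclass=groupOfNames)", matches every
# group under groupdn for every login, so every user inherits every group's policies.
filter_is_user_scoped() {
  case "$1" in
    *'{{.Username}}'*|*'{{.UserDN}}'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Write the LDAP auth configuration, refusing a filter that is not scoped to the user.
configure_ldap() {
  filter="$(jumpcloud_groupfilter)"
  if ! filter_is_user_scoped "$filter"; then
    echo "refusing to apply a groupfilter that does not reference the user" >&2
    return 1
  fi
  vault write auth/ldap/config \
    url="ldaps://ldap.jumpcloud.com" \
    binddn="cn=${BIND_USER},ou=Users,o=${ORG_ID},dc=jumpcloud,dc=com" \
    bindpass="${BIND_PASS}" \
    userdn="ou=Users,o=${ORG_ID},dc=jumpcloud,dc=com" \
    userattr="uid" \
    groupdn="ou=Users,o=${ORG_ID},dc=jumpcloud,dc=com" \
    groupattr="cn" \
    groupfilter="${filter}" \
    deny_null_bind=true \
    insecure_tls=false
}

# Create the external identity group carrying the "admins" policy (written earlier with
# `vault policy write admins admins.hcl`) and alias it to the LDAP group named "Admins".
# Only logins whose LDAP group list contains "Admins" pick up this group; everyone else
# is left with Vault's default policy.
create_admins_group() {
  group_id="$(vault write -field=id identity/group name="Admins" type="external" policies="admins")"
  accessor="$(vault read -field=accessor sys/auth/ldap)"
  vault write identity/group-alias \
    name="Admins" \
    mount_accessor="${accessor}" \
    canonical_id="${group_id}"
}

# Usage against a live Vault (uncomment to apply):
# configure_ldap && create_admins_group
```

After applying, `vault login -method=ldap username=<user>` for a member and a non-member of the LDAP Admins group should show `admins` in `token_policies` only for the member; `vault read identity/group/name/Admins` lists the alias and the member entity IDs Vault has seen so far.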