JumpCloud LDAP integration

Hi, we are trying to use our JumpCloud LDAP as an auth method for Vault. I'm successful with using the users from the LDAP to connect to Vault, but I can't figure out how to assign policies to LDAP groups; every attempt I make to assign different policies to different groups is unsuccessful.
The results are confusing: either every user gets the same policy or none of them gets any policy.

The process I used to set up the LDAP auth was as follows:

  1. I’ve enabled the LDAP auth method: vault auth enable ldap
  2. Configured the LDAP auth method (note the comma between the cn and ou components of binddn):
    vault write auth/ldap/config \
      url="ldaps://ldap.jumpcloud.com" \
      binddn="cn=<MY_USER>,ou=Users,o=<ORG_ID>,dc=jumpcloud,dc=com" \
      bindpass="<PASSWORD>" \
      userdn="ou=Users,o=<ORG_ID>,dc=jumpcloud,dc=com" \
      userattr="uid" \
      groupfilter="(objectclass=groupOfNames)" \
      groupdn="ou=Users,o=<ORG_ID>,dc=jumpcloud,dc=com" \
      groupattr="cn" \
      deny_null_bind=true \
      insecure_tls=false
    
  3. Created a Vault policy:
    # Manage auth methods broadly across Vault
    path "auth/*"
    {
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }
    
    # Create, update, and delete auth methods
    path "sys/auth/*"
    {
    capabilities = ["create", "update", "delete", "sudo"]
    }
    
    # List auth methods
    path "sys/auth"
    {
    capabilities = ["read"]
    }
    
    # Create and manage ACL policies
    path "sys/policies/acl/*"
    {
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }
    
    # To list policies
    path "sys/policies/acl"
    {
    capabilities = ["list"]
    }
    
    # List, create, update, and delete key/value secrets
    path "secret/*"
    {
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }
    
    # Create and manage secret engines broadly across Vault.
    path "sys/mounts/*"
    {
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }
    
    # Read health checks
    path "sys/health"
    {
    capabilities = ["read", "sudo"]
    }
    
    path "sys/capabilities"
    {
    capabilities = ["create", "update"]
    }
    
    path "sys/capabilities-self"
    {
    capabilities = ["create", "update"]
    }
    
    # Create and manage identities and groups
    path "identity/*" {
    capabilities = [ "create", "read", "update", "delete", "list" ]
    }
    
  4. Created a Vault group (Admins), used an LDAP group (Admins) as its alias, and applied the policy to this group.

The result in this scenario is that every user that logs in, no matter whether they belong to the Admins group or not, is assigned this policy.

The desired outcome would be that only the users that really belong to the Admins group in my LDAP are assigned this policy, and all other users are denied login or, at the very least, dropped to the default policy.


Does no one have an idea how to accomplish what I’m asking?

The group filter is an LDAP search. When you specify (objectClass=groupOfNames), you are telling Vault "any group that exists".

You must parametrize the ldap group search.

I don't know your LDAP schema, but it looks like an inetOrgPerson. Start with the default filter by removing groupfilter from your configuration. If it does not work, use an LDAP browser to find the right filter for you, maybe starting with (member={{.UserDN}}). Vault will replace {{.UserDN}} at runtime with the distinguished name of the user logging in.

Shameless plug: I have a pull request waiting that implements a similar search for users.

Thank you, I'll give it a go and update.
(member={{.UserDN}}) did the trick, thank you very much.
