LDAP as authentication, VAULT as login data storage

Hello community,

I want to use VAULT for storage and LDAP for login to 3rd party services. How can this be achieved? Or maybe somehow I can enable an LDAP store in VAULT itself and use 3rd party services to connect to the VAULT server via the LDAP protocol?

Or maybe it is possible to sync VAULT users with LDAP? Again, I want to store all the data in VAULT but, for example, connect LDAP to some of our services like RouterOS or GitLab and use it for authentication. Probably I need some kind of option to sync user data from VAULT to an LDAP server. Is it possible?

Please help

1 Like

You can certainly use an external LDAP to authenticate users for Vault and with some simple group mapping you can assign policies to various users based on their group membership(s).

I don’t believe you can identify via LDAP though, so you can’t pass that initial authentication back out to an LDAP – but you could set up Dynamic Access to AWS, GCP, etc… The difference is “Dynamic Secret” vs. pure “auth”.

Thanks for the answer Aram, but what I am trying to do is to have all the user data stored in VAULT but use LDAP with that user info for authentication to other services.

Generally I need a way to have a sync from VAULT to LDAP and use LDAP for authentication to GitLab, for example. Maybe I need to make some export-from-VAULT and import-to-LDAP script for this. Not sure…

Or maybe I can use VAULT itself as an LDAP server and connect it to GitLab and Google Suite, for example, and others… hmmm. Probably I need to google it. The goal is to have only one place for managing team users, and it should be VAULT.

Regards,
Oleksandr

That’s not really how Vault’s identity system works.

How the identity system works is that you set up Vault as the auth provider, then configure the remote system to allow access to the user via roles.

Such as OIDC or OAuth (which you can use with GitLab):

You can even configure a remote IdP to be the main auth provider through Vault but the users would still need to be on Vault to access external resources.

Why is that your goal, though?

Vault is not really intended for this use case, so why are you so certain you want to use it in this way?

Again, why? Limited support in the other services?

I cannot recommend this architecture unless you are absolutely forced into it by poor support for other options in your other services.

Well, it is because we want to have everything in one place … and user management as well. It would be great if that place could be VAULT.
But we also want something popular like the LDAP protocol to be able to integrate with all the needed 3rd party services. I have already managed to set up SSH access through Vault to the server.
Probably the centralized system for user management should be OpenLDAP. And users should be added in LDAP, then we just simply connect it to VAULT.

Vault isn’t designed to be a fully featured user management system. You are better off managing users elsewhere and then just having Vault map LDAP groups through to policies.

2 Likes
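The setup recommended above (users managed in an external LDAP directory, with Vault mapping LDAP groups to policies) could look like the following. This is an added example, not posted by anyone in the thread. The hostname, DNs, file paths, group and policy names and the KV v2 mount at `secret/` are assumed placeholders.

```shell
#!/bin/sh
# Added example: OpenLDAP holds the users; Vault only maps LDAP groups to policies.
# Hostname, DNs, file paths, group and policy names are assumed placeholders.
LDAP_URL="ldaps://ldap.example.com"
BASE_DN="dc=example,dc=com"
LDAP_CA_FILE="/etc/vault/ldap-ca.pem"        # CA used to verify the LDAP server
BINDPASS_FILE="/etc/vault/ldap-bindpass"     # @file keeps the secret out of argv

# Dry run by default: print each vault call. Set APPLY=1 to run it for real.
run() {
  if [ "${APPLY:-0}" = "1" ]; then
    vault "$@"
  else
    printf 'vault %s\n' "$*"
  fi
}

configure_ldap_auth() {
  run auth enable ldap
  # Vault binds as a read-only service account to find the user and their groups.
  run write auth/ldap/config \
    url="$LDAP_URL" \
    certificate=@"$LDAP_CA_FILE" \
    insecure_tls=false \
    binddn="cn=vault-reader,ou=services,$BASE_DN" \
    bindpass=@"$BINDPASS_FILE" \
    userdn="ou=people,$BASE_DN" \
    userattr="uid" \
    groupdn="ou=groups,$BASE_DN" \
    groupfilter='(&(objectClass=groupOfNames)(member={{.UserDN}}))' \
    groupattr="cn"
}

# $1 = LDAP group cn, $2 = Vault policy name, $3 = path prefix under secret/ (KV v2)
map_group_to_policy() {
  run policy write "$2" - <<EOF
path "secret/data/$3/*" {
  capabilities = ["read"]
}
EOF
  run write "auth/ldap/groups/$1" policies="$2"
}

configure_ldap_auth
map_group_to_policy developers dev-read dev
# Members of the LDAP group then authenticate with:
#   vault login -method=ldap username=<uid>
```

Adding or removing a user from the LDAP group changes their Vault access at the next login, so no user records need to be created in Vault.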

You have to be more clear about use cases; identity management and user management are very different.

Can you advise any docs on such a setup implementation?

Thank you very much for the reply