LDAP authentication with nested groups

We set up LDAP authentication within Vault with the following parameters:
userattr: samaccountname
groupattr: memberOf
groupfilter: (&(objectClass=user)(sAMAccountName={{.Username}}))

This works well, however it only returns the direct groups which the user is a member of. Some of the groups authorized in our Vault contain other groups, so we need to check indirect groups as well.

The Vault manual (LDAP - Auth Methods | Vault by HashiCorp) contains a suggestion to use the Active Directory LDAP_MATCHING_RULE_IN_CHAIN function, however this turns the whole group lookup upside down: instead of fetching the user account from the LDAP server and checking its memberOf attribute, Vault has to cycle through all groups and check if the user is a member of each of them. This is very inefficient and takes multiple minutes to complete.

Is there any other way to perform a recursive group lookup in Vault?
I’d like to do something like below (in pseudo-code) and run through all groups recursively of a given user, but I’m unsure if this can be implemented in Vault:

$seen = @{}                                       # Groups already printed (guards against circular nesting)

ListParentGroups($groupdn) {
    if ($seen[$groupdn]) { return }               # Skip groups we have already walked
    $seen[$groupdn] = $true
    print $groupdn                                # Print every group found
    $parents = ldapsearch($groupdn).memberOf      # Groups that contain this group (walk upwards, not into the group's members)
    foreach $parent in $parents {                 # Cycle through all parent groups
        ListParentGroups($parent)                 # Call the function again with this parent group
    }
}

$groups = ldapsearch($user).memberOf              # Get direct groups of a user
foreach $group in $groups { ListParentGroups($group) }  # Prints all groups and nested groups this user is a member of without having to run through all existing groups

Well, the group membership search code is open source, so yes, it could be done.

I just wrote a pull request that enhances the user search logic. I am just a guy in his basement, not a HashiCorp employee. I would say implementing this is not really hard, but you need to write the documentation, maybe some UI code and tests. And wait.

I suggest that you make a request for enhancement in GitHub and see if it gets any traction. Post the link and I'll meet you there :wink:

1 Like

I added code a while ago to this auth method to enable tokenGroups lookup. If you use that, it should be very quick and do what you want. At some point in time, though, the option never made it to the public docs, but I just checked and the code's all there. Update the LDAP config with “use_token_groups: true” and you should see much improved LDAP group resolution on AD.


Wow, that was easy. Simply flip use_token_groups to true and everything starts working with recursive / nested group lookups in AD. The lookup takes about 0.03 seconds in an Active Directory with millions of groups. Thank you!

As a precondition it is necessary to change the groupfilter so that it searches for user objects, not group objects, like “groupfilter = (&(objectClass=user)(sAMAccountName={{.Username}}))”. Also groupattr has to be set to memberOf and the groupdn point to a location where the user objects can be found.

The UI of Vault actually contains a tooltip which explains: “If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.”
But in my mind I linked this option to Vault tokens and never bothered to check what it actually does.

1 Like
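To put the two answers above into a form that can be applied and checked, here is an added example (my own script, not code from the thread, from HashiCorp, or from the Vault code base). It assembles the `vault write auth/ldap/config` call with `use_token_groups=true` and the user-object `groupfilter`, `groupattr=memberOf` and user-subtree `groupdn` that the last post lists as preconditions, and it refuses to write a configuration where those settings disagree with the flag. Host names, DNs and the service account name are placeholders; `ldap_nested_groups_status` and `vault_ldap_config_args` are helper names I made up; the `vault` CLI flags (`write`, `read -field`, `login -method=ldap`) and config parameter names are the documented ones.

```shell
#!/usr/bin/env bash
# Added example (not the thread's own code and not from HashiCorp): assemble the
# Vault LDAP auth configuration the thread converged on, tokenGroups-based nested
# group resolution against Active Directory, and check the preconditions the
# last post lists before anything is written. Host names, DNs and account names
# are placeholders (assumptions); the vault CLI flags are the documented ones.
set -eu

LDAP_URL="ldaps://dc01.corp.example"                           # assumed
USERDN="OU=Users,DC=corp,DC=example"                           # assumed
GROUPDN="OU=Users,DC=corp,DC=example"                          # assumed; per the thread, where the user objects live
BINDDN="CN=svc-vault,OU=Service Accounts,DC=corp,DC=example"   # assumed
USERATTR="samaccountname"
GROUPATTR="memberOf"
GROUPFILTER='(&(objectClass=user)(sAMAccountName={{.Username}}))'

# Classify a groupfilter / groupattr / use_token_groups combination.
# Prints one of: token-groups | in-chain | direct-only | inconsistent
ldap_nested_groups_status() {
  groupfilter="$1"; groupattr="$2"; use_token_groups="$3"
  lc_attr=$(printf '%s' "$groupattr" | tr '[:upper:]' '[:lower:]')
  if [ "$use_token_groups" = "true" ]; then
    # tokenGroups is a constructed attribute of the *user* object, so the
    # filter must select users and groupattr must be memberOf.
    case "$groupfilter" in
      *"objectClass=user"*)
        if [ "$lc_attr" = "memberof" ]; then echo token-groups; return 0; fi ;;
    esac
    echo inconsistent; return 0
  fi
  case "$groupfilter" in
    *"1.2.840.113556.1.4.1941"*) echo in-chain ;;     # LDAP_MATCHING_RULE_IN_CHAIN: nested, but walks every group
    *"objectClass=user"*)        echo direct-only ;;  # memberOf on the user: direct groups only
    *)                           echo inconsistent ;;
  esac
}

# The key=value pairs for `vault write auth/ldap/config`, one per line, with the
# bind password taken from the environment rather than hard-coded in the script.
vault_ldap_config_args() {
  printf '%s\n' \
    "url=$LDAP_URL" "userdn=$USERDN" "userattr=$USERATTR" \
    "groupdn=$GROUPDN" "groupattr=$GROUPATTR" "groupfilter=$GROUPFILTER" \
    "binddn=$BINDDN" "bindpass=${VAULT_LDAP_BINDPASS:-}" "use_token_groups=true"
}

# Refuse to write an inconsistent config; otherwise write it and read the flag back.
# Requires a logged-in vault CLI and VAULT_LDAP_BINDPASS in the environment.
apply_config() {
  status=$(ldap_nested_groups_status "$GROUPFILTER" "$GROUPATTR" true)
  if [ "$status" != "token-groups" ]; then
    echo "refusing to apply: groupfilter/groupattr are $status for use_token_groups=true" >&2
    return 1
  fi
  vault write auth/ldap/config \
    url="$LDAP_URL" userdn="$USERDN" userattr="$USERATTR" \
    groupdn="$GROUPDN" groupattr="$GROUPATTR" groupfilter="$GROUPFILTER" \
    binddn="$BINDDN" bindpass="$VAULT_LDAP_BINDPASS" use_token_groups=true
  vault read -field=use_token_groups auth/ldap/config
  # Then: vault login -method=ldap username=<someone who is only in a nested group>
  # and confirm the token carries the policies mapped to the parent group.
}

if [ "${1:-}" = "apply" ]; then apply_config; fi
```

Run it with `apply` as the first argument after exporting VAULT_LDAP_BINDPASS; without arguments it only defines the helpers. The classifier is deliberately strict: the original `objectClass=user` + `memberOf` settings without the flag come back as `direct-only`, the manual's `1.2.840.113556.1.4.1941` filter as `in-chain`, and a group-object filter combined with `use_token_groups=true` as `inconsistent`, which is the combination that silently fails to resolve anything.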