Hello,
I’ve read in documentation about LDAP group that “We can also add specific LDAP users to additional (potentially non-LDAP) groups.”
Here is the command without users:
vault write auth/ldap/groups/scientists policies=foo,bar
How to add additional users?
I’ve unsuccessfully tested:
vault write auth/ldap/groups/scientists policies=foo,bar,myuser
vault write auth/ldap/groups/scientists policies=foo,bar users=myuser
Can you help me to find the correct syntax?
Thanks a lot
Hi @antoine,
I’m not certain but that might be hinting at the Identity secret engine: Identity - Secrets Engines | Vault by HashiCorp
Basically you would make two Identity groups for every LDAP group you configure - one external (to map to your LDAP group) and another internal which would have the external LDAP group as a member and any one-off users (entities) as members as well. The policy/policies would be attached to the internal group to grant permissions to the full set of members.