LDAP Group: add users


I’ve read in the documentation about LDAP groups that “We can also add specific LDAP users to additional (potentially non-LDAP) groups.”

Here is the command without users:

vault write auth/ldap/groups/scientists policies=foo,bar

How do I add additional users?
I’ve tested the following without success:

vault write auth/ldap/groups/scientists policies=foo,bar,myuser
vault write auth/ldap/groups/scientists policies=foo,bar users=myuser

Can you help me find the correct syntax?

Thanks a lot

Hi @antoine,

I’m not certain, but that might be hinting at the Identity secrets engine: Identity - Secrets Engines | Vault by HashiCorp

Basically you would make two Identity groups for every LDAP group you configure - one external (to map to your LDAP group) and another internal which would have the external LDAP group as a member and any one-off users (entities) as members as well. The policy/policies would be attached to the internal group to grant permissions to the full set of members.
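The two-group pattern described in the answer above, as an added example written for this thread (not code from the original post or from HashiCorp). It assumes an LDAP auth method mounted at auth/ldap/, an LDAP group named scientists, an extra login name myuser and the policies foo,bar; the mount accessor is read from `vault auth list` and passed in via LDAP_ACCESSOR.

```shell
#!/bin/sh
# Added example, not from the original thread or from HashiCorp's docs.
# Implements the two-group pattern from the answer above with the Vault CLI:
#   external group  <-- alias to the LDAP group (members arrive via LDAP logins)
#   internal group  <-- external group + one-off entities; policies live here
# Assumed names: LDAP auth at auth/ldap/, LDAP group "scientists",
# extra user "myuser", policies foo,bar.
set -eu

# Create an identity group of the given type and print its id.
# $1 = group name, $2 = internal|external, $3 = comma-separated policies ("" for none)
create_group() {
  vault write -field=id identity/group name="$1" type="$2" policies="$3"
}

# Bind an external group to the LDAP group via a group alias on the LDAP mount.
# $1 = external group id, $2 = LDAP group name, $3 = LDAP mount accessor
alias_group_to_ldap() {
  vault write identity/group-alias name="$2" mount_accessor="$3" canonical_id="$1" >/dev/null
}

# Create an entity for one LDAP login name, alias it to that login, print its id.
# $1 = login name, $2 = LDAP mount accessor
create_user_entity() {
  eid=$(vault write -field=id identity/entity name="$1")
  vault write identity/entity-alias name="$1" mount_accessor="$2" canonical_id="$eid" >/dev/null
  printf '%s\n' "$eid"
}

# Wire everything together and print the internal group's id.
# $1 = LDAP group name, $2 = policies, $3 = LDAP mount accessor, $4.. = extra login names
map_ldap_group_with_extra_users() {
  group=$1; policies=$2; accessor=$3; shift 3
  ext_id=$(create_group "$group-ldap" external "")
  alias_group_to_ldap "$ext_id" "$group" "$accessor"
  entity_ids=""
  for user in "$@"; do
    eid=$(create_user_entity "$user" "$accessor")
    entity_ids="${entity_ids:+$entity_ids,}$eid"
  done
  # Policies are attached here only, so LDAP members and one-off users get the same set.
  vault write -field=id identity/group name="$group" type=internal policies="$policies" \
    member_group_ids="$ext_id" member_entity_ids="$entity_ids"
}

# Apply only when pointed at a real server: the accessor comes from `vault auth list`.
if [ -n "${LDAP_ACCESSOR:-}" ]; then
  map_ldap_group_with_extra_users scientists "foo,bar" "$LDAP_ACCESSOR" myuser
fi
```

Run it as `LDAP_ACCESSOR=<accessor from vault auth list> sh map-ldap-group.sh` against a Vault you are logged in to; the group alias name must equal the group name the LDAP method reports, which is why it is "scientists" while the external identity group is named "scientists-ldap".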