LDAP group applies policy, but policy seems to be ignored

I have AD/LDAP setup, and groups are working fine. I can apply the policy to a group, and when I login from the command line, it shows the policy attached. I also deleted that group, verified it was gone, then applied it to a different group, and the policy was again applied to my user:

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
...
token_policies         ["default" "rsdkv-dev-rw"]
identity_policies      []
policies               ["default" "rsdkv-dev-rw"]
...

“rsdkv-dev-rw” being the policy that I created and assigned to an LDAP group.

vault write -tls-skip-verify -f auth/ldap/groups/ccfusers policies=rsdkv-dev-rw

HOWEVER, when I login to the GUI, or from the command line, I don't see/have access to rsdkv/dev.

I copied the policy to an ACL policy, and assigned it to a userpass user, and that user can see/access rsdkv/dev just fine.

Here is the policy that was both applied to the LDAP group, and also was used to create the ACL Policy:

path "rsdkv/" {
     capabilities = ["list"]
}

path "rsdkv/metadata/" {
     capabilities = ["list"]
}

path "rsdkv/data/" {
     capabilities = ["list"]
}

path "rsdkv/dev" {
     capabilities = ["create", "read", "update", "patch", "delete", "list"]
}

path "rsdkv/metadata/dev" {
     capabilities = ["create", "read", "update", "patch", "delete", "list"]
}

path "rsdkv/data/dev" {
     capabilities = ["create", "read", "update", "patch", "delete", "list"]
}

Any idea why LDAP is ignoring the “rsdkv-dev-rw” policy for the LDAP user? Or am I missing some other step?

This is Vault 1.15.0 Community Edition on a RHEL 8 VM.

Thanks!

EDIT: More info.
When I login as the “userpass” user, you can see that “aspitzer-rsdkv-acl-policy” (ACL Policy version that was a copy/paste of the policy above) is assigned to the user's token_policies and policies lists, just like “rsdkv-dev-rw” was assigned to the LDAP user above.

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token_policies         ["aspitzer-rsdkv-acl-policy" "default"]
identity_policies      []
policies               ["aspitzer-rsdkv-acl-policy" "default"]

One thing that I did notice from above is that the ORDER of policies differ.

With the LDAP GROUP version, “default” is first.
With the ACL version, “default” is second. Not sure if that changes anything.

Interestingly (or not)…

I can't seem to read the “rsdkv-dev-rw” policy when logging in with root/token.

LDAP USER gets this when logged in from the CLI:

...
token_renewable        true
token_policies         ["default" "rsdkv-dev-rw"]
identity_policies      []
policies               ["default" "rsdkv-dev-rw"]
...

But when ROOT user tries to view the policy, they get an error that there is no policy with that name. Is this expected?

aspitzer:~ $ vault login -tls-skip-verify method=token username=root
Token (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
...
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]
...

aspitzer@RWTDVAULT01:~ $ vault policy read -tls-skip-verify rsdkv-dev-rw
No policy named: rsdkv-dev-rw

Where are the LDAP policies kept? Should I be seeing them in the “ACL Policies” tab? Because I am not.

Okay… I figured it out. Hopefully this will help someone else seeing the same issues.
It seems there is no error checking, which would be totally helpful.

This command ASSIGNS the policy “rsdkv-dev-rw” to the “ccfusers” AD group WHETHER OR NOT it actually exists.

vault write -tls-skip-verify -f auth/ldap/groups/ccfusers policies=rsdkv-dev-rw

I was under the impression that policies=rsdkv-dev-rw was read in when the command was run, but it is actually just a pointer to a policy called “rsdkv-dev-rw”, which may or may not exist.

I had to run this afterwards (or before) so that the ACL Policy exists (and can be seen in the ACL Policies tab):

vault policy write -tls-skip-verify rsdkv-dev-rw rsdkv-dev-rw

I used the same filename and policy name here, so that is a bit confusing.

This would make more sense:

vault policy write -tls-skip-verify rsdkv-dev-rw rsdkv-dev-rw.my.policy.file
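Since the group mapping accepts policy names without checking them, a quick sanity check after mapping is to compare the names on the group against `vault policy list`. The script below is an added example, not code from this thread or from HashiCorp. `missing_policies` is a pure helper that works on two constructed name lists; `check_ldap_group` is the live wrapper and assumes that `vault read -field=policies` on the group prints the list as `[name1 name2]` in table output, and that `vault policy list` prints one name per line with the built-in `default` and `root` included.

```shell
#!/bin/sh
# Added example, not code from the thread: check that the policies named on a
# Vault LDAP group mapping actually exist as ACL policies. Vault stores the
# names given to `vault write auth/ldap/groups/<group> policies=...` as-is,
# so a typo, or a policy that was never written, silently grants nothing.

# missing_policies ASSIGNED EXISTING
#   ASSIGNED and EXISTING are whitespace-separated lists of policy names.
#   Prints, one per line, every name in ASSIGNED that is not in EXISTING.
missing_policies() {
    assigned=$1
    existing=$2
    for p in $assigned; do
        found=0
        for e in $existing; do
            if [ "$p" = "$e" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$p"
        fi
    done
    return 0
}

# check_ldap_group GROUP
#   Live check against the server in VAULT_ADDR, using the token already in
#   the token helper (it needs read on auth/ldap/groups/* and policy list).
#   Assumptions: with table output, `vault read -field=policies` prints the
#   list as "[name1 name2]", and `vault policy list` prints one policy name
#   per line, built-in "default" and "root" included.
check_ldap_group() {
    group=$1
    assigned=$(vault read -field=policies "auth/ldap/groups/$group" | tr -d '[]')
    existing=$(vault policy list)
    missing=$(missing_policies "$assigned" "$existing")
    if [ -n "$missing" ]; then
        echo "group '$group' references policies that do not exist:" >&2
        printf '  %s\n' $missing >&2
        echo "create each one with: vault policy write <name> <file.hcl>" >&2
        return 1
    fi
    echo "all policies on group '$group' exist"
    return 0
}

# Usage: sh check_group.sh ccfusers
if [ -n "${1:-}" ]; then
    check_ldap_group "$1"
fi
```

Run it once right after the `vault write ... policies=...` step: a non-zero exit with the missing names listed is exactly the situation described above (the mapping exists, the policy does not), and `vault policy write rsdkv-dev-rw rsdkv-dev-rw.my.policy.file` followed by a re-run makes it pass.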