LDAP mapping vs Identity external groups


I’m currently using LDAP auth (Active Directory) for all humans.

I created a mapping between LDAP group <-> AD groups.
I can do the same mapping with the Identity Engine (groups alias).

Does anyone know the pros/cons of each method?

Thank you

I attempted to summarize the features of both use cases in my Vault Policy Guide.

In short, you’ll have a lot more flexibility assigning and evaluating policies using the Identity Groups than you will assigning policy directly to roles, but it comes at a cost of added complexity.
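
The two mappings compared in this thread, side by side, as an added example that is not part of either post or of the linked guide. The mount path `ldap`, the AD group `vault-admins`, the policy `admin` and both function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: grant one policy to one AD group in two different ways.
# Constructed placeholders: mount "ldap", AD group "vault-admins", policy "admin".
# Assumes an authenticated vault CLI (VAULT_ADDR and a token already set).

# Method 1: mapping stored inside the LDAP auth method itself.
# The policy is attached directly to the token issued at login.
map_in_ldap_auth() (   # args: <mount> <ad_group> <policy>
  vault write "auth/$1/groups/$2" policies="$3"
)

# Method 2: Identity external group plus a group alias.
# The policy reaches the token through the entity's group membership.
map_via_identity() (   # args: <mount> <ad_group> <policy>
  # The alias is bound to the mount accessor, not to the mount path.
  # If sys/auth/<mount> is not readable on your Vault version, take the
  # accessor from `vault auth list -detailed` instead.
  accessor=$(vault read -field=accessor "sys/auth/$1") || exit 1
  # type=external: Vault maintains membership from the groups the auth
  # method reports at login, it is not edited by hand.
  group_id=$(vault write -field=id identity/group \
    name="$2" type=external policies="$3") || exit 1
  # The alias name must equal the group name the LDAP method returns.
  vault write identity/group-alias \
    name="$2" mount_accessor="$accessor" canonical_id="$group_id"
)

# Usage:
#   map_in_ldap_auth ldap vault-admins admin
#   map_via_identity ldap vault-admins admin
```

If a group is mapped both ways, the resulting token carries the union of both policy sets, so audit the `policies` and `identity_policies` fields of `vault token lookup` when migrating from one method to the other.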

