LDAP, user login does not populate the GUI

When I log in via LDAP, my GUI (which is logged in as root, with all necessary permissions), under the Access tab, under LDAP, under Users, is empty, and so is Groups. The user entry does, however, show up in the Entities tab, but there, too, the group does not.

Can anyone let me know if this is the normal case, or am I doing something wrong, or is it a bug?

It's a little confusing because I think the LDAP settings you're looking at are an older way of doing things from before the Identity system was ready.

For the LDAP auth method, the "Users" and "Groups" pages are for mapping policies to a user, or to the members of a group. So you won't see anything in here unless you've set up policy mappings. It's not for showing entities present in LDAP.

The other section you've noticed is the Users and Groups outside the LDAP auth method. This does show user entities who have logged in, and is the Identity way of managing users and groups. They get a Vault-specific entity ID, and then an alias to one or more auth methods. So you might see entity_12345678 that also has an alias to username = "foo" in auth_ldap_87654321. Groups are similar, except that only external groups can have aliases, and each group can have only one alias, to a single auth method. As users log in, you will see them appear in the Members tab of the external groups you've configured. You can also map policies to users or groups from this section.

I'd recommend sticking with one system or the other. Personally, I use the Identity way to map my policies and don't do any policy mapping in the LDAP auth method. So if I have an LDAP group called "Vault Super Admins", I go into the Identity Groups (the ones outside the auth methods), create an external one called "Vault Super Admins", add an alias to the LDAP auth method called "Vault Super Admins" (<— this is what actually connects the Vault Identity group to the LDAP group; the name must be exactly as it is in LDAP), and then attach my policies there.

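The procedure in the reply above, as an added example that is not code from the thread or from Vault itself (the later question in this thread about how a user gets matched to the group is the same mechanism): look up the LDAP mount accessor, create the external Identity group with its policy, alias it to the LDAP group by name, and verify after the user logs in again. Every concrete value in it is an assumed example: the mount path `ldap/`, the group "Vault Super Admins", the policy "super-admin", and the `cn_from_dn` helper are mine. The point that the LDAP auth method reports group names via its `groupattr` setting (default `cn`), so the alias name must be the CN value and not the group's DN, is from Vault's LDAP auth documentation.

```shell
#!/bin/sh
# Added example, not from the thread: link a Vault Identity external group to an
# LDAP/AD group from the CLI and attach a policy, as the reply above describes.
# Assumptions (all example values): VAULT_ADDR and VAULT_TOKEN point at Vault
# with an admin token, the LDAP auth method is mounted at auth/ldap/, the LDAP
# group is "Vault Super Admins", a policy named "super-admin" already exists,
# and the vault and jq binaries are on PATH.
set -eu

LDAP_MOUNT="${LDAP_MOUNT:-ldap}"
LDAP_GROUP="${LDAP_GROUP:-Vault Super Admins}"
POLICY="${POLICY:-super-admin}"

# The alias name must equal the group name as the LDAP auth method returns it,
# which is the value of its groupattr (default: cn), not the full DN. Given a DN
# such as "CN=Vault Super Admins,OU=Groups,DC=example,DC=com" this returns the
# CN value; it prints nothing if the DN does not start with a CN component.
cn_from_dn() {
  printf '%s\n' "$1" | sed -n 's/^[Cc][Nn]=\([^,]*\).*/\1/p'
}

# Mount accessor of the LDAP auth method. An alias is tied to one mount
# accessor, which is the auth_ldap_xxxxxxxx the GUI shows next to the alias.
ldap_accessor() {
  vault auth list -format=json | jq -r --arg m "$LDAP_MOUNT/" '.[$m].accessor'
}

# Create (or update) the external group with its policy, and print its ID.
create_external_group() {
  vault write identity/group/name/"$LDAP_GROUP" type=external policies="$POLICY" >/dev/null
  vault read -format=json identity/group/name/"$LDAP_GROUP" | jq -r '.data.id'
}

# The group alias is what actually connects the Vault group to the LDAP group:
# $1 is the group ID, $2 the mount accessor.
create_group_alias() {
  vault write identity/group-alias \
    name="$LDAP_GROUP" mount_accessor="$2" canonical_id="$1"
}

main() {
  accessor=$(ldap_accessor)
  if [ -z "$accessor" ] || [ "$accessor" = null ]; then
    echo "no auth method mounted at auth/$LDAP_MOUNT/" >&2
    exit 1
  fi
  gid=$(create_external_group)
  create_group_alias "$gid" "$accessor"
  echo "group $gid aliased to '$LDAP_GROUP' on $accessor"
  # External group membership is resolved when the user logs in, so tokens
  # issued before the alias existed do not pick up the new policy.
  echo "Log in again as an LDAP user (vault login -method=ldap username=<user>), then check:"
  echo "  vault read identity/group/name/\"$LDAP_GROUP\"   # member_entity_ids lists the entity"
  echo "  vault token lookup                                 # identity_policies includes $POLICY"
}

# Only talk to Vault when run with the argument "run", so the helpers can be
# sourced and exercised without a server.
if [ "${1:-}" = run ]; then
  main
fi
```

Run it as `sh link-ldap-group.sh run` with `VAULT_ADDR` and `VAULT_TOKEN` exported. The `auth/ldap/groups/<name>` policy mapping that the video linked later in the thread uses is the other, older system the reply describes; it works on its own, but the reply's advice is to pick one of the two and not mix them.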

Thanks for your in-depth answer. I now have a few more questions regarding groups. Using the Identity way, a user got created as an alias, but their groups didn't, so to have them auto-attach, I have to manually create the groups and link them as aliases?

Yes. The LDAP method does not automatically create groups.

OK, I understand it all now; thanks so much for your help and time. :)

@sbutler I've followed your reply, created a new external group, and added an alias for LDAP with the EXACT same name as it has in AD, then attached the relevant policies.
[screenshot: group]
[screenshot: group alias]
But I'm not sure how the match with my users is going to happen. I've taken a look at my entity ID (which was created after login with AD) and didn't find any groups or anything taken from AD.

[screenshot: user]
[screenshot: entity groups]

What is wrong here? How can the user be matched to the group?

Edit:
According to this video, https://www.youtube.com/watch?v=aGp8pb7KRIo, it seems we can use the group in the LDAP auth method to match policies, and it works pretty well :)