I use the LDAP user auth method. I want to be able to automatically revoke a user when their LDAP object is disabled or locked out.
Are there any projects which already attempt to do this, or am I going to need to build it from the ground up?
Thanks in advance.
I don’t think there is any easy way of locking out an existing user who has already authenticated prior to the account being disabled. You would have to go through every accessor and check it against the user and revoke that token, but if the user had created an orphan token it would not be attached to the auth method anymore.
The easiest way to reduce the period they would have access is to have a very short TTL on the auth. We set ours to a default of 24 hours; I also consulted for a bank that set their TTL to 8 hours, so that limits the amount of time that you’re exposed.
There is actually an easy way to lock out an existing user - but only if you don’t let anyone create orphan tokens. You can set the disabled flag on the identity entity: https://www.vaultproject.io/api-docs/secret/identity/entity#disabled
It still requires external processing, though, to watch LDAP and apply the changes to Vault.
On a partially related note, it turns out that Vault has a completely undocumented feature (as far as I can tell), that when you authenticate with the LDAP auth method, it saves your LDAP password internally. If/when you ever renew that token, it uses the saved password to retry authentication with the LDAP server, and blocks the renewal if authentication fails.
This is not quite what you asked for, as for this to be any use you’d have to reduce your token TTLs to be fairly short and expect people to renew them often - but it seemed worth mentioning, as it’s somewhat adjacent to the problem you’re looking into.
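The external processing mentioned in the thread (watch LDAP, then set the disabled flag on the matching identity entity) could look like the following. This is an added example, not code from any of the posts or from the Vault project. It assumes an Active Directory schema (`userAccountControl`, `lockoutTime`, `sAMAccountName`), that the Vault alias name equals `sAMAccountName`, and that the caller supplies the LDAP mount accessor; `sync`, `vault_call` and the sample entries are hypothetical names and constructed data.

```python
import json, os, urllib.request

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on a disabled AD account

def is_disabled_or_locked(entry):
    """entry: dict of LDAP attributes (Active Directory schema assumed)."""
    uac = int(entry.get("userAccountControl", 0))
    # Any non-zero lockoutTime counts as locked. That is conservative: AD can
    # leave the value set after the lockout duration has expired.
    locked = int(entry.get("lockoutTime", 0)) != 0
    return bool(uac & ACCOUNTDISABLE) or locked

def vault_call(method, path, body=None):
    """Minimal Vault HTTP client using VAULT_ADDR and VAULT_TOKEN."""
    req = urllib.request.Request(
        os.environ["VAULT_ADDR"] + "/v1/" + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"]})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None  # a 204 reply has no body

def sync(entries, mount_accessor, call=vault_call):
    """Make each entity's disabled flag match LDAP; return the changes made."""
    changes = []
    for entry in entries:
        name = entry["sAMAccountName"]  # assumed to equal the Vault alias name
        found = call("POST", "identity/lookup/entity",
                     {"alias_name": name, "alias_mount_accessor": mount_accessor})
        if not found or not found.get("data"):
            continue  # never logged in to Vault, so there is no entity yet
        entity = found["data"]
        want = is_disabled_or_locked(entry)
        if bool(entity.get("disabled")) != want:
            call("POST", "identity/entity/id/" + entity["id"], {"disabled": want})
            changes.append((name, want))
    return changes

# Constructed sample LDAP results; a real run would query the directory instead.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": "512", "lockoutTime": "0"},
    {"sAMAccountName": "bob", "userAccountControl": "514", "lockoutTime": "0"},
    {"sAMAccountName": "carol", "userAccountControl": "512",
     "lockoutTime": "133500000000000000"},
]
```

Because the flag only blocks tokens tied to the entity, orphan tokens are not covered, as noted in the reply above; running `sync` on a schedule bounds the exposure to the polling interval.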