I have successfully enabled LDAP authentication with Vault. We are getting the correct roles based on LDAP group membership. I am trying to get the Kerberos authentication plugin working, but the documentation is quite AD specific and I am in a pure Linux environment using generic MIT Krb5. I have set up many services to use GSSAPI authentication and have no issues with service accounts and keytabs. What is confusing is (1) what Vault service account should be created (vault, vault.service.consul or HTTP/vault.service.consul); (2) we have no Kerberos-specific attributes in our current LDAP schema. All users have entries as uid=USER,ou=people,dc=example,dc=com and all of the Kerberos principals are the same as their uid. This is pretty standard mapping for many of our apps that strip off the REALM and use the principal as the username. Does anyone have a working example of setting up Vault Kerberos auth using MIT KRB5? I have tried many iterations of
vault write auth/kerberos/config/ldap and
vault login -method=kerberos using a valid production account keytab that works for other GSSAPI apps. Any and all help is greatly appreciated.
Here is some info about my setup:
KRB5 REALM = EXAMPLE.COM
Vault server is addressed as vault.service.consul
Principal for the production user is dilbert@EXAMPLE.com
LDAP entries for dilbert are:
# dilbert, people, example.com
dn: uid=dilbert,ou=people,dc=example,dc=com
cn: dilbert
objectClass: top
objectClass: posixAccount
uid: dilbert
gecos: Dil Bert
uidNumber: 2048
homeDirectory: /home/dilbert
gidNumber: 2048
loginShell: /bin/bash
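The setup the question is asking for, written out as an added example (it is not from the original post and not HashiCorp's own code) for MIT Krb5 with the poster's conventions: realm EXAMPLE.COM, Vault reached as vault.service.consul, users under ou=people keyed by uid, and the realm stripped from the principal to get the uid. Assumptions not in the post: the service principal is HTTP/vault.service.consul (the HTTP service class is what SPNEGO over Vault's HTTPS listener uses), the plugin's service_account parameter is given that same SPN because that is the principal name an MIT keytab stores (the AD-oriented docs pass the mapped user name instead, so verify with klist -kt that the name matches what the keytab actually holds), an LDAP bind account cn=vaultbind, a group base ou=groups and a policy named dev are placeholders, and the Vault parameter names (keytab, service_account, url, userdn, userattr, groupdn, groupfilter, groupattr, username, service, realm, keytab_path, krb5conf_path) are those of the Kerberos auth method's config, config/ldap and login endpoints.

```shell
#!/bin/sh
# Added example, not from the original post or from HashiCorp: Vault Kerberos auth
# with MIT Krb5. Assumed (not in the post): SPN HTTP/vault.service.consul, the
# service_account parameter set to that SPN, a placeholder LDAP bind account,
# a placeholder ou=groups base and a placeholder policy named "dev".
set -eu

REALM="EXAMPLE.COM"
VAULT_HOST="vault.service.consul"
KEYTAB="/etc/vault.d/vault.keytab"                 # placeholder path
LDAP_URL="ldap://ldap.example.com"                  # placeholder host
LDAP_BIND_DN="cn=vaultbind,dc=example,dc=com"       # placeholder bind account
LDAP_BIND_PW_FILE="/etc/vault.d/ldap-bind.pw"       # placeholder, mode 0600

# SPNEGO over HTTP: the service principal is HTTP/<vault host>@<REALM>
spn_for() {
  printf 'HTTP/%s@%s\n' "$1" "$REALM"
}

# The realm-stripping rule the poster's other apps use: dilbert@EXAMPLE.COM -> dilbert
principal_to_uid() {
  printf '%s\n' "${1%%@*}"
}

# auth/kerberos/config takes the keytab as a base64 string (one line, no wrapping)
encode_keytab() {
  base64 "$1" | tr -d '\n'
}

# The LDAP search the plugin ends up doing once userattr=uid is configured;
# no Kerberos-specific attributes are needed in the directory for this.
ldap_user_filter() {
  printf '(uid=%s)\n' "$(principal_to_uid "$1")"
}

setup_vault_kerberos() {
  spn=$(spn_for "$VAULT_HOST")

  # 1. KDC side (MIT kadmin): random-key service principal exported to a keytab.
  kadmin.local -q "addprinc -randkey $spn"
  kadmin.local -q "ktadd -k $KEYTAB $spn"
  klist -kt "$KEYTAB"      # confirm the principal name actually stored in the keytab

  # 2. Vault side: enable the method and hand it the keytab.
  #    service_account = the SPN is an assumption; it must match the klist -kt output.
  vault auth enable kerberos
  vault write auth/kerberos/config \
    keytab="$(encode_keytab "$KEYTAB")" \
    service_account="HTTP/$VAULT_HOST"

  # 3. LDAP lookup of the authenticated user: the principal's username part is
  #    matched against uid under ou=people, then groups are resolved as with the
  #    LDAP auth method (this groupfilter is Vault's default LDAP group filter).
  vault write auth/kerberos/config/ldap \
    url="$LDAP_URL" \
    binddn="$LDAP_BIND_DN" \
    bindpass="$(cat "$LDAP_BIND_PW_FILE")" \
    userdn="ou=people,dc=example,dc=com" \
    userattr="uid" \
    groupdn="ou=groups,dc=example,dc=com" \
    groupfilter='(|(memberUid={{.Username}})(member={{.UserDN}}))' \
    groupattr="cn"

  # 4. Map an LDAP group to Vault policies (placeholder group and policy names).
  vault write auth/kerberos/groups/developers policies="dev"
}

# Client side: keytab-based login for a user principal, e.g. dilbert@EXAMPLE.COM,
# without an interactive kinit. $1 = principal, $2 = path to the user's keytab.
login_with_keytab() {
  user=$(principal_to_uid "$1")
  vault login -method=kerberos \
    username="$user" \
    service="HTTP/$VAULT_HOST" \
    realm="$REALM" \
    keytab_path="$2" \
    krb5conf_path=/etc/krb5.conf
}

# Only touch the KDC/Vault when explicitly asked; otherwise just define helpers.
case "${1:-}" in
  setup) setup_vault_kerberos ;;
  login) login_with_keytab "$2" "$3" ;;
esac
```

Run as `sh vault-krb5.sh setup` on a host with kadmin.local and a logged-in Vault CLI, then `sh vault-krb5.sh login dilbert@EXAMPLE.COM /path/to/dilbert.keytab` from a client that has /etc/krb5.conf for EXAMPLE.COM. Two checks are worth doing before blaming the plugin: `klist -kt` on the Vault keytab must show exactly the name given as service_account, and an `ldapsearch` with the bind account and the filter `(uid=dilbert)` under ou=people must return the entry, because that is the lookup the config/ldap settings translate into.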