I’ve set up LDAP auth using FreeIPA as the source, with the following dumped from vault read auth/ldap/config:
Key Value
--- -----
anonymous_group_search false
binddn uid=vault_readonly,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com
case_sensitive_names false
certificate -----BEGIN CERTIFICATE-----<snip>-----END CERTIFICATE-----
deny_null_bind true
discoverdn false
groupattr cn
groupdn cn=groups,cn=accounts,dc=my,dc=domain,dc=com
groupfilter (&(uid={{.Username}})(objectClass=person))
insecure_tls false
starttls false
tls_max_version tls12
tls_min_version tls12
token_bound_cidrs []
token_explicit_max_ttl 0s
token_max_ttl 0s
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies []
token_ttl 0s
token_type default
upndomain n/a
url ldaps://ipa.my.domain.com
use_pre111_group_cn_behavior false
use_token_groups false
userattr uid
userdn cn=users,cn=accounts,dc=my,dc=domain,dc=com
When I try to login with vault login -method=ldap username=myuser I get the following message:
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
WARNING! The following warnings were returned from Vault:
* no LDAP groups found in groupDN
'cn=groups,cn=accounts,dc=my,dc=domain,dc=com'; only policies from
locally-defined groups available