Openldap group filter

Hi!

I have openldap with memberOf

I have some groups (groupOfNames)

ou=groups,dc=org,dc=local
test
wifi
lan
vault

and some users

ou=people,dc=org,dc=local
johndoe

User “johndoe” member of “vault” group

I want to restrict login to hashicorp vault only from “vault” group

vault write auth/ldap/config \
    url="ldap://ldap.some.org.ru" \
    binddn="cn=admin,dc=org,dc=local" \
    bindpass="password" \
    userattr="uid" \
    groupdn="ou=groups,dc=org,dc=local" \
    groupfilter="(&(objectClass=groupOfNames)(cn=vault,ou=groups,dc=org,dc=local))" \
    groupattr="memberOf" \

But it’s don’t work

Can anyone help me with right filter?

Here is what I have used (from the terraform resource)
url = “ldap://:389”
deny_null_bind = true
userattr = “samaccountName”
upndomain = “”
discoverdn = false
binddn = “CN=vault_svc,”
userdn = “OU=<user directory, full DN>”
bindpass = “<vault_svc password>”
groupfilter = “(&(objectClass=person)(sAMAccountName={{.Username}}))”
groupattr = “memberOf”
groupdn = “OU=”

after this was linked I created a LDAP auth backend group (that was what the groupdn searches under I believe.
I set the Ldap groupname and then assigned policies. That allowed the LDAP group token whatever policies you wish.

Does that help?

Hi! Thank you for the answer, but your filter don’t help with restrict able to login users to vault from different groups

I found same problem on https://stackoverflow.com/questions/58017376/how-to-configure-hashicorp-vault-v1-2-3-to-restrict-login-based-on-membership-in/62261486#62261486

Why developers vault can’t help?)

Hi inkdude,

I think I found the solution, I added the userfilter in the auth/ldap/config and configured it like this :
userfilter=“(&(objectClass=user)({{.UserAttr}}={{.Username}})(memberOf=cn=MySelectedGroup,cn=Users,dc=test,dc=com))”

So change the “memberOf=” at the end so that it matches your ldap group.

Have a nice day