Question about secret engine AD

Hi community

Using Vault server 1.13.2.

How can I force a logout from Remote Desktop using the AD secrets engine after the credential secrets are revoked?

In the case of the MSSQL and MySQL secrets engines, I kill the session using revocation_statements.

For the Active Directory secrets engine, does something similar exist to send a PowerShell command to force a logout?

You can’t.

The AD secrets engine just provides access to an AD password.

What a user connects to using that password is totally outside of the secrets engine’s control.

The AD secrets engine is also deprecated, and will be removed from Vault in a future version - it has been replaced by an LDAP secrets engine that is capable of interacting with multiple brands of LDAP server.

Hi @maxb

Thanks for the reply.

I tested using the same data for the AD and LDAP secrets engines. With AD it works fine,
but with LDAP I can't write the library. Any idea what it could be?

using AD

vault secrets enable ad
Success! Data written

vault write ad/config binddn='CN=vaultuser,OU=Users,DC=domain,DC=local' bindpass='mypassword' \
  url=ldaps://dc1.domain.local:636 userdn='dc=domain,dc=local' insecure_tls=true

Success! Data written

vault write ad/library/team1 service_account_names="adminslot1@domain.local,adminslot2@domain.local" ttl=30 max_ttl=60
Success! Data written

Using LDAP

vault secrets enable ldap
Success! Data written

vault write ldap/config binddn='CN=vaultuser,OU=Users,DC=domain,DC=local' bindpass='mypassword' \
  url=ldaps://dc1.domain.local:636 userdn='dc=domain,dc=local' insecure_tls=true schema=ad

Success! Data written

vault write ldap/library/team1 service_account_names="adminslot1@domain.local,adminslot2@domain.local" ttl=30 max_ttl=60

Error writing data to ldap/library/team1 : Error making API request.

URL: PUT https://vault.domain.local/v1/ldap/library/team1
Code: 500. Errors:

1 error occurred:
expected one matching entry, but received 0

No idea, sorry - I no longer work at a company that uses AD.
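One way to narrow down the "expected one matching entry, but received 0" error above is to repeat, outside Vault, the directory search that the LDAP secrets engine performs when it creates a library. This is an added diagnostic script, not code from the thread or from HashiCorp. It assumes (from the LDAP secrets engine documentation, not stated in the thread) that the engine looks up each entry of service_account_names under userdn with a filter of the form (userattr=name), that the documented default for userattr is cn, and that the OpenLDAP ldapsearch client is installed. The bind parameters are copied from the ldap/config command in the thread; the domain, DN and password are the thread's placeholders.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): reproduce the user search the Vault
# LDAP secrets engine performs for ldap/library/* service accounts, so you can
# see which attribute matches each service_account_names entry exactly once.
#
# Assumptions (not stated in the thread):
#  - The engine searches <userdn> for (<userattr>=<name>); the documented
#    default for userattr is "cn".
#  - ldapsearch (OpenLDAP client tools) is available.
#  - The bind settings below mirror the ldap/config values from the thread.

LDAP_URL="${LDAP_URL:-ldaps://dc1.domain.local:636}"
BIND_DN="${BIND_DN:-CN=vaultuser,OU=Users,DC=domain,DC=local}"
BIND_PW="${BIND_PW:-mypassword}"
USER_DN="${USER_DN:-dc=domain,dc=local}"

# Build the filter the engine would use for one service account name.
# $1 = attribute name (userattr), $2 = account name
build_filter() {
  printf '(%s=%s)' "$1" "$2"
}

# Derive the sAMAccountName-style short name from a UPN-style name
# (everything before '@'); names without '@' are returned unchanged.
sam_from_upn() {
  printf '%s' "${1%%@*}"
}

# Count entries matching a filter under USER_DN. -LLL strips comments and
# version lines so each returned entry contributes exactly one 'dn:' line.
# $1 = LDAP filter
count_entries() {
  # The thread set insecure_tls=true on the Vault side; LDAPTLS_REQCERT=never
  # is the ldapsearch equivalent. Both skip certificate verification of the
  # DC, so drop them once the DC certificate chain is trusted.
  LDAPTLS_REQCERT=never ldapsearch -LLL -o ldif-wrap=no \
    -H "$LDAP_URL" -D "$BIND_DN" -w "$BIND_PW" \
    -b "$USER_DN" -s sub "$1" dn 2>/dev/null | grep -c '^dn:'
}

# Vault wants exactly one entry per name. Try the documented default
# attribute (cn) and the two AD attributes a UPN-style or short name
# usually lives in, and report how many entries each filter returns.
# $1 = service account name
check_account() {
  name="$1"
  for attr in cn userPrincipalName sAMAccountName; do
    filter=$(build_filter "$attr" "$name")
    n=$(count_entries "$filter")
    printf '%-18s %-45s matches=%s\n' "$attr" "$filter" "${n:-0}"
  done
}

# Only run the live search when ldapsearch is installed; the helpers above
# can still be sourced and used without it.
if command -v ldapsearch >/dev/null 2>&1; then
  for acct in adminslot1@domain.local adminslot2@domain.local; do
    echo "== $acct (as given to service_account_names)"
    check_account "$acct"
    short=$(sam_from_upn "$acct")
    if [ "$short" != "$acct" ]; then
      echo "== $short (short form)"
      check_account "$short"
    fi
  done
fi
```

Read the output for each account: whichever attribute/name combination reports matches=1 is what ldap/config needs. If cn returns 0 for adminslot1@domain.local but userPrincipalName returns 1, the fix is to tell the engine which attribute to search on, for example by adding userattr=userPrincipalName to the ldap/config write (userattr is a documented ldap/config parameter). If the short name matches only on sAMAccountName, set userattr=sAMAccountName and list the short names in service_account_names instead. A result of 0 for every filter points at the bind account's read permissions or at userdn rather than at the attribute.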