Hi community,
I am using Vault server 1.13.2.
How can I force a logout from a remote desktop using the AD secrets engine after the credential secrets are revoked?
For the mssql and mysql secrets engines I kill the session using revocation_statements.
Does something similar exist for the Active Directory secrets engine, e.g. to send some PowerShell command to force a logout?
maxb
May 29, 2023, 3:14pm
You can’t.
The AD secrets engine just provides access to an AD password.
What a user connects to using that password is totally outside of the secrets engine’s control.
The AD secrets engine is also deprecated, and will be removed from Vault in a future version - it has been replaced by an LDAP secrets engine that is capable of interacting with multiple brands of LDAP server.
Hi @maxb,
thanks for the reply.
I tested using the same data for the AD and LDAP secrets engines; AD works fine,
but in LDAP I can't write the library. Any idea what it could be?
Using AD
vault secrets enable ad
Success! Data written
vault write ad/config binddn='CN=vaultuser,OU=Users,DC=domain,DC=local' bindpass='mypassword' \
url=ldaps://dc1.domain.local:636 userdn='dc=domain,dc=local' insecure_tls=true
Success! Data written
vault write ad/library/team1 service_account_names="adminslot1@domain.local,adminslot2@domain.local" ttl=30 max_ttl=60
Success! Data written
Using LDAP
vault secrets enable ldap
Success! Data written
vault write ldap/config binddn='CN=vaultuser,OU=Users,DC=domain,DC=local' bindpass='mypassword' \
url=ldaps://dc1.domain.local:636 userdn='dc=domain,dc=local' insecure_tls=true schema=ad
Success! Data written
vault write ldap/library/team1 service_account_names="adminslot1@domain.local,adminslot2@domain.local" ttl=30 max_ttl=60
Error writing data to ldap/library/team1 : Error making API request.
URL: PUT https://vault.domain.local/v1/ldap/library/team1
Code: 500. Errors:
1 error occurred:
expected one matching entry, but received 0
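The "expected one matching entry, but received 0" error comes from the engine's lookup of each name in service_account_names in the directory. The following diagnostic script is an added example, not part of this thread or of Vault itself: it reproduces that lookup with ldapsearch so the count can be checked before writing the library. It assumes the engine does a subtree search under userdn for `<attribute>=<name>` (the `userattr` config parameter of the LDAP secrets engine selects that attribute); the LDAP URL, bind DN and base DN are taken from the commands above and are placeholders for your own directory.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): check that a service account name
# resolves to exactly one directory entry, which is what the LDAP secrets
# engine's library write requires. Values below are assumptions copied from
# the thread's vault commands; adjust them for your directory.
LDAP_URL="ldaps://dc1.domain.local:636"
BIND_DN="CN=vaultuser,OU=Users,DC=domain,DC=local"
BASE_DN="dc=domain,dc=local"

# Count the "dn:" lines in LDIF output, i.e. the number of entries returned.
# "|| true" keeps the function's exit status 0 even when the count is 0
# (grep -c exits 1 in that case).
count_entries() {
    printf '%s\n' "$1" | grep -c '^dn:' || true
}

# Map an entry count to a verdict and exit status:
#   0 = exactly one entry (library write will accept the name)
#   1 = no entry (the "received 0" case from the thread)
#   2 = more than one entry (ambiguous, also rejected)
classify_count() {
    case "$1" in
        1) echo "ok: exactly one entry matched"; return 0 ;;
        0) echo "none: no entry matched (this is the 'received 0' case)"; return 1 ;;
        *) echo "ambiguous: $1 entries matched"; return 2 ;;
    esac
}

# Run the same kind of search the engine is assumed to perform:
# subtree search under BASE_DN for (ATTR=NAME), returning only the DN.
# Requires the OpenLDAP client tools; -W prompts for the bind password.
# With insecure_tls=true in Vault, the equivalent here is
# LDAPTLS_REQCERT=never in the environment.
check_service_account() {
    attr="$1"
    name="$2"
    ldif=$(ldapsearch -LLL -H "$LDAP_URL" -D "$BIND_DN" -W -b "$BASE_DN" "($attr=$name)" dn)
    n=$(count_entries "$ldif")
    classify_count "$n"
}

# Usage: sh check_sa.sh userPrincipalName adminslot1@domain.local
#        sh check_sa.sh cn adminslot1
if [ "$#" -eq 2 ]; then
    check_service_account "$1" "$2"
fi
```

Run it once with the attribute the engine is configured to use and the exact string placed in service_account_names; if the verdict is "none", either the attribute or the name format (UPN versus plain CN) does not match what is in the directory, and the library write will fail the same way.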
maxb
May 30, 2023, 11:28am
No idea, sorry - I no longer work at a company that uses AD.