Securing LDAP token login over SSL (LDAPS)

Hey everyone,
I’m looking for a way to secure LDAP login over SSL (LDAPS) for the Vault application. Standard login via LDAP token is up and running, but I’m not sure what kind of certificate I need and mostly how to even recognize whether it is working or not.

The current setup is that the Vault application is running on Ubuntu 20.04.6 and LDAP is running on Windows Server 2022 (this server is both DC and CA; I know about the security risks, but it is a small and isolated environment).
In the Vault GUI there is an “LDAP Options” section where I can upload certificates, but I’m not sure what the certificate should look like.
“Certificate” is the CA certificate, so that is the one I can basically just take from the CA server (for example from certlm.msc or web enrollment) and upload. And now, do I also need a “client certificate” and “client key”? If yes, how can I enroll them? Is there a way to generate a CSR from the Vault, or can I just create a new certificate directly on the CA, put CN=vaultserver FQDN there and export it? And do I need to split it between certificate and client key, where the client key would be the private key without a password? And lastly, how do I know it is working? Because with the current setup I’m able to upload any certificate, the GUI just says OK but that’s all; nowhere can I see any difference.

Thank you very much for any input and apologies for the noob question, both Vault and CA are new for me.

“LDAP token” ? Did you use the wrong word there?

Just an FYI, that’s already over halfway through its standard support period.

This may not be needed at all, as if your internal CA has been added to the default system-wide trusted CAs on your Ubuntu hosts, that is enough.

All of this is only for TLS with client authentication via certificate. If you don’t know you want this already, then you probably don’t want it.

You try to log in to Vault using LDAP credentials, and see whether it works or not. If it doesn’t work, you consult the error messages and Vault server logging.

It is difficult - how to configure TLS successfully is often treated as assumed knowledge, and various product documentation tends to only give you the relevant fields to fill in, assuming you already know the context behind the overall operation of TLS.

Hi, thank you very much for your input. Yes, apologies, the naming should have been only “LDAP” without token.
So if I understand it correctly, it does not matter whether I add my internal CA certificate to the default system-wide trusted CAs directly on Ubuntu or upload the same certificate into Vault - Configure LDAP - Certificate? Both should do the job? No other certificate is needed?
About the client certificate - ok, let’s skip this one.
I just need to log into the Vault app via Active Directory credentials, which is currently working (if I choose LDAP during sign in to Vault), but I wasn’t sure whether after uploading the certificate it is now secured communication (LDAPS) or not.
To turn on LDAPS you have to update the URL scheme from ldap:// to ldaps://.
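As an added example (not code from this thread or from Vault’s own docs), the answer above turned into a POSIX shell check: it verifies the DC’s LDAPS listener against the exported CA with openssl before switching the Vault LDAP mount to ldaps://. The DC name, CA path, userdn and username are assumed placeholder values.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from Vault.
# Assumed (constructed) values: the DC hostname and the path of the CA cert exported
# from the Windows CA as "Base-64 encoded X.509" (Vault expects PEM, not DER).
DC_HOST="${DC_HOST:-dc01.example.local}"                 # must match a SAN on the DC's cert
CA_FILE="${CA_FILE:-/usr/local/share/ca-certificates/internal-ca.pem}"

# 0 if the Vault LDAP URL already uses ldaps://, 1 otherwise. With ldap:// the
# uploaded CA certificate is never used, because no TLS handshake takes place.
ldap_url_is_tls() {
  case "$1" in
    ldaps://*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Rewrite ldap://host[:port][/...] into ldaps://host:636 (hostnames only, no IPv6
# literals; use the DC's FQDN so hostname verification against the cert can pass).
to_ldaps_url() {
  rest="${1#ldap://}"
  rest="${rest#ldaps://}"
  host="${rest%%/*}"   # drop any path
  host="${host%%:*}"   # drop an explicit port such as :389 or :3268
  printf 'ldaps://%s:636\n' "$host"
}

# Independent check that the DC serves TLS on 636 and that its chain validates
# against CA_FILE: the "how do I know it works" step, done without Vault at all.
probe_ldaps() {
  openssl s_client -connect "$DC_HOST:636" -servername "$DC_HOST" -CAfile "$CA_FILE" \
    </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Point the LDAP auth method at the DC over LDAPS with the CA pinned and strict
# verification, then read the config back to confirm the scheme now in effect.
# userdn/userattr are placeholders; keep whatever already works on your mount.
configure_vault_ldap() {
  vault write auth/ldap/config \
    url="$(to_ldaps_url "ldap://$DC_HOST")" \
    certificate=@"$CA_FILE" \
    insecure_tls=false \
    userdn="DC=example,DC=local" userattr="sAMAccountName"
  vault read -field=url auth/ldap/config
}

# Uncomment to run the live steps against your environment:
# probe_ldaps && configure_vault_ldap && vault login -method=ldap username=alice
```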

Wow, this was easier than I thought it was going to be :slight_smile: Thank you very much for this, looks like it’s working flawlessly!