Requesting some help with LDAP authentication


mlap...@newrelic.com

Oct 24, 2016, 4:13:25 PM
to Vault
Hello fellow Vault users. I'm working on getting our staging Vault cluster set up to use LDAP authentication. We're running OpenLDAP with TLS enabled. I'm using a system read-only account within LDAP to bind to LDAP and perform checks. The LDAP configuration I've got looks like the following:

url="ldaps://<LDAP URL>" \
binddn="<system account user>" \
bindpass='<password>' \
userdn="ou=People,dc=<domain>,dc=<tld>" \
userattr=cn \
groupdn="cn=vault_users,ou=Groups,dc=<domain>,dc=<tld>" \
groupfilter="(&(objectClass=inetOrgPerson)(cn={{.Username}}))" \
groupattr="cn" \
certificate=<ca-bundle-file> \
insecure_tls=false

Within LDAP we have a structure that looks like:

<FQDN of Domain>:
- OU of People (contains a list of all users in LDAP)
-- CN of user object is what is being used to authenticate
- OU of Groups (all the various groups)
-- CN of vault_users (group that signifies the ability to access Vault and mapped to a policy)

Several user objects are members of the vault_users group, myself included.

When I attempt to log into Vault using LDAP credentials, I receive an error 32 - object not found. It appears to be binding correctly to LDAP (e.g. not an incorrect port as specified in a previous post) because when I change the bindpass to gibberish, I get an error 49 - incorrect credentials.

I suspect that the error lies in the group filter / group attr setup, but I'm not sure how to troubleshoot this. Using Apache Directory Studio, I can validate all the userdn / groupdn config is correct. The Vault logs don't offer much help. 

The configuration I'm hoping to achieve is to log in with a username/password, which belongs to a user in LDAP, and only allow access if they belong to the vault_users group. Does the config I listed above match my goal?

Thanks,
Matthew

mlap...@newrelic.com

Oct 25, 2016, 3:12:24 PM
to Vault

A little further info. I updated the ldap config to *not* specify a groupfilter, thereby using the default. I take the rendered query from the vault debug logs and run that on the groupdn using Apache Directory Studio. The LDAP group I'm trying to use to control access to Vault is returned from the search. According to the doc, if the GroupFilter returns a group (which it does), use the cn attribute (which I am).

So the correct group is returned from the filter and I have that group mapped to the root policy (overprivileged I know, but this is a test instance and the only policy that exists). However, when logging in using LDAP I still receive the error "Code 32 No Such Object".

I also tried manually adding my user to the group under auth/ldap/groups/vault_users, but this leads to the same result. 

Running short on ideas of how to fix this. Any suggestions?

Thanks,
Matthew

David Adams

Oct 25, 2016, 3:25:30 PM
to vault...@googlegroups.com
Not sure if this is it, but the groupdn is supposed to be the dn of the search base for group names, not the group dn itself. So I think you probably want `groupdn=ou=Groups,dc=<domain>,dc=<tld>`.

I'm not sure what you mean by "adding my user to the group under auth/ldap/groups/vault_users". The only thing you configure under auth/ldap/groups/<group-name> are the policies to map to <group-name>. If you do want to grant further groups to a user (or establish groups that aren't in the LDAP server) you write those to the auth/ldap/users/<username> path:

    vault write auth/ldap/users/myuser groups=vault_users,othergroup

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/d0135371-d49a-41d5-a651-165f24a8d180%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.
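The troubleshooting step Matthew describes (take the rendered groupfilter from the debug logs and run it against the group search base) and the groupdn/groupattr semantics David spells out can be reproduced outside Vault. The following is an added example, not code from the thread or from Vault itself. It renders a Vault-style groupfilter template with Go's text/template, escapes the substituted values per RFC 4515 so a crafted username cannot rewrite the filter (Vault's backend escapes too; this is a stand-alone re-implementation, not its code), builds the equivalent ldapsearch command for the same bind DN and search base, and models how a groupattr value becomes a group name (a DN such as a memberOf value contributes its first RDN, a plain cn is used as-is). The domain, bind DN and usernames are constructed placeholders; DefaultGroupFilter is Vault's documented default for the LDAP auth backend.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// DefaultGroupFilter is Vault's documented default groupfilter: it matches
// group entries that list the user (by uid or by DN) as a member.
const DefaultGroupFilter = "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"

// filterData is the data the groupfilter template is rendered against.
type filterData struct {
	Username string
	UserDN   string
}

// EscapeFilterValue escapes the characters RFC 4515 reserves inside an
// assertion value, so a username such as `*)(cn=*` cannot alter the filter.
func EscapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '*', '(', ')', '\\', 0x00:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// RenderGroupFilter renders a Vault-style groupfilter template for one user,
// escaping both {{.Username}} and {{.UserDN}} before substitution.
func RenderGroupFilter(tmpl, username, userDN string) (string, error) {
	t, err := template.New("groupfilter").Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("bad groupfilter template: %w", err)
	}
	data := filterData{Username: EscapeFilterValue(username), UserDN: EscapeFilterValue(userDN)}
	var out bytes.Buffer
	if err := t.Execute(&out, data); err != nil {
		return "", err
	}
	return out.String(), nil
}

// LdapsearchCommand builds the ldapsearch invocation that reproduces the
// group lookup: a subtree search under groupdn (the search base, not the
// group's own DN) with the rendered filter, returning only groupattr.
func LdapsearchCommand(url, binddn, groupdn, filter, groupattr string) string {
	return fmt.Sprintf("ldapsearch -H %q -D %q -W -b %q -s sub %q %s",
		url, binddn, groupdn, filter, groupattr)
}

// GroupNames is a simplified model (not Vault's code) of how groupattr values
// become group names: a DN-shaped value (e.g. from memberOf) contributes the
// value of its first RDN, a plain value (e.g. from cn) is used unchanged.
func GroupNames(values []string) []string {
	var names []string
	for _, v := range values {
		if i := strings.Index(v, "="); i > 0 && !strings.ContainsAny(v[:i], " ,") {
			rdn := strings.SplitN(v, ",", 2)[0]
			v = rdn[strings.Index(rdn, "=")+1:]
		}
		names = append(names, v)
	}
	return names
}

func main() {
	// Constructed example values; none of these come from the thread.
	userDN := "cn=matthew,ou=People,dc=example,dc=com"
	filter, err := RenderGroupFilter(DefaultGroupFilter, "matthew", userDN)
	if err != nil {
		panic(err)
	}
	fmt.Println(LdapsearchCommand("ldaps://ldap.example.com",
		"cn=vault-bind,ou=People,dc=example,dc=com",
		"ou=Groups,dc=example,dc=com", filter, "cn"))
	fmt.Println(GroupNames([]string{"vault_users", "cn=admins,ou=Groups,dc=example,dc=com"}))
}
```

Compare the printed filter with the one in Vault's debug log before running the ldapsearch: if they differ, the template or the userdn/userattr lookup is the problem; if they match and the search returns the group but Vault still fails, the problem is elsewhere (the bind, the server the URL resolves to, or the directory contents on that particular node).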

mlap...@newrelic.com

Oct 25, 2016, 3:44:03 PM
to Vault
Hi David,

You're correct, I mis-read the docs on the groupdn. I updated the config to use the correct search base, alas the result is the same "Code 32 No Such Object". 

When I mentioned adding the user manually to the group, it was exactly as you suggested, writing that to the auth/ldap/user/<username> group=<groups>.

Thanks for the tip re groupdn!

mlap...@newrelic.com

Nov 3, 2016, 3:00:23 PM
to Vault
This appeared to be caused by a replication issue between master & slave nodes of our LDAP setup. Pointing to a different node addressed the issue.

Thanks,
Matthew