LDAP/AD group authorisation issues


Darren Jackson

Apr 28, 2016, 6:34:31 AM
to Vault
Hello,

Hopefully someone can help me here.

I have setup vault to authenticate via LDAP/AD and was hoping to use groups to then control users access to policies.

In AD I have a Vault.authentication.group that acts as the authentication group into the vault server, and this then has additional groups added into it, Group.policy.1 and Group.policy.2 for example.

First I created a policy, then I added an AD group and associated this policy with it;
vault write auth/ldap/groups/Group.policy.1 policies=policy1

I was now expecting that anyone in the Group.policy.1 group should be able to authenticate into the vault server, but this is not the behavior I am seeing.

I get the following error at this stage:
* user is not member of any authorized group

In order for a user in the Group.policy.1 group to authenticate I have to also associate the user with the group inside vault like so;
vault write auth/ldap/users/userA groups=Group.policy.1

Only then will the user be able to login, the correct policy is associated with the user at this stage.

This adds a massive administration overhead and I cannot believe this is the correct way it should work?

I assumed you should be able to setup vault once and then use AD groups to control user access rather than having to run commands on the vault server itself each time users are added or removed from AD groups.

My question is, is the behavior I am seeing expected?

And if not, how should I be able to get this to work?

Here is my current LDAP config on vault:

vault write auth/ldap/config \
    url="ldaps://my.ldap.server.com:636" \
    userattr=cn \
    groupattr=cn \
    upndomain="my.ldap.server.com" \
    userdn="ou=People,dc=my,dc=ldap,dc=server,dc=com" \
    groupdn="cn=Vault.authentication.group,ou=Groups,dc=my,dc=ldap,dc=server,dc=com" \
    binddn=admin_user \
    bindpass=somepassword \
    insecure_tls=false \
    starttls=true

I also checked the user in AD and given the result I would have expected the above config to work;
dn: CN=user1,OU=People,DC=my,DC=ldap,DC=server,DC=com

I've tried setting the userattr in the auth/ldap/config to 'sAMAccountName' as suggested in other posts I've found and had no luck.

I am a bit lost for ideas now so any help would be great!

Thanks,
Darren


Jeff Mitchell

Apr 28, 2016, 8:08:29 AM
to vault...@googlegroups.com
Hi Darren,

Sorry you're having trouble with this.

You said:

"In AD I have a Vault.authentication.group that acts as the
authentication group into the vault server, and this then has
additional groups added into it, Group.policy.1 and Group.policy.2 for
example."

To me this sounds like you have a group at that DN that you have added
other groups to, but this parameter is not meant to be the DN of a
group itself, but rather the root of a subtree search. The code does
an LDAP search looking for groups rooted at that DN that the user is a
member of (using, currently, memberUid=username, member=userdn, or
uniqueMember=userdn).

I would also suggest checking out the code in
https://github.com/hashicorp/vault/pull/1245 which adds support for
using the memberOf attribute on the user record to find groups in
addition to the subtree search. This is a pretty common thing in AD,
so it may automatically fix your problem without you needing to modify
anything else, and if it does, it'd be a good data point to know.

Best,
Jeff
> --
> This mailing list is governed under the HashiCorp Community Guidelines -
> https://www.hashicorp.com/community-guidelines.html. Behavior in violation
> of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/vault/issues
> IRC: #vault-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups
> "Vault" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to vault-tool+...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/vault-tool/2c450e17-993e-4f5e-b818-545b9b799024%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Darren Jackson

Apr 28, 2016, 8:56:50 AM
to Vault
Thanks for the quick reply Jeff I will try what you have suggested and report back.

Before I do this however is there a command to see exactly what ldap groups and users are configured already?

I did not build this vault server originally and I would like to see what groups and users are currently setup for access.

I've tried all sorts of combinations to return this data but nothing I try seems to work.

For example none of the following work:
vault read auth/ldap/groups
vault list auth/ldap/groups
vault read auth/ldap/groups/
vault list auth/ldap/groups/

Thanks,
Darren

Jeff Mitchell

Apr 28, 2016, 10:13:01 AM
to vault...@googlegroups.com
Hi Darren,

The LDAP backend doesn't currently support listing.

--Jeff

Darren Jackson

Apr 29, 2016, 10:58:25 AM
to Vault
Hi Jeff,

I did some testing given your suggestions and here are my results;

1. Remove Vault.authentication.group from the beginning of the groupdn:
vault write auth/ldap/config \
    url="ldaps://my.ldap.server.com:636" \
    userattr=cn \
    groupattr=cn \
    upndomain="my.ldap.server.com" \
    userdn="ou=People,dc=my,dc=ldap,dc=server,dc=com" \
    groupdn="ou=Groups,dc=my,dc=ldap,dc=server,dc=com" \
    binddn=admin_user \
    bindpass=somepassword \
    insecure_tls=false \
    starttls=true
Result: Error "* user is not member of any authorized group"

2. Remove Vault.authentication.group from the beginning of the groupdn and set userattr to uid:
vault write auth/ldap/config \
    url="ldaps://my.ldap.server.com:636" \
    userattr=uid \
    groupattr=cn \
    upndomain="my.ldap.server.com" \
    userdn="ou=People,dc=my,dc=ldap,dc=server,dc=com" \
    groupdn="ou=Groups,dc=my,dc=ldap,dc=server,dc=com" \
    binddn=admin_user \
    bindpass=somepassword \
    insecure_tls=false \
    starttls=true
Result: ERROR: "* LDAP search for binddn 0 or not uniq"

3. Remove Vault.authentication.group and Groups from groupdn:
vault write auth/ldap/config \
    url="ldaps://my.ldap.server.com:636" \
    userattr=cn \
    groupattr=cn \
    upndomain="my.ldap.server.com" \
    userdn="ou=People,dc=my,dc=ldap,dc=server,dc=com" \
    groupdn="dc=my,dc=ldap,dc=server,dc=com" \
    binddn=admin_user \
    bindpass=somepassword \
    insecure_tls=false \
    starttls=true
Result: ERROR "* LDAP search for binddn 0 or not uniq"

4. Remove Vault.authentication.group from the beginning of the groupdn and set userattr to memberOf:
vault write auth/ldap/config \
    url="ldaps://my.ldap.server.com:636" \
    userattr=memberOf \
    groupattr=cn \
    upndomain="my.ldap.server.com" \
    userdn="ou=People,dc=my,dc=ldap,dc=server,dc=com" \
    groupdn="ou=Groups,dc=my,dc=ldap,dc=server,dc=com" \
    binddn=admin_user \
    bindpass=somepassword \
    insecure_tls=false \
    starttls=true
Result: ERROR "* LDAP search for binddn 0 or not uniq"

5. Remove Vault.authentication.group from the beginning of the groupdn and set userattr to sAMAccountName:
vault write auth/ldap/config \
    url="ldaps://my.ldap.server.com:636" \
    userattr=sAMAccountName \
    groupattr=cn \
    upndomain="my.ldap.server.com" \
    userdn="ou=People,dc=my,dc=ldap,dc=server,dc=com" \
    groupdn="ou=Groups,dc=my,dc=ldap,dc=server,dc=com" \
    binddn=admin_user \
    bindpass=somepassword \
    insecure_tls=false \
    starttls=true
Result: ERROR "* user is not member of any authorized group"

Sadly no luck.

Admittedly I might have missed your point, but I am not sure what else I can try at the moment.

Thanks,
Darren

Jeff Mitchell

Apr 29, 2016, 1:46:27 PM
to vault...@googlegroups.com
Hi Darren,

My comments about the user attribute were just to let you know the
attributes that the code looks for *within a group*. But first Vault
needs to find your groups.

First, that means figuring out the correct groupDN so that the search
finds Group.policy.1. I'd try using ldapsearch to figure out what the
structure of things looks like and what the values should be, as it's
easier to iterate on. Also, you should be able to see the attributes
for your user once you log in -- it'd be good to know if the groups
you want show up as memberOf attributes since that means building with
the code in that PR will Just Work.

Best,
Jeff

Oren Shomron

May 4, 2016, 4:48:42 PM
to Vault
Hi everyone,

I just thought I'd note that when I tested AD integration I confirmed that vault *does not* handle nested group membership correctly on AD.
From what I saw in the code, this would require changing builtin/credential/ldap/backend.go to use a query closer to (member:1.2.840.113556.1.4.1941:=<userDnGoesHere>). I was planning on submitting a patch with this change, but if I don't get to it first, here you go.

  - Oren
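As an added illustration of the nested-group behaviour described in the post above (this is example code written for this page, not code from the thread, from Vault, or from Active Directory), the following Go program models a handful of AD group objects in memory and resolves membership two ways: the way a plain `(member=<userDN>)` subtree search does, and the way the `member:1.2.840.113556.1.4.1941:=` matching rule (LDAP_MATCHING_RULE_IN_CHAIN) does. The group layout is constructed sample data mirroring the original question: user1 sits directly in Group.policy.1, which is itself nested inside Vault.authentication.group.

```go
package main

import "fmt"

// Group is a minimal model of an AD group object: Members holds the DNs in
// its "member" attribute, which may be users or other groups (nesting).
type Group struct {
	DN      string
	Members []string
}

// UserDN and SampleGroups are constructed sample data, not a real directory:
// user1 is a direct member of Group.policy.1, which is itself nested inside
// Vault.authentication.group.
const UserDN = "CN=user1,OU=People,DC=my,DC=ldap,DC=server,DC=com"

var SampleGroups = []Group{
	{DN: "CN=Group.policy.1,OU=Groups,DC=my,DC=ldap,DC=server,DC=com",
		Members: []string{UserDN}},
	{DN: "CN=Group.policy.2,OU=Groups,DC=my,DC=ldap,DC=server,DC=com",
		Members: []string{"CN=user2,OU=People,DC=my,DC=ldap,DC=server,DC=com"}},
	{DN: "CN=Vault.authentication.group,OU=Groups,DC=my,DC=ldap,DC=server,DC=com",
		Members: []string{
			"CN=Group.policy.1,OU=Groups,DC=my,DC=ldap,DC=server,DC=com",
			"CN=Group.policy.2,OU=Groups,DC=my,DC=ldap,DC=server,DC=com",
		}},
}

// DirectGroups models a plain "(member=<userDN>)" search: only groups whose
// member attribute literally lists the user's DN match. Nesting is invisible,
// so a groupdn pointing at Vault.authentication.group never matches user1.
func DirectGroups(groups []Group, userDN string) []string {
	var out []string
	for _, g := range groups {
		if contains(g.Members, userDN) {
			out = append(out, g.DN)
		}
	}
	return out
}

// TransitiveGroups models the LDAP_MATCHING_RULE_IN_CHAIN filter
// "(member:1.2.840.113556.1.4.1941:=<userDN>)": AD walks the member chain, so
// a group that contains the user only through another group also matches.
// The seen set guards against membership cycles (A in B, B in A).
func TransitiveGroups(groups []Group, userDN string) []string {
	seen := map[string]bool{}
	queue := []string{userDN}
	var out []string
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, g := range groups {
			if seen[g.DN] || !contains(g.Members, cur) {
				continue
			}
			seen[g.DN] = true
			out = append(out, g.DN)
			queue = append(queue, g.DN) // groups containing g also contain the user
		}
	}
	return out
}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println("direct (member=):", DirectGroups(SampleGroups, UserDN))
	fmt.Println("transitive (member:1.2.840.113556.1.4.1941:=):", TransitiveGroups(SampleGroups, UserDN))
}
```

Run stand-alone, the direct search returns only Group.policy.1 while the transitive search also returns Vault.authentication.group, which is exactly the gap that makes a parent-group groupdn reject a user who is only a member of a nested child group. Note that the matching rule is an Active Directory extension; OpenLDAP and most other servers reject the OID, so the transitive filter is only portable to AD.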

Ethan Wolkowicz

Jul 5, 2016, 4:08:57 PM
to Vault
I am running version 0.6.0 and we cannot get groups working either.  Same issue that Darren is having.  I've checked our groups using ldapsearch and they show up fine.  The group has the 'member' attributes for each user that should be allowed to auth, but when you try to auth with Vault, Vault says no groups exist and will only use local policies which require you to manually add each user to a group.  If I manually add a user and add the user to the particular group I can log in fine.  We are not dealing with nested groups.  Just a single group with members.

vault write auth/ldap/groups/group-name policies=root

error message:
* user is not a member of any authorized group; additionally, no LDAP groups found in userDN 'OU=Users,OU=Accounts,DC=ad,DC=org,DC=net' or groupDN 'OU=Groups,DC=ad,DC=org,DC=net';only policies from locally-defined groups available

Here is the config I use (sensitive data removed):

vault write auth/ldap/config url="ldap://fqdn" \
    userattr=uid \
    userdn="OU=Users,OU=Accounts,DC=ad,DC=org,DC=net" \
    groupdn="OU=Groups,DC=ad,DC=org,DC=net" \
    upndomain="fqdn" \
    binddn="CN=ldap-user,OU=Applications,OU=Accounts,DC=ad,DC=org,DC=net" \
    bindpass="***" \
    insecure_tls=false \
    starttls=true

Jeff Mitchell

Jul 5, 2016, 4:25:02 PM
to vault...@googlegroups.com
Hi Ethan,

Based on your groupdn it looks like you may be running Active
Directory, which does some very strange group management. You may want
to test out with the PR at
https://github.com/hashicorp/vault/pull/1388 as it's designed to
combat some of the way AD does things.

Best,
Jeff

David Adams

Jul 5, 2016, 4:40:36 PM
to vault...@googlegroups.com
FWIW, I've been using Active Directory with success after banging my head against the config steps for a long time. I'm sure there are caveats and AD-side config diffs that could break it, but FWIW, I don't specify userattr, groupattr, binddn, or bindpass (though I would expect userattr to be `samAccountName` in AD, rather than `cn`).

My initial setup commands look like:

    vault auth-enable -description "Active Directory Login" ldap
    vault write auth/ldap/config \
        url=ldaps://ad.example.com:636 \
        upndomain=ad.example.com \
        groupdn="DC=ad,DC=example,DC=com" \
        userdn="OU=Users,DC=ad,DC=example,DC=com"

(Yes, the groupdn base search path for groups is not restricted at all--we have groups stored in lots of places, unfortunately.) Anyway, that seems to be sufficient.

-dave


Ethan Wolkowicz

Jul 7, 2016, 10:56:43 AM
to Vault
I tried out David's approach but we require a binddn.  When I was trying that method (not specifying userattr) I would get the following error:

* LDAP search for binddn 0 or not unique

I built vault off of the PR at https://github.com/shomron/vault/tree/ldap_groupfilter and get the same error.  Using it both as the server and client.  The group I'm trying to auth with is called 'devopssec' which exists as a group with a root policy and I know for sure it exists in active directory under the branch I'm searching and has the right members.  It also fails if I set the groupdn as the parent branch or if I point directly at the group (right now it's 2 levels above to allow for additional groups).  It just doesn't seem to be seeing any groups.

* user is not a member of any authorized group; additionally, no LDAP groups found in userDN 'OU=Users,OU=Accounts,DC=ad,DC=***,DC=***,DC=net' or groupDN 'OU=Groups,DC=ad,DC=***,DC=***,DC=net';only policies from locally-defined groups available

 vault git:(ldap_groupfilter) vault read auth/ldap/groups/devopssec
Key         Value
policies    root

What information can I provide to help see what else might be going on?

Jeff Mitchell

Jul 7, 2016, 11:37:17 AM
to vault...@googlegroups.com
Hi Ethan,

If you do an ldapsearch with the specified binddn/userdn/groupdn what
values are returned, and with what keys?

Best,
Jeff

Ethan Wolkowicz

Jul 11, 2016, 9:09:57 AM
to Vault
I was able to get this resolved with the help of Jeff.

The error was in my config in that I had an incorrect upndomain set and I assumed having a binddn would be the first choice.  Because of this, and it may be helpful to others, if anything is set for a upndomain it will try to use that even if you have a binddn set.  All I had to do was just remove the upndomain completely as it was not needed since I had a binddn and bindpass.  That said, if I had actually set the upndomain to something that worked, it would have worked as well with the username associated with that upndomain.

I also use sAMAccountName in favor of UID since not all users in our org have a UID, but every user has the sAMAccountName set.  (using active directory).

Hope this is helpful to someone out there!

Ken Veski

Sep 21, 2017, 9:16:48 AM
to Vault
Good morning gentlemen, I am tackling a similar issue. This thread helped me along some, but it seems like I need some personalized advice.

I'm trying to get Vault running in a container on Openshift3, that was fairly straightforward. I also get it to authenticate against AD via LDAP, but fail to get groups from AD and thus policy management is a manual pain.

My current setup code is following:
➜  ~ vault write auth/ldap/config \
userattr=sAMAccountName \
userdn="OU=COMPANY Users,DC=company,DC=com" \
bindpass="TemporaryPass1" \
binddn="CN=vault integration,OU=System users,OU=COMPANY Users,DC=company,DC=com" \
insecure_tls=false \
starttls=true \
groupdn="memberOf=CN=unit_cloud_engineering,OU=Technology,OU=COMPANY Groups,DC=company,DC=com"
Success! Data written to: auth/ldap/config


This gives me the error:
➜  ~ vault auth -method=ldap username=first.lastname          
Password (will be hidden): 
Error making API request.

Code: 400. Errors:

* LDAP search failed: LDAP Result Code 34 "Invalid DN Syntax": 0000208F: NameErr: DSID-03100225, problem 2006 (BAD_NAME), data 8349, best match of:
'memberOf=CN=unit_cloud_engineering,OU=Technology,OU=COMPANY Groups,DC=company,DC=com'


What should I try?

Cheers,
Ken

Brian Kassouf

Sep 26, 2017, 7:13:41 PM
to vault...@googlegroups.com
Hi Ken,

The search in vault uses the same format as the ldapsearch command line tool, we usually recommend using that tool to find the correct search parameters and then configuring Vault with the search term.

Best,
Brian 


Ken Veski

Sep 28, 2017, 4:31:18 AM
to Vault
I get ldapsearch to work, example: 

ldapsearch -LL -H ldaps://dc01.company.com:636 -b "ou=COMPANY Users,dc=company,DC=com" -D "CN=vault integration,OU=System users,OU=COMPANY Users,DC=company,DC=com" -w "TemporaryPass1" "(sAMAccountName=user.name)"

I can also get out all users in group with query part 
"(&(memberOf=CN=unit_cloud_engineering,OU=Technology,OU=COMPANY Groups,DC=company,DC=com))"

But struggling with how to get the groups of a single user. Groups are defined as memberOf, but that gives me all members of a group, instead of group members.

Craig Sawyer

Sep 29, 2017, 2:46:31 PM
to Vault
Ken,
This is what we use for AD and vault integration for groups:

groupattr="cn"
groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))"
groupdn="ou=Groups, dc=example, dc=org"

I'm only showing the group related config options for vault.  Hopefully it will help you.
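The config above fixes the mistake in Ken's earlier attempt: `groupdn` is a base DN for the subtree search (a `memberOf=...` filter there is what produced the "Invalid DN Syntax" error), while the filter belongs in `groupfilter`. That option is a Go text/template with two fields, `{{.Username}}` and `{{.UserDN}}`. The following Go program is an added example written for this page (not Vault's own code) that renders such a template the same way, builds the ldapsearch command line to verify the search before committing it to Vault, and escapes the RFC 4515 filter metacharacters in the substituted user values first. The escaping is this example's own precaution so that a DN containing parentheses or asterisks cannot alter the filter's structure; it makes no claim about how Vault itself handles those characters. The DNs, hostname and service-account name are constructed sample values.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// NestedGroupFilter is the AD filter from the post above. The OID is
// LDAP_MATCHING_RULE_IN_CHAIN, which makes AD resolve nested membership.
const NestedGroupFilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))"

// FilterData carries the two fields a groupfilter template can reference.
type FilterData struct {
	Username string
	UserDN   string
}

// EscapeFilterValue escapes the characters RFC 4515 reserves inside a filter
// assertion value (backslash, *, parentheses, NUL) as \xx hex sequences so a
// DN or username containing them cannot change the structure of the filter.
func EscapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// RenderGroupFilter expands a groupfilter template with text/template after
// escaping the user-controlled fields.
func RenderGroupFilter(tmpl, username, userDN string) (string, error) {
	t, err := template.New("groupfilter").Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("parse groupfilter: %w", err)
	}
	data := FilterData{Username: EscapeFilterValue(username), UserDN: EscapeFilterValue(userDN)}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", fmt.Errorf("render groupfilter: %w", err)
	}
	return buf.String(), nil
}

// LdapsearchArgs builds the argv for checking the same search with the
// OpenLDAP ldapsearch tool: bind as binddn (-W prompts for the password),
// search the groupdn subtree with the rendered filter, return each group's cn.
func LdapsearchArgs(url, bindDN, groupDN, filter string) []string {
	return []string{"ldapsearch", "-LLL", "-H", url, "-D", bindDN, "-W", "-b", groupDN, filter, "cn"}
}

func main() {
	// Constructed sample user whose DN contains filter metacharacters.
	userDN := "CN=Doe, John (Contractor),OU=Users,DC=ad,DC=example,DC=com"
	f, err := RenderGroupFilter(NestedGroupFilter, "jdoe", userDN)
	if err != nil {
		panic(err)
	}
	fmt.Println(f)
	fmt.Printf("%q\n", LdapsearchArgs("ldaps://ad.example.com:636",
		"CN=vault integration,OU=Service Accounts,DC=ad,DC=example,DC=com",
		"OU=Groups,DC=ad,DC=example,DC=com", f))
}
```

If the ldapsearch built from those arguments returns the expected group entries, the same `groupdn` and `groupfilter` values can be written to `auth/ldap/config`; if it returns nothing, the base DN or filter is wrong and no Vault setting will change that. The rendered filter shows the parentheses in the sample DN replaced by `\28` and `\29`, which is what keeps the matching-rule assertion well formed.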