LDAP authentication with UID


Roy Avrahamy

Dec 6, 2016, 12:42:57 PM12/6/16
to Vault
Hi,

I'm trying to perform LDAP authentication with vault.
After a lot of trying, I was able to authenticate, but only with the full name in LDAP.
For example - I want to authenticate with the username "jmax" instead of "John Max".
For some reason, I can't.

I tried to configure the file like this:

vault write auth/ldap/config url="ldap://ldap.example.com" \
    userdn="ou=People,dc=example,dc=com" \
    groupdn="ou=Group,dc=example,dc=com" \
    groupfilter="(|(objectClass=exampleGroup)(memberUid={{.Username}}))" \
    groupattr="cn" \
    userattr="cn"


I tried to change the userattr to "uid" with no success...


What am I missing?


Thanks in advance,

Roy

Craig Sawyer

Dec 6, 2016, 12:52:46 PM12/6/16
to Vault
You don't specify what your LDAP server is, but you need to set userattr to whatever the username is, in your particular LDAP system.

for Active Directory, this will likely work:
userattr=sAMAccountName

Best bet is to go look at your LDAP entry using an ldap browser, admin tool, etc, and find out what entry has the username field, and then use that for userattr= setting in vault.

Hope This Helps,
-Craig

Roy Avrahamy

Dec 7, 2016, 9:06:10 AM12/7/16
to Vault
Thanks for your answer.
The server is not AD, just LDAP.
The short name (username) in the LDAP is called "uid", and I already tried entering it in the userattr field, but it keeps telling me "Invalid Credentials". I don't understand why it is not working.
It only works when I enter "cn" (which is the full name) in userattr and fill the full name.

Any ideas?

Craig Sawyer

Dec 7, 2016, 2:16:03 PM12/7/16
to Vault
I don't have any great insight here. I'd try setting Vault to lots of debug in its logs and then try authenticating; alternatively, you might try capturing the LDAP traffic and seeing what the LDAP server is saying in its logs.

Can you verify that other tools can auth against your LDAP with uid?

Sorry I can't really be of more help here, I'm not a huge LDAP person.

Roy Avrahamy

Dec 21, 2016, 12:07:41 PM12/21/16
to Vault
Hi All,

I figured it out.
The discoverdn attribute was supposed to be set to true:
discoverdn="true"

That's all. Then I configured the userattr to uid and it worked.

Thanks for the help!


Roy
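The fix above follows directly from how Vault's LDAP auth backend picks the DN it binds with, as described in Vault's LDAP auth documentation. Without discoverdn, Vault does not search at all: it concatenates `<userattr>=<username>,<userdn>` and tries to bind as that DN, so `userattr="uid"` only works when the user entries' DNs actually start with `uid=`. In a directory whose DNs are `cn=John Max,ou=People,...`, the constructed `uid=jmax,ou=People,...` does not exist and the server answers "Invalid Credentials". With `discoverdn="true"`, Vault first searches `userdn` for `(<userattr>=<username>)` and then binds as the DN the search returns, which is what lets `uid` work. The model below is an added example written for this thread, not Vault's own code; the directory entries, the `resolve_bind_dn`/`search` helper names and the escaping routines are constructed for illustration. It also shows why the username must be escaped before being substituted into a filter (the `{{.Username}}` placeholder in `groupfilter` is the same kind of substitution):

```python
"""Model of how Vault's LDAP auth chooses a bind DN for a login name.

Added example, not Vault's code. Reproduces the two paths from Vault's
LDAP auth docs:
  discoverdn=false -> bind DN is built as "<userattr>=<username>,<userdn>"
  discoverdn=true  -> search <userdn> for "(<userattr>=<username>)" first,
                      then bind as the single DN that search returns
"""
from typing import Dict, List, Optional, Tuple

# Constructed directory: DNs are cn-based (full name); uid holds the short name.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=John Max,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "cn": ["John Max"], "uid": ["jmax"],
    },
    "cn=Ada Lovelace,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "cn": ["Ada Lovelace"], "uid": ["ada"],
    },
}


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for a search filter (RFC 4515 rules).

    Without this a login name such as 'jmax)(uid=*' would change the
    structure of the filter instead of being compared as a literal value.
    """
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def search(base_dn: str, attr: str, value: str) -> List[str]:
    """Stand-in for an LDAP search under base_dn with an equality match on attr.

    The value is compared literally, which is what a correctly escaped
    filter makes the real server do.
    """
    return [
        dn for dn, entry in DIRECTORY.items()
        if dn.lower().endswith("," + base_dn.lower()) and value in entry.get(attr, [])
    ]


def resolve_bind_dn(cfg: Dict, username: str) -> Tuple[Optional[str], str]:
    """Return (bind_dn, explanation). bind_dn is None when no DN can be bound,
    which the LDAP server reports to Vault as 'Invalid Credentials'."""
    userattr = cfg.get("userattr", "cn")  # Vault's default userattr is cn
    userdn = cfg["userdn"]
    if not cfg.get("discoverdn", False):
        dn = f"{userattr}={escape_dn_value(username)},{userdn}"
        # No search: the entry must live at exactly this DN or the bind fails.
        return (dn if dn in DIRECTORY else None), f"constructed DN {dn!r}"
    ldap_filter = f"({userattr}={escape_filter_value(username)})"
    matches = search(userdn, userattr, username)
    how = f"searched {userdn!r} with filter {ldap_filter}"
    if len(matches) != 1:
        return None, how  # zero or ambiguous results: refuse to bind
    return matches[0], how


if __name__ == "__main__":
    base = {"userdn": "ou=People,dc=example,dc=com"}
    cases = [
        ({**base, "userattr": "cn"}, "John Max"),                          # works
        ({**base, "userattr": "uid"}, "jmax"),                             # fails
        ({**base, "userattr": "uid", "discoverdn": True}, "jmax"),         # works
        ({**base, "userattr": "uid", "discoverdn": True}, "jmax)(uid=*"),  # escaped, fails
    ]
    for cfg, user in cases:
        dn, how = resolve_bind_dn(cfg, user)
        print(f"{user!r:16} -> {dn or 'Invalid Credentials'}  [{how}]")
```

One caveat a reviewer would raise about the posted config: the group filter `(|(objectClass=exampleGroup)(memberUid={{.Username}}))` is an OR, so it matches every exampleGroup entry whether or not the user is a member, and every authenticated user would be mapped to the policies of every group. An AND, `(&(objectClass=exampleGroup)(memberUid={{.Username}}))`, restricts the result to groups the user actually belongs to.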