Re: [vault] Setting up LDAP?


Chris Hoffman

Aug 17, 2018, 9:26:37 AM
to Vault
Can you provide your server logs and the rest of the error when you run "vault auth-enable -tls-skip-verify ldap"? It looks like the rest of the error may be cut off.

Thanks,
Chris
On Aug 17, 2018, 9:23 AM -0400, julia...@gmail.com, wrote:
Vault 0.10.2
Trying to set up ldap user authentication to use FreeIPA and can't even get started. 

Tried an initial config via the Gui but once saved, it cannot be deleted, edited or even viewed in the Gui. Disable also seems to have no effect. (Very frustrating). I assume this is simply 
So switched to command line and tried to follow the official doc https://www.vaultproject.io/docs/auth/ldap.html and then https://shapeshed.com/hashicorp-vault-ldap/.
But can't even get started.

vault auth-enable -tls-skip-verify  ldap
WARNING! The "vault auth-enable" command is deprecated. Please use "vault auth
enable" instead. This command will be removed in Vault 0.11 (or later).

Error enabling ldap auth: Error making API request.

Code: 400. Errors:

Presumably this means it's already there following the above? 

So I tried to overwrite with a new dummy config. 
[ec2-user@ip-10-10-20-215 ~]$ vault write -tls-skip-verify auth/ldap/config \
>           url="ldaps://ldap01.foo.net" \
>           binddn="cn=readonly,dc=foo,dc=net" \
>           bindpass="098765432" \
>           userdn="ou=people,dc=foo,dc=net" \
>           userattr="uid" \
>           groupdn="ou=group,dc=foo,dc=net" \
>           groupattr="cn" \
>           insecure_tls=false
Error writing data to auth/ldap/config: Error making API request.

Code: 404. Errors:

* no handler for route 'auth/ldap/config'

Which implies it isn't.
As I can't enable, disable or write any config, how can I set it up?

Is my Vault install broken and how can I fix it?


Additionally, (if I ever get that far) my FreeIPA is SSL'd on a self-signed cert. I have the public pem file which I've used successfully elsewhere but the docs say, to reference the cert in the config, you use a line like
certificate = @ldap_cert.pem
There is however, no mention of where it will look to pick up that file - is it just the pwd?

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/d8e8ff0a-ff09-46a4-b362-ca53d061d6a5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

julia...@gmail.com

Aug 17, 2018, 9:28:10 AM
to Vault

Thanks Chris, 
You're right, I was trying to edit my post but seems to be no option.

vault auth enable -tls-skip-verify  ldap
Error enabling ldap auth: Error making API request.

Code: 400. Errors:

* path is already in use

julia...@gmail.com

Aug 17, 2018, 9:29:38 AM
to Vault
Vault 0.10.2
Trying to set up ldap user authentication to use FreeIPA and can't even get started. 

Tried an initial config via the Gui but once saved, it cannot be deleted, edited or even viewed in the Gui. Disable also seems to have no effect. (Very frustrating). I assume this is simply 
So switched to command line and tried to follow the official doc https://www.vaultproject.io/docs/auth/ldap.html and then https://shapeshed.com/hashicorp-vault-ldap/.
But can't even get started.

vault auth enable -tls-skip-verify  ldap
Error enabling ldap auth: Error making API request.

Code: 400. Errors:

* path is already in use

Presumably this means it's already there following the above? 

So I tried to overwrite with a new dummy config. 
[ec2-user@ip-10-10-20-215 ~]$ vault write -tls-skip-verify auth/ldap/config \
>           url="ldaps://ldap01.foo.net" \
>           binddn="cn=readonly,dc=foo,dc=net" \
>           bindpass="098765432" \
>           userdn="ou=people,dc=foo,dc=net" \
>           userattr="uid" \
>           groupdn="ou=group,dc=foo,dc=net" \
>           groupattr="cn" \
>           insecure_tls=false
Error writing data to auth/ldap/config: Error making API request.

Code: 404. Errors:

* no handler for route 'auth/ldap/config'

Which implies it isn't.
As I can't enable, disable or write any config, how can I set it up?

Is my Vault install broken and how can I fix it?


Additionally, (if I ever get that far) my FreeIPA is SSL'd on a self-signed cert. I have the public pem file which I've used successfully elsewhere but the docs say, to reference the cert in the config, you use a line like
certificate = @ldap_cert.pem
There is however, no mention of where it will look to pick up that file - is it just the pwd?


Chris Hoffman

Aug 17, 2018, 9:34:16 AM
to Vault
What is the output to `vault auth list`?  Also, are you able to run `vault auth disable ldap` and try again?  If neither of these give the answers, you could also try and mount ldap at a different path with this command `vault auth enable -path=ldap2/ ldap`.

Chris

julia...@gmail.com

Aug 17, 2018, 9:43:44 AM
to Vault
vault auth -tls-skip-verify list
WARNING! The "vault auth ARG" command is deprecated and is now a subcommand
for interacting with auth methods. To authenticate locally to Vault, use
"vault login" instead. This backwards compatibility will be removed in Vault
0.11 (or later).

Error authenticating: error looking up token: Error making API request.

Code: 403. Errors:

* permission denied

Which I don't understand as I'm authenticated using the root token and can access all the secrets.

Tried the disable but get
[ec2-user@ip-10-10-20-215 ~]$ vault auth -tls-skip-verify disable ldap
WARNING! The "vault auth ARG" command is deprecated and is now a subcommand
for interacting with auth methods. To authenticate locally to Vault, use
"vault login" instead. This backwards compatibility will be removed in Vault
0.11 (or later).

Error parsing configuration: invalid key/value pair "ldap": format must be key=value

and similarly
[ec2-user@ip-10-10-20-215 ~]$ vault auth -tls-skip-verify enable -path=ldap2 ldap
WARNING! The "vault auth ARG" command is deprecated and is now a subcommand
for interacting with auth methods. To authenticate locally to Vault, use
"vault login" instead. This backwards compatibility will be removed in Vault
0.11 (or later).

Error parsing configuration: invalid key/value pair "ldap": format must be key=value

Chris Hoffman

Aug 17, 2018, 10:25:05 AM
to Vault
Can you provide the output of `vault --version`, `vault status`, and `vault token lookup`?  Also, is anything showing up in your server logs for vault?

Thanks,
Chris

julia...@gmail.com

Aug 17, 2018, 10:58:04 AM
to Vault
Thanks for your help Chris,
[ec2-user@ip-10-10-20-215 ~]$ vault --version
Vault v0.10.2 ('3ee0802ed08cb7f4046c2151ec4671a076b76166')


[ec2-user@ip-10-10-20-215 ~]$ vault status -tls-skip-verify
Key             Value
---             -----
Seal Type       shamir
Sealed          false
Total Shares    5
Threshold       3
Version         0.10.2
Cluster Name    vault-cluster-681b1998
Cluster ID      4cfcaafd-d935-751d-4a21-3708c5b586fa
HA Enabled      false



[ec2-user@ip-10-10-20-215 ~]$ vault token lookup  -tls-skip-verify
Key                 Value
---                 -----
accessor            062ce5ba-c159-2194-89eb-c46ddf0c9897
creation_time       1521015765
creation_ttl        0
display_name        root
entity_id           n/a
expire_time         <nil>
explicit_max_ttl    0
id                  aad2a96c-96b1-4379-1b1e-936bb12484a8
meta                <nil>
num_uses            0
orphan              true
path                auth/token/root
policies            [root]
ttl                 0

There's nothing of interest in /var/log/messages other than a repeat of the error messages I see on the screen.
I've been unable to track down any other log files or find any documentation that references any so assume everything goes to the messages file. If there is another log file, please let me know and I'll post the contents.

Chris Hoffman

Aug 17, 2018, 11:06:11 AM
to Vault
Where is your vault server running, i.e. what is the value of VAULT_ADDR?  That server should have logs (upgrade to TRACE logs if you can) for the vault process that is handling the requests from the CLI.  That may have the key to the issue you are having.  The permission denied error is odd and the ldap behavior adds to this oddness.

Thanks,
Chris 

julia...@gmail.com

Aug 17, 2018, 12:39:40 PM
to Vault
Sorry for the delay. To enable logging I was going to have to bounce Vault, and it's used by our Devs for various things.
So I took the decision to build a second setup to avoid adding spurious entries or impacting the active one. 
Also gave me the chance to start fresh in case there was something odd with our build.
During the build I had to run the usual unseal commands etc and hit odd issues that led me to revisit all my command structures.

I think I've made some progress. It appears a lot of the issues are down to misleading error messages rather than anything fundamentally wrong.
vault auth -tls-skip-verify list
does return
Error authenticating: error looking up token: Error making API request.

Code: 403. Errors:

* permission denied

But
vault auth list -tls-skip-verify

returns
Path         Type        Accessor                  Description
----         ----        --------                  -----------
token/       token       auth_token_713b7739       token based credentials
userpass/    userpass    auth_userpass_46291caa    n/a

(Note no LDAP)
So in the same vein, I messed around with the parameter order for enable and disable and discovered
vault auth-enable -tls-skip-verify ldap
worked
so I now have
Path         Type        Accessor                  Description
----         ----        --------                  -----------
ldap/        ldap        auth_ldap_0daefa01        n/a
token/       token       auth_token_713b7739       token based credentials
userpass/    userpass    auth_userpass_46291caa    n/a

and
my write to  auth/ldap/config is working now.

I can't see any pattern to how these commands operate with the -tls-skip-verify (Though there presumably is one) but at least I have some working commands now. I've tested them in the dev stack where I was having issues and have been able to set and read back ldap config.

Thanks for your help & quick responses - greatly appreciated.
I'll now work on getting the correct ldap config.....


Chris Hoffman

Aug 17, 2018, 12:43:25 PM
to Vault
Cool, glad you figured it out.  I had a fleeting thought about that at one point but didn't remember to try it out.  Thanks for the follow-up.

Chris

Andrew Meyer

Aug 22, 2018, 3:17:56 PM
to Vault
What did you use for your group filter?

Peter Sutty

Aug 23, 2018, 2:20:24 AM
to vault...@googlegroups.com
vault read auth/ldap/config ?

julia...@gmail.com

Aug 23, 2018, 3:05:58 AM
to Vault
Using FreeIPA out of the box (with nothing clever done to the structure), my config is
vault write -tls-skip-verify auth/ldap/config \
url="ldaps://ldap.foo.com" \
userattr="uid" \
userdn="cn=users,cn=accounts,dc=foo,dc=com" \
discoverdn=true \
groupdn="cn=groups,cn=compat,dc=foo,dc=com" \
certificate=@ldap_cert.pem \
insecure_tls=false \
starttls=true

Much to my surprise, I didn't need anything else. Logins and Group matching work fine.

julia...@gmail.com

Aug 23, 2018, 4:25:13 AM
to Vault
I should add, querying back the setup, it shows the default group filter as

groupfilter             (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
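Two things in this thread are worth seeing in working code: why the FreeIPA config posted above works with no custom groupfilter, and where `certificate=@ldap_cert.pem` is read from (the question left open earlier). The Python below is an added illustration, not code from the thread or from Vault. It renders the default groupfilter for a user under the posted `userdn` and mirrors the CLI's `@file` convention, in which the vault CLI process itself opens the file, so a relative path resolves against the directory the command is run from, not against the Vault server. FreeIPA's compat tree (`cn=compat`) exposes groups as posixGroup entries carrying `memberUid`, which is why the first branch of the default filter matches out of the box. The `{{.Username}}`/`{{.UserDN}}` substitution and the RFC 4515 escaping are this example's own (Vault renders the template server-side with Go's text/template), and the user DN shape `uid=<user>,<userdn>` is assumed from the posted config.

```python
import os
import re
import tempfile

# Default groupfilter that `vault read auth/ldap/config` reported in the thread.
DEFAULT_GROUPFILTER = (
    "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"
)

# Values from the FreeIPA config posted in the thread (foo.com is the poster's placeholder domain).
USERATTR = "uid"
USERDN = "cn=users,cn=accounts,dc=foo,dc=com"

# RFC 4515 escaping for assertion values embedded in a search filter. This is the
# behaviour a defensive filter builder needs; it is part of this example, not a claim
# about how Vault's own template rendering is implemented.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

_TEMPLATE_VAR = re.compile(r"\{\{\s*\.(\w+)\s*\}\}")


def escape_filter_value(value: str) -> str:
    """Escape the characters that would let a value alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_dn_for(username: str, userattr: str = USERATTR, userdn: str = USERDN) -> str:
    """Build the DN a FreeIPA user has under the configured userdn (assumed shape: uid=<user>,<userdn>)."""
    return f"{userattr}={username},{userdn}"


def render_groupfilter(template: str, username: str, user_dn: str) -> str:
    """Substitute the two variables Vault exposes to groupfilter, escaping each value."""
    values = {
        "Username": escape_filter_value(username),
        "UserDN": escape_filter_value(user_dn),
    }

    def substitute(match):
        key = match.group(1)
        if key not in values:
            raise KeyError(f"unknown groupfilter variable {{{{.{key}}}}}")
        return values[key]

    return _TEMPLATE_VAR.sub(substitute, template)


def expand_at_value(value: str, cwd: str) -> str:
    """Mirror the CLI convention `key=@file`: a value beginning with '@' is replaced by the
    contents of that file. The CLI opens it locally, so a relative name like ldap_cert.pem
    is looked up in the directory the command runs from (cwd here), never on the server."""
    if not value.startswith("@"):
        return value
    with open(os.path.join(cwd, value[1:]), encoding="utf-8") as fh:
        return fh.read()


def certificate_loads_from_cwd() -> bool:
    """Self-check: a constructed ldap_cert.pem in a temp dir is picked up via '@ldap_cert.pem'."""
    pem = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, "ldap_cert.pem"), "w", encoding="utf-8") as fh:
            fh.write(pem)
        return expand_at_value("@ldap_cert.pem", workdir) == pem


if __name__ == "__main__":
    # Ordinary login: the memberUid branch is what FreeIPA's compat tree satisfies.
    print(render_groupfilter(DEFAULT_GROUPFILTER, "jdoe", user_dn_for("jdoe")))
    # A username carrying filter metacharacters stays inside its assertion value.
    print(render_groupfilter(DEFAULT_GROUPFILTER, "j)(uid=*", user_dn_for("j)(uid=*")))
    print(certificate_loads_from_cwd())
```

Run it from the directory that holds the pem to see the same resolution rule the CLI applies; the second printed filter shows that a username containing `)(*` is escaped rather than closing the `memberUid` clause early.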