Accessing AD server through LDAP Auth backend


Clay Bowen

Aug 5, 2015, 12:06:01 PM8/5/15
to Vault
I don't see a way to provide credentials to the LDAP server (in the ldap configuration section) -- my AD server requires it.  Without providing it, I can't bind to the LDAP server.  Here's the response I get without it:

* LDAP bind failed: LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

I'm probably missing something easy.

Thanks,
Clay

Armon Dadgar

Aug 5, 2015, 2:47:27 PM8/5/15
to Clay Bowen, vault...@googlegroups.com
Clay,

I think there is a bigger challenge with LDAP and Active Directory currently. I believe that the
LDAP search/bind strings are not correct for AD integration, and there is a discussion going on:


I’m not an LDAP expert, but it’s clear we need to change how we search/bind so that we can
support AD and OpenLDAP deploys in a more flexible and generic way.

Best Regards,
Armon Dadgar
--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/3dbf270c-ec8b-4748-ab6a-6a7b5d7e620f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Clay Bowen

Aug 5, 2015, 3:52:53 PM8/5/15
to Vault
Hey Armon, I didn't see any documentation (even the internal path-help doc) on the BindDN config parameter.  This looks like what I'd need.  I'm not sure how to use it, though - can you provide an example of the vault write auth/ldap/config command which includes the BindDN user and password?

Thanks,
Clay

Armon Dadgar

Aug 5, 2015, 5:42:17 PM8/5/15
to Clay Bowen, vault...@googlegroups.com
Hey Clay,

We have not yet merged in the PR that adds the BindDN, my problem is I don’t
understand LDAP well enough to re-architect the auth backend. We keep adding
small changes to the LDAP backend to fix particular use cases, but it seems clear
we need to rethink it in a more general and flexible way.

Best Regards,
Armon Dadgar


Lloyd Bowen

Aug 5, 2015, 6:12:42 PM8/5/15
to Armon Dadgar, vault...@googlegroups.com
Ok, I understand.  I'm not a big LDAP person myself - books more than 5 inches thick make me nervous...

Clay

Sent from my iPad

Will Stevens

Oct 2, 2015, 11:33:05 AM10/2/15
to Vault, on.rode...@gmail.com
Do we have a timeframe for this?  Active Directory is the main use case for the LDAP authentication mechanism and, from what I can tell, it is currently unusable.

Thanks,

Will

Jeff Mitchell

Oct 2, 2015, 11:49:38 AM10/2/15
to vault...@googlegroups.com, Clay Bowen
It's currently planned for 0.4.

There are some people using it with AD, it just doesn't currently work
for all people. At the moment, people seem to be using it just fine
with local patches, however.

--Jeff

Clay Bowen

Oct 2, 2015, 12:08:38 PM10/2/15
to Vault, on.rode...@gmail.com
I managed to get mine working on the main branch WITHOUT a bind user.  Note that I couldn't get this working WITHOUT using ldaps and specifying a port (I got the bind error).  Here's the config I used (some sensitive data has been removed):

vault write auth/ldap/config url="ldaps://<server>:636" upndomain="<company>.com" userattr=sAMAccountName userdn="OU=End User Accounts,OU=Corporate Users,DC=<city>,DC=<company>,DC=com" groupdn="OU=Groups,DC=<city>,DC=<company>,DC=com" insecure_tls=true starttls=true

vault write auth/ldap/groups/"Developer Productivity Team" policies=scripts,root

I can now log in using LDAP against my AD with:

vault auth -method=ldap username=<username>
Password (will be hidden):
Successfully authenticated!
The policies that are associated with this token are listed below:

root, scripts


Thanks,
Clay

justin...@nike.com

Nov 2, 2015, 6:43:39 PM11/2/15
to Vault, on.rode...@gmail.com
Hello All,

I have been hitting my head against the AD / LDAP auth backend wall all day today and I am trying to figure out what is missing in my configuration.

I am running the following command

vault write auth/ldap/config \
    url="ldaps://ldap.acme.com:636" \
    upndomain="acme.com" \
    userattr=sAMAccountName \
    userdn="OU=All Users,DC=ad,DC=acme,DC=com" \
    groupdn="OU=Lists,DC=ad,DC=acme,DC=com" \
    insecure_tls=true \
    starttls=true

and I get the following message
Success! Data written to: auth/ldap/config

However when I run
vault auth -method=ldap username=acmeUser1
==> WARNING: VAULT_TOKEN environment variable set!

  The environment variable takes precedence over the value
  set by the auth command. Either update the value of the
  environment variable or unset it to use the new token.

Password (will be hidden): 
Error making API request.

Code: 400. Errors:

* LDAP bind failed: LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

I am not sure how best to proceed as I am a complete ldap / ad newbie and any suggestions would be appreciated.

Thanks,
Justin
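Clay's working config and Justin's failing one differ only in the directory they point at, yet both hit the same "LDAP Result Code 49 ... data 52e" error at one time or another. Two things help when debugging this: reading the Active Directory sub-code that AD appends after "data" (52e is the AD way of saying the bind identity or password was rejected; 525, 533 and 775 mean user-not-found, disabled and locked-out respectively), and knowing exactly which identity Vault will put in the bind request for a given config. The helper below is an added example written for this thread, not code from Vault or from any poster. It decodes the error text, parses a `vault write auth/ldap/config` command line into a dict, predicts the bind identity, and flags TLS settings worth a second look (both configs in this thread combine `ldaps://` with `starttls=true`, and both set `insecure_tls=true`, which turns off certificate verification for the connection that carries the user's password). The bind-identity rule it encodes (bind as `username@upndomain` when `upndomain` is set, otherwise compose `userattr=username,userdn`) is how the 2015-era backend behaved and is marked as an assumption to check against the version you run; the sample error and command line are constructed from the thread with placeholders replaced by example.com values.

```python
import re
import shlex

# Well-known Active Directory sub-codes carried in the "data NNN" field of the
# 80090308 / AcceptSecurityContext diagnostic that accompanies LDAP result 49.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password, or the bind identity does not exist as sent)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_RESULT_RE = re.compile(r"LDAP Result Code (\d+)")
_DATA_RE = re.compile(r"\bdata ([0-9a-fA-F]+)\b")


def decode_bind_error(msg):
    """Return (ldap_result_code, ad_subcode, meaning) for a Vault 'LDAP bind failed' message."""
    m = _RESULT_RE.search(msg)
    code = int(m.group(1)) if m else None
    d = _DATA_RE.search(msg)
    sub = d.group(1).lower() if d else None
    if sub is None:
        meaning = "no AD diagnostic present"
    else:
        meaning = AD_BIND_SUBCODES.get(sub, "unknown AD sub-code")
    return code, sub, meaning


def parse_vault_write_args(cmdline):
    """Turn `vault write auth/ldap/config k=v k="v with spaces" ...` into a dict."""
    toks = shlex.split(cmdline)
    if toks[:2] != ["vault", "write"]:
        raise ValueError("expected a 'vault write' command line")
    cfg = {}
    for tok in toks[3:]:            # skip 'vault', 'write' and the path
        key, sep, val = tok.partition("=")
        if not sep:
            raise ValueError("argument without '=': %r" % tok)
        cfg[key] = val
    return cfg


def expected_bind_identity(cfg, username):
    """Identity Vault presents in the bind request for a login attempt.

    ASSUMPTION (2015-era backend; check against your version): with upndomain set,
    Vault binds as username@upndomain; otherwise it composes userattr=username,userdn.
    """
    if cfg.get("upndomain"):
        return "%s@%s" % (username, cfg["upndomain"])
    if cfg.get("userdn"):
        return "%s=%s,%s" % (cfg.get("userattr", "cn"), username, cfg["userdn"])
    raise ValueError("neither upndomain nor userdn set; no bind identity can be built")


def lint_config(cfg):
    """Flag settings in a Vault LDAP config that weaken or confuse the TLS setup."""
    warnings = []
    url = cfg.get("url", "")
    if url.startswith("ldaps://") and cfg.get("starttls") == "true":
        warnings.append("starttls=true with an ldaps:// URL: STARTTLS upgrades a plaintext "
                        "ldap:// connection; an ldaps:// session is already TLS")
    if cfg.get("insecure_tls") == "true":
        warnings.append("insecure_tls=true disables server certificate verification, so an "
                        "on-path attacker can terminate TLS and read the bind password")
    if url.startswith("ldap://") and cfg.get("starttls") != "true":
        warnings.append("plaintext ldap:// without starttls: bind passwords cross the wire in clear")
    return warnings


# Constructed sample input modelled on the thread (placeholders replaced with example.com values).
SAMPLE_ERROR = ('LDAP bind failed: LDAP Result Code 49 "Invalid Credentials": 80090308: '
                'LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1')
SAMPLE_CMD = ('vault write auth/ldap/config url="ldaps://ad.example.com:636" '
              'upndomain="example.com" userattr=sAMAccountName '
              'userdn="OU=End User Accounts,OU=Corporate Users,DC=city,DC=example,DC=com" '
              'groupdn="OU=Groups,DC=city,DC=example,DC=com" insecure_tls=true starttls=true')

if __name__ == "__main__":
    print(decode_bind_error(SAMPLE_ERROR))
    cfg = parse_vault_write_args(SAMPLE_CMD)
    print("bind identity for jdoe:", expected_bind_identity(cfg, "jdoe"))
    for w in lint_config(cfg):
        print("WARN:", w)
```

Run it against the exact error string Vault printed and the exact `vault write` line you used. If the predicted bind identity is a composed DN (no `upndomain`) but your users live in several OUs, AD will answer 52e for anyone outside `userdn`, which is the symptom the thread is chasing; with `upndomain` set, 52e is almost always a wrong password or a UPN suffix that does not match the account.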

justin...@nike.com

Nov 4, 2015, 1:25:46 AM11/4/15
to Vault, on.rode...@gmail.com
I got a go environment going today and learned enough about go to modify the LDAP Backend enough to get my use case working and conclude that I probably need to wait for https://github.com/hashicorp/vault/issues/546 to be resolved.

Cheers,

Justin