LDAP Configuration Help


Angelo San Ramon

Sep 8, 2016, 12:54:14 PM
to Vault
Hello,

I am new to Vault and I am trying to configure it to bind to our LDAP. However, I keep getting the following error message: 

> vault auth -method=ldap username=user1
Password (will be hidden):
Error making API request.

URL: PUT http://172.17.2.40:8200/v1/auth/ldap/login/user1
Code: 400. Errors:

* user is not a member of any authorized group; additionally, no LDAP groups found in groupDN 'ou=groups,o=example.com,o=email'; only policies from locally-defined groups available

Can someone please advise me on the proper LDAP parameters I should set the following to?

Key         Value
---             -----
binddn         
bindpass       
certificate    
discoverdn      true
groupattr       uniqueMember
groupdn         ou=groups,o=apple.com,o=email
groupfilter     (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember=uid={{.Username}},{{.UserDN}}))
insecure_tls    false
starttls        true
tls_min_version tls12
upndomain      
url             ldap://corpds.apple.com
userattr        uid
userdn          ou=people,o=apple.com,o=email
Our LDAP group and user attributes are as follows:

Group Attributes
----------------
dn: cn=vault_users,ou=groups,o=example.com,o=email
uniqueMember: uid=user1,ou=people,o=example.com,o=email
uniqueMember: uid=user2,ou=people,o=example.com,o=email
objectClass: ipUser
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
objectClass: inetMailGroup
objectClass: some-group
objectClass: inetLocalMailRecipient
objectClass: inetSubscriber
mail: vault...@group.example.com
cn: vault_users
description: Access group for Vault
owner: cn=vault_users,ou=groups,o=example.com,o=email
mgrpErrorsTo: us...@example.com
gidNumber: 745432
inetSubscriberAccountId: 345098


User Attributes
---------------
dn: uid=user1,ou=people,o=example.com,o=email
mobile: +1-456-1234567
ou: My Group Name
manager: uid=mymanager,ou=people,o=example.com,o=email
departmentNumber: 0056/0927
cn: Firstname Lastname
dataSource: Directory Services Provisioning System
mail: us...@example.com
homeDirectory: /home/user1
loginShell: /bin/bash
uidNumber: 5623456789
gidNumber: 23456
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: inetUser
objectClass: ipUser
objectClass: inetMailUser
objectClass: sunPresenceUser
objectClass: sunIMUser
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetLocalMailRecipient
objectClass: userPresenceProfile
objectClass: icsCalendarUser
objectClass: ldapPublicKey
altSecurityIdentities: user1
uid: user1
employeeType: D
inetUserStatus: active
sn: Lastname
destinationIndicator: SCV
givenName: Firstname
mailUserStatus: active
description: AP-ZZZZ-5500-MASTE-DEFAU-DFLT-oshkosh-1-7_26_16
employeeNumber: 3493450950


Thank you for the assistance


Angelo San Ramon

Sep 8, 2016, 1:21:22 PM
to Vault
I changed the config to groupfilter="(&(uniqueMember=uid={{.Username}},ou=people,o=example.com,o=email))". I can authenticate now, but it looks like it's not recognizing the group for the user. I get the following:

>vault auth -method=ldap username=user1
Password (will be hidden):
Error making API request.

URL: PUT http://172.17.2.40:8200/v1/auth/ldap/login/user1
Code: 400. Errors:

* user is not a member of any authorized group

Thanks

Angelo San Ramon

Sep 8, 2016, 2:20:40 PM
to Vault
Got it figured out. In case anyone is trying to figure out the same thing:

>vault read auth/ldap/config
Key             Value
---             -----
binddn        
bindpass      
certificate    
discoverdn     true
groupattr       cn
groupdn         cn=vault_users,ou=groups,o=example.com,o=email
groupfilter     (&(uniqueMember=uid={{.Username}},ou=people,o=example.com,o=email))
insecure_tls   false
starttls       true
tls_min_version tls12
upndomain      
url             ldap://ldap.example.com
userattr       uid
userdn         ou=people,o=example.com,o=email

Thanks
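As an added illustration (not code from this thread or from Vault itself): the Go snippet below renders the two groupfilter values from the thread with text/template, the same templating Vault applies to {{.Username}} and {{.UserDN}}, and evaluates the result against a constructed copy of the cn=vault_users entry quoted above. The filter evaluator is a deliberately small stand-in for the directory server, and it assumes discoverdn resolved user1 to uid=user1,ou=people,o=example.com,o=email.

```go
package main

import (
	"bytes"
	"strings"
	"text/template"
)

// Constructed stand-in for the cn=vault_users group entry quoted in the thread.
var vaultUsersGroup = map[string][]string{
	"cn":           {"vault_users"},
	"uniqueMember": {"uid=user1,ou=people,o=example.com,o=email", "uid=user2,ou=people,o=example.com,o=email"},
}

// RenderGroupFilter expands {{.Username}} and {{.UserDN}} with text/template,
// the template syntax Vault's groupfilter setting is written in.
func RenderGroupFilter(filter, username, userDN string) (string, error) {
	tmpl, err := template.New("groupfilter").Parse(filter)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = tmpl.Execute(&buf, struct{ Username, UserDN string }{username, userDN})
	return buf.String(), err
}

// MatchesFilter evaluates a rendered filter against one entry. It handles only
// (attr=value) assertions, optionally joined one level deep by & or |, which is
// all the thread's filters need; it is not a general RFC 4515 evaluator.
func MatchesFilter(entry map[string][]string, f string) bool {
	inner := strings.TrimSuffix(strings.TrimPrefix(f, "("), ")")
	if inner != "" && (inner[0] == '&' || inner[0] == '|') {
		isOr := inner[0] == '|'
		for _, sub := range strings.Split(strings.Trim(inner[1:], "()"), ")(") {
			if MatchesFilter(entry, "("+sub+")") == isOr {
				return isOr // OR: first match wins; AND: first mismatch fails
			}
		}
		return !isOr
	}
	kv := strings.SplitN(inner, "=", 2) // attr, value
	for _, v := range entry[kv[0]] {
		if len(kv) == 2 && strings.EqualFold(v, kv[1]) { // DNs compare case-insensitively
			return true
		}
	}
	return false
}
```

The last clause of the first filter renders to uniqueMember=uid=user1,uid=user1,ou=people,o=example.com,o=email, a DN with a duplicated uid= component that no group lists, so no group is found, while the final filter renders to the exact uniqueMember value and matches. Vault then reads the groupattr values of each matched entry as the group names to map to policies, which is why groupattr=cn yields vault_users.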
