The Insecure Wire

a network engineer's perspective

Setting up AD Auth with Hashicorp Vault

HashiCorp Vault is an open source secrets manager; in DevOps pipelines it gives automation an access-controlled way to retrieve keys and other secrets instead of baking them into code or config.
I recently set up Vault as a password and key store. Here is how to configure it to authenticate users against Active Directory over LDAP.

This setup assumes the following:
‘sAMAccountName’ is the username attribute within AD for the users you want to authenticate to Vault.
The user must be a member of a specific AD group to be granted access to the Vault secrets path.
The KV secrets engine (version 2) is mounted at secret/, which is why the policy paths below start with secret/data/.
Vault is installed, initialized and unsealed, and you are logged in with the root token (or another token allowed to manage policies and auth methods).

1. Create a file named IT.hcl with the following Vault policy as its contents:

path "secret/data/IT" {
capabilities = ["create", "read", "update", "delete"]
}
path "secret/metadata/IT" {
capabilities = ["list"]
}

With KV version 2 the secret contents live under secret/data/ and the key listing under secret/metadata/, so a list capability on the data path does nothing; it belongs on the metadata path. The paths above match only the secret named IT; if IT is a folder of secrets, use secret/data/IT/* and secret/metadata/IT/* instead. The policy grants exactly the capabilities listed, so drop any the group does not need (delete, for example, if the group should not be able to remove secrets).

2. Write the policy into the Vault:

vault policy write IT IT.hcl

3. Enable LDAP Auth:

vault auth enable ldap

4. Write the LDAP auth config (edit the values for your server name, base DN, bind account and group OU):

vault write auth/ldap/config \
url="ldaps://server.domain.name" \
userattr="sAMAccountName" \
userdn="ou=Users,dc=domain,dc=name" \
groupdn="ou=Groups,dc=domain,dc=name" \
groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
groupattr="cn" \
binddn="cn=vault,ou=Users,dc=domain,dc=name" \
bindpass='My$ecrt3tP4ss' \
upndomain="domain.name"

A few points on these values. Use ldaps:// (or add starttls=true); with plain ldap:// the bind credentials and every user's password cross the network in cleartext. If your AD CA is private, pass its PEM with certificate=@ca.pem rather than setting insecure_tls=true. The AD username attribute is sAMAccountName (there is no sAMAccountID), and with upndomain set Vault binds as username@domain.name and then searches userdn with that attribute to find the user's DN for the group lookup. The groupfilter uses the AD matching rule LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941), so nested group membership is resolved. groupattr="cn" means the group's CN is the name Vault matches in step 5. Every line except the last needs the trailing backslash, or the command is cut short. Finally, a bind password typed on the command line lands in your shell history and the process list; prefer bindpass=@/path/to/file, which makes the Vault CLI read the value from that file. The bind account needs only read access to the user and group OUs.

5. Map the Vault IT policy to the IT AD group:

vault write auth/ldap/groups/IT policies=IT

The name after auth/ldap/groups/ must match the group's groupattr value, here the CN of the AD group, so for this example the AD group is named ‘IT’. By default Vault lowercases user and group names before comparing them (case_sensitive_names=false), so the case of the name only matters if you enabled case-sensitive names.

6. Test Vault AD Authentication:

vault login -method=ldap username='myUser'

Vault prompts for the password and, because upndomain is set, binds to AD as myUser@domain.name. The login output lists the token's policies; ‘IT’ should be among them.

7. Confirm your AD user has the permissions set in the IT Vault policy:

vault token capabilities secret/data/IT

In this example the AD user myUser is a member of the AD group ‘IT’, so the LDAP login returns a token carrying the IT policy, and the command should list create, delete, read and update for secret/data/IT. If it prints deny, check that the group mapping name matches the group's CN and that the groupfilter actually returns the group for that user. All done 🙂
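The seven steps above as one script, added here as an example; it is not code from the original post or from HashiCorp. It keeps the post's placeholder names (server.domain.name, dc=domain,dc=name, the IT group and policy) and assumes a bind-password file whose path you supply; the vault subcommands and flags it uses are standard CLI behaviour (policy write from stdin with -, auth list -format=json, key=@file to read a value from a file). Compared with the steps as typed, it switches to LDAPS, keeps the bind password out of argv and shell history, puts the list capability on the KV v2 metadata path, makes the enable step safe to re-run, and checks the resulting capabilities instead of eyeballing them:

```shell
#!/usr/bin/env sh
# vault-ad-auth.sh: steps 1-5 and 7 of the post as one script, with the fixes a
# reviewer would ask for. Added example, not from the original post.
# Assumed placeholders (edit for your environment): ldaps://server.domain.name,
# dc=domain,dc=name, the "IT" group and policy, and the bind-password file path.
set -eu

POLICY_NAME="${POLICY_NAME:-IT}"
AD_GROUP="${AD_GROUP:-IT}"
LDAP_URL="${LDAP_URL:-ldaps://server.domain.name}"   # LDAPS, never plain ldap://
BASE_DN="${BASE_DN:-dc=domain,dc=name}"
UPN_DOMAIN="${UPN_DOMAIN:-domain.name}"
BIND_DN="${BIND_DN:-cn=vault,ou=Users,${BASE_DN}}"

# Step 1: render the policy. KV v2 keeps secret contents under secret/data/<p>
# and the key listing under secret/metadata/<p>, so "list" belongs on metadata.
render_policy() {
  p="$1"
  cat <<EOF
path "secret/data/${p}" {
  capabilities = ["create", "read", "update", "delete"]
}
path "secret/data/${p}/*" {
  capabilities = ["create", "read", "update", "delete"]
}
path "secret/metadata/${p}/*" {
  capabilities = ["list", "read"]
}
EOF
}

# Step 2: write the policy from stdin ("-") instead of a loose .hcl file.
write_policy() { render_policy "$2" | vault policy write "$1" -; }

# Step 3: enable the LDAP auth method once; re-running the script must not fail.
enable_ldap() {
  if vault auth list -format=json | grep -q '"ldap/"'; then return 0; fi
  vault auth enable ldap
}

# Step 4: write the config. The bind password is read by the Vault CLI from a
# file (bindpass=@file), so it never appears in argv, ps output or history.
configure_ldap() {
  bindpass_file="$1"
  vault write auth/ldap/config \
    url="${LDAP_URL}" \
    userdn="ou=Users,${BASE_DN}" \
    userattr="sAMAccountName" \
    groupdn="ou=Groups,${BASE_DN}" \
    groupfilter='(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))' \
    groupattr="cn" \
    binddn="${BIND_DN}" \
    bindpass="@${bindpass_file}" \
    upndomain="${UPN_DOMAIN}"
}

# Step 5: map the AD group (matched on its cn) to the Vault policy.
map_group() { vault write "auth/ldap/groups/$1" policies="$2"; }

# Step 7: verify the current token has every capability listed, and refuse to
# pass vacuously while the caller is still logged in as root.
check_capabilities() {
  path="$1"; shift
  caps="$(vault token capabilities "$path" | tr -d ' ')"
  if [ "$caps" = "root" ]; then
    echo "still using the root token; run step 6 as the AD user first" >&2
    return 1
  fi
  for want in "$@"; do
    case ",${caps}," in
      *",${want},"*) ;;
      *) echo "missing capability '${want}' on ${path}" >&2; return 1 ;;
    esac
  done
}

setup() {
  write_policy "${POLICY_NAME}" "${POLICY_NAME}"
  enable_ldap
  configure_ldap "$1"
  map_group "${AD_GROUP}" "${POLICY_NAME}"
  echo "Done. Step 6: vault login -method=ldap username=<sAMAccountName>"
  echo "then: $0 check secret/data/${POLICY_NAME} create read update delete"
}

case "${1:-}" in
  setup) setup "${2:?usage: $0 setup /path/to/bind-password-file}" ;;
  check) shift; check_capabilities "$@" ;;
  "") ;;   # no arguments: only define the functions
  *) echo "usage: $0 setup <bind-password-file> | $0 check <path> <capability>..." >&2; exit 2 ;;
esac
```

Run it as sh vault-ad-auth.sh setup /run/secrets/vault-bindpass with VAULT_ADDR and a privileged VAULT_TOKEN in the environment, then log in as the AD user (step 6) and run sh vault-ad-auth.sh check secret/data/IT create read update delete. The check deliberately fails while the root token is still in use, because root passes any capability check and would hide a broken group mapping.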