
ldap support

Open ghakfoort opened this issue 4 years ago • 8 comments

It would be nice if LDAP can be used for authentication of users.

ghakfoort avatar Jan 15 '21 04:01 ghakfoort

Hi @ghakfoort, while we are actively investing in an OIDC auth method that will be available in an upcoming release, we do not yet have a timeline for support of LDAP. Longterm, we'll also look to add support for additional auth protocols, like LDAP, in the future. We'll keep this issue open so that community members can upvote it and show their support for us adding the feature.

covetocove avatar Jan 19 '21 20:01 covetocove

We also would like to see support for LDAP or Kerberos, etc. Is there any good starting point to add such an AuthMethod based on a contribution?

martinscholz83 avatar Mar 02 '21 20:03 martinscholz83

+1

chris93111 avatar Jun 18 '21 19:06 chris93111

LDAP is a pretty much do-not-pass-go item for me, since often my OIDC providers are all running on Nomad. I intend to use Boundary to access the Nomad API, and so this sets up a fantastic circular dependency to resolve. I suspect that this is not an uncommon use-case either, given that the various parts of the hashistack can't set additional auth values that would be needed for a beyondcorp style access model.

Given that LDAP is far more widely deployed in enterprise than OIDC as well, this seems like a no-brainer.

the-maldridge avatar Aug 16 '21 16:08 the-maldridge

+1

bourribab avatar Dec 06 '21 15:12 bourribab

While Boundary does not yet support a native LDAP authentication method, Boundary users may be interested in a workaround available using HashiCorp Vault's OIDC provider capabilities released in Vault 1.9.

As of Vault 1.9, Boundary users can delegate authentication to many of Vault's supported auth methods (including LDAP). Those interested can read more about this capability here, and try out an example of authentication delegated to Vault with this tutorial, which uses Boundary authentication via Vault's username/password auth method as an example.

covetocove avatar Dec 22 '21 04:12 covetocove

When you say "delegate to" what does this actually look like? My understanding was the OIDC experience in Vault was still kind of clunky as far as redirection went. i.e. if a user is signing in for the first time they would get bounced around on first sign in more than other oidc providers.

the-maldridge avatar Dec 22 '21 04:12 the-maldridge

@the-maldridge, excellent question! Vault can act as an OIDC provider intermediary for Boundary and other client applications. In practice, this allows Vault to authenticate users for client applications, e.g. Boundary, using its broad ecosystem of supported auth methods, which includes LDAP.

Once Vault authentication is configured for Boundary the login user experience could be as follows:

  • The user connects to Boundary, where they select Vault as an authentication provider.
  • Boundary redirects them to Vault’s web interface, where they can choose from their Vault environment's available onboarded identity providers (IDPs), and log in with that provider. This may include an LDAP provider via Vault's LDAP auth method, if one has been configured for that Vault environment.
  • The user is redirected back to Boundary, and Vault sends a Javascript Web Token (JWT) back to Boundary which proves that the user is who they say they are.
  • Boundary accepts the user and continues as normal.

Configuring the login workflow above requires adding an OIDC auth method to your Boundary environment for the Vault cluster you will be using for authentication. A tutorial for configuring a proof-of-concept of this workflow for Vault's username/password auth method is available here. This could be configured for LDAP by swapping out the username/password auth method for an LDAP one.

covetocove avatar Dec 22 '21 19:12 covetocove

Great news everyone, LDAP has been added to Boundary OSS in our latest 0.13 release! For more information, see the 0.13 release notes and changelog.

Note: this is currently a Beta release since LDAP auth method management is not fully instrumented in the browser UI at the moment, but it is fully instrumented in the CLI. Browser UI management will be coming in a future release.

xingluw avatar Jun 13 '23 16:06 xingluw