Authenticating based on multiple "groupdn" values?
Environment:
- Vault Version: 0.8.3
- Operating System/Architecture: Linux x86_64
I've setup our LDAP authentication like this:
VAULT=/apps/vault/bin/vault
BIND_GENERIC_USERID="ldap_generic"
BIND_GENERIC_PASSWORD="SomePassword"
$VAULT auth-enable ldap
# Port 3269 is the Active Directory global catalog over TLS.
# insecure_tls=true disables verification of the directory server's certificate;
# the original also passed tls-skip-verify=true, which is a flag of the vault CLI
# itself and not an LDAP auth config parameter, so it is dropped here.
# tls_min_version="tls10" still permits TLS 1.0 connections to the directory.
$VAULT write auth/ldap/config \
    url="ldaps://ds-mycorp.example.com:3269" \
    insecure_tls=true \
    binddn="cn=$BIND_GENERIC_USERID,OU=Generics,OU=MyCorp Users,DC=example,DC=com" \
    bindpass="$BIND_GENERIC_PASSWORD" \
    userdn="ou=MyCorp Users,dc=example,dc=com" \
    groupdn="ou=Organizational,ou=MyCorp Groups,dc=example,dc=com" \
    groupattr="cn" \
    groupfilter="(member={{.UserDN}})" \
    tls_min_version="tls10"
# groupdn is the base of the subtree search that runs groupfilter; a group is
# only discovered if its entry sits below this DN. groupattr names the attribute
# (here cn) whose value is matched against auth/ldap/groups/<name>.
$VAULT write auth/ldap/groups/group.crashteam policies=crashfix
So far, so good - this gives access to the “crashfix” policy to anyone who has an LDAP entry like this:
memberOf: CN=group.crashteam,OU=Organizational,OU=MyCorp Groups,DC=example,DC=com
But I'd also like to give different levels of access to members of groups that are not "Organizational" groups within our company. For instance, I might apply a "hotfix" policy to someone with this LDAP entry:
memberOf: CN=hotfix-admins,OU=Mailer,OU=MyCorp Groups,DC=example,DC=com
But the "groupdn" attribute in my LDAP configuration is already bound to "ou=Organizational…", and I don't know how to have it look at another groupdn ("ou=Mailer…").
Is such a thing possible? Can Vault be configured to use both OU=Organizational… and OU=Mailer… for authorization?
I've got the same requirement. Did you get it to work by now? Thanks :-)
Update: I could resolve the issue by mounting a second ldap backend as described here: https://github.com/hashicorp/vault/issues/2260#issuecomment-292768512
Yes, in my case I simply widened the scope of the "groupdn" attribute to a level that was common for both OUs that I wanted to support. Since I wanted to do:
memberOf: CN=group.crashteam,OU=Organizational,OU=MyCorp Groups,DC=example,DC=com
memberOf: CN=hotfix-admins,OU=Mailer,OU=MyCorp Groups,DC=example,DC=com
I changed my groupdn line from:
groupdn="ou=Organizational,ou=MyCorp Groups,dc=example,dc=com" \
to:
groupdn="ou=MyCorp Groups,dc=example,dc=com" \
My company's LDAP is a mess: team A is in groupdn="cn=teama,ou=MyCorp Groups,dc=example,dc=com", team B is in groupdn="cn=teamb,ou=poorldapdesign,dc=example,dc=com".
They have no shared OU in my case. I just wanted to point out that the following works and lets you assign rights to both groups / it'll discover them both (I'm guessing it's just an inefficient query):
groupdn="dc=example,dc=com"
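As an added illustration of the two workarounds in this thread (widening groupdn to the common parent OU, or all the way to the domain root), here is a small Python model, not Vault's own code, of how the LDAP auth method's group lookup is scoped: groupdn acts as a subtree search base, the group name is taken from the leading RDN (groupattr="cn"), and that name is looked up in the policies stored under auth/ldap/groups/<name>. The memberOf list and the policy map are constructed sample data; Vault actually runs an LDAP subtree search with groupfilter rather than reading memberOf, and escaped commas inside DN values are not handled.

```python
# Added example, not Vault's own code: a model of how the LDAP auth method's group
# lookup is scoped by groupdn, showing why a narrow base misses groups in sibling OUs.
# Vault really issues an LDAP subtree search (base=groupdn, filter=groupfilter) and
# reads groupattr from each hit; here the user's memberOf values stand in for that
# result. Escaped commas inside DN values are deliberately not handled.
from typing import Dict, List, Tuple

# Constructed sample data modelled on the groups discussed in this thread.
MEMBER_OF = [
    "CN=group.crashteam,OU=Organizational,OU=MyCorp Groups,DC=example,DC=com",
    "CN=hotfix-admins,OU=Mailer,OU=MyCorp Groups,DC=example,DC=com",
    "CN=teamb,OU=poorldapdesign,DC=example,DC=com",
]
# What `vault write auth/ldap/groups/<name> policies=...` would have stored.
GROUP_POLICIES = {
    "group.crashteam": ["crashfix"],
    "hotfix-admins": ["hotfix"],
    "teamb": ["teamb-policy"],  # hypothetical policy name
}

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs; DN matching is case-insensitive."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def under_base(group_dn: str, base_dn: str) -> bool:
    """True when group_dn lies strictly below base_dn (a subtree-scoped search)."""
    g, b = parse_dn(group_dn), parse_dn(base_dn)
    return len(g) > len(b) and g[-len(b):] == b

def resolve_policies(member_of: List[str], groupdn: str,
                     group_policies: Dict[str, List[str]],
                     groupattr: str = "cn") -> List[str]:
    """Policies granted via groups that are both under groupdn and mapped in Vault."""
    granted: List[str] = []
    for dn in member_of:
        if not under_base(dn, groupdn):
            continue  # outside the search base: the group is never discovered
        attr, name = parse_dn(dn)[0]  # leading RDN supplies the group name
        if attr != groupattr:
            continue
        for policy in group_policies.get(name, []):
            if policy not in granted:
                granted.append(policy)
    return granted
```

With the original base only "crashfix" is granted; "ou=MyCorp Groups,dc=example,dc=com" adds "hotfix", and "dc=example,dc=com" also reaches the group in the unrelated OU.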
Issues that are not reproducible and/or not had any interaction for a long time are stale issues. Sometimes even the valid issues remain stale lacking traction either by the maintainers or the community. In order to provide faster responses and better engagement with the community, we strive to keep the issue tracker clean and the issue count low. In this regard, our current policy is to close stale issues after 30 days. Closed issues will still be indexed and available for future viewers. If users feel that the issue is still relevant but is wrongly closed, we encourage reopening them.
Please refer to our contributing guidelines for details on issue lifecycle.
I'm curious if this has been revisited in recent (1.11.x) versions of Vault with the parameters groupfilter, userfilter and the Go template language?
Hey @dswhite42, can you kindly update and state if / how this may still be relevant for you.
I believe this request is no longer relevant and may be closed.
I'm going to go ahead and close this issue now. Please feel free to open a new one if needed - note, we accept bug reports and enhancement requests for "n-2" versions of Vault, which as of this writing would be 1.10+. Thanks!