In this post, HashiCorp Vault will be integrated with LDAP. It is good security practice to store all secrets in a secrets engine instead of in notepad-like programs, but it is equally crucial to control who has access to what. So, in this post, we will integrate HashiCorp Vault with the LDAP groups that we created in the previous post.
We have the following users and user groups for this lab.
ldapsearch -Z -H ldap://ldap.homelab.io -x -W -D "cn=ldapadm,ou=users,dc=homelab,dc=io" -b "cn=vault_user,ou=global,ou=vault,ou=groups,dc=homelab,dc=io" -LLL
dn: cn=vault_user,ou=global,ou=vault,ou=groups,dc=homelab,dc=io
objectClass: groupOfNames
cn: vault_user
description: Vault user
member: cn=mit001,ou=people,ou=it,dc=homelab,dc=io
ldapsearch -Z -H ldap://ldap.homelab.io -x -W -D "cn=ldapadm,ou=users,dc=homelab,dc=io" -b "cn=vault_admin,ou=global,ou=vault,ou=groups,dc=homelab,dc=io" -LLL
Enter LDAP Password:
dn: cn=vault_admin,ou=global,ou=vault,ou=groups,dc=homelab,dc=io
objectClass: groupOfNames
cn: vault_admin
description: Vault Administrator
member: cn=mit002,ou=people,ou=it,dc=homelab,dc=io
Initial Configuration
In order to connect to the secrets engine you need to set VAULT_ADDR and VAULT_TOKEN. If you have just deployed Vault, you have to use the root token for the initial configuration.
export VAULT_ADDR='http://localhost:8200'
export VAULT_TOKEN='<Your Token here >'
Enable LDAP authentication
vault auth enable ldap
Success! Enabled ldap auth method at: ldap/
After enabling the LDAP auth method, the next step is to specify the LDAP server URL, the bind DN and its password, the user DN and the group DN.
Configuring LDAP
vault write auth/ldap/config \
url="ldap://ldap.homelab.io" \
insecure_tls=false \
starttls=true \
anonymous_group_search=false \
deny_null_bind=true \
userattr="cn" \
userdn="ou=people,ou=it,dc=homelab,dc=io" \
groupdn="ou=global,ou=vault,ou=groups,dc=homelab,dc=io" \
binddn="cn=ldapadm,ou=users,dc=homelab,dc=io" \
groupattr="cn" \
bindpass='<bind password here>'
vault read auth/ldap/config
With insecure_tls=false the connection failed with the following error, so I had to set it to true for this lab. For production it is highly recommended not to set it to true! The error means the LDAP server certificate carries the hostname only in the legacy Common Name field and has no Subject Alternative Name; the proper fix is to reissue the LDAP server certificate with a SAN for ldap.homelab.io (and point the certificate parameter at the issuing CA) rather than disabling certificate verification.
Authentication failed: 1 error occurred: * error connecting to host "ldap://ldap.homelab.io": LDAP Result Code 200 "Network Error": TLS handshake failed (x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0)
Adding a Sample Secret (KV Version 2)
To test our policies, we will create a sample secret.
vault kv put secret/infrastructre/IBM/ilo user=USERID password=S3cret
vault kv get secret/infrastructre/IBM/ilo
Creating Policy Files
Policies give granular access to the secrets.
ilo_admin.hcl
# "list" on metadata is required for the user to browse (list) the paths between the secrets.
path "secret/metadata/*" {
capabilities = ["list"]
}
path "secret/data/infrastructre/IBM/ilo" {
capabilities = ["create", "read", "update", "delete", "list"]
}
Note: ACL paths differ slightly between KV version 1 and version 2. A version 2 mount serves secret data under secret/data/<path> and metadata under secret/metadata/<path>, so the policy must name those prefixes rather than the path you pass to vault kv. For more information, check the Vault KV secrets engine documentation.
ilo_rouser.hcl
path "secret/metadata/*" {
capabilities = ["list"]
}
vault policy write ilo_admin ilo_admin.hcl
vault policy write ilo_rouser ilo_rouser.hcl
Mapping Vault Policies to LDAP Groups
vault write auth/ldap/groups/vault_user policies=ilo_rouser
vault write auth/ldap/groups/vault_admin policies=ilo_admin
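To see why the two policies above, once mapped to the LDAP groups, produce the results in the experiment below, here is an added example (not code from the post or from Vault) that models Vault's ACL matching in a simplified way: exact path match beats a trailing "*" glob, a longer glob beats a shorter one, and capabilities of equally specific rules are unioned. It also shows the KV v2 path translation from the note above. Vault's real engine additionally handles deny rules, "+" wildcards and parameter constraints, which this model omits.

```python
# Added example, not code from the post: a simplified model of Vault's ACL matching
# (exact match beats a trailing "*" glob, longer glob beats shorter, capabilities of
# equally specific rules are unioned). Deny rules and "+" wildcards are omitted.

# Policies from the post as (path glob, capabilities) rules.
POLICIES = {
    "ilo_admin": [
        ("secret/metadata/*", {"list"}),
        ("secret/data/infrastructre/IBM/ilo",
         {"create", "read", "update", "delete", "list"}),
    ],
    "ilo_rouser": [("secret/metadata/*", {"list"})],
}

# LDAP group -> policies, mirroring 'vault write auth/ldap/groups/<group> policies=...'.
GROUP_POLICIES = {"vault_user": ["ilo_rouser"], "vault_admin": ["ilo_admin"]}

def kv2_api_path(kv_path: str, op: str) -> str:
    """Map a 'vault kv' path on a KV v2 mount to the API path the ACL actually sees:
    get/put go to <mount>/data/<path>, list goes to <mount>/metadata/<path>."""
    mount, _, rest = kv_path.partition("/")
    return f"{mount}/{'metadata' if op == 'list' else 'data'}/{rest}"

def specificity(glob: str, path: str):
    """None if the rule does not match, else a rank: exact > glob, longer > shorter."""
    if glob == path:
        return (1, len(glob))
    if glob.endswith("*") and path.startswith(glob[:-1]):
        return (0, len(glob) - 1)
    return None

def capabilities_for(groups, api_path: str) -> set:
    """Union the capabilities of the most specific matching rules across the groups' policies."""
    matches = []
    for group in groups:
        for policy in GROUP_POLICIES.get(group, []):
            for glob, caps in POLICIES[policy]:
                rank = specificity(glob, api_path)
                if rank is not None:
                    matches.append((rank, caps))
    if not matches:
        return set()
    best = max(rank for rank, _ in matches)
    return set().union(*(caps for rank, caps in matches if rank == best))

def allowed(groups, kv_path: str, op: str) -> bool:
    """Would 'vault kv <op> kv_path' succeed for a token carrying these LDAP groups' policies?"""
    return op in capabilities_for(groups, kv2_api_path(kv_path, op))
```

allowed(["vault_user"], "secret/infrastructre/IBM/ilo", "read") is False because ilo_rouser only matches secret/metadata/*, while the same call for ["vault_admin"] is True.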
Experiment
It is time to test whether we configured everything properly.
Try accessing the secret as a user in the LDAP group “vault_user” (mit001):
vault login -method=ldap --address=http://127.0.0.1:8200 username=mit001
vault kv get secret/infrastructre/IBM/ilo
Error reading secret/data/infrastructre/IBM/ilo: Error making API request.
URL: GET http://127.0.0.1:8200/v1/secret/data/infrastructre/IBM/ilo
Code: 403. Errors:
* 1 error occurred:
* permission denied
Try accessing the secret as a user in the LDAP group “vault_admin” (mit002):
vault login -method=ldap --address=http://127.0.0.1:8200 username=mit002
vault kv get secret/infrastructre/IBM/ilo
====== Metadata ======
Key Value
--- -----
created_time 2021-01-10T16:48:30.440483556Z
deletion_time n/a
destroyed false
version 2
====== Data ======
Key Value
--- -----
password S3cret
user USERID
The result above shows that we successfully mapped HashiCorp Vault policies to LDAP groups.