HashiCorp Vault LDAP Integration

In this post, HashiCorp Vault will be integrated with LDAP. It is good security practice to store all secrets in the secrets engine instead of in notepad-like programs, but it is just as crucial to be able to answer the question "who has access to what?". So, in this post, we will integrate HashiCorp Vault with the LDAP groups that we created in the previous .

We have the following users and user groups for this lab.

ldapsearch -Z -H ldap:// -x -W -D "cn=ldapadm,ou=users,dc=homelab,dc=io" -b "cn=vault_user,ou=global,ou=vault,ou=groups,dc=homelab,dc=io" -LLL

dn: cn=vault_user,ou=global,ou=vault,ou=groups,dc=homelab,dc=io
objectClass: groupOfNames
cn: vault_user
description: Vault user
member: cn=mit001,ou=people,ou=it,dc=homelab,dc=io

ldapsearch -Z -H ldap:// -x -W -D "cn=ldapadm,ou=users,dc=homelab,dc=io" -b "cn=vault_admin,ou=global,ou=vault,ou=groups,dc=homelab,dc=io" -LLL
Enter LDAP Password: 
dn: cn=vault_admin,ou=global,ou=vault,ou=groups,dc=homelab,dc=io
objectClass: groupOfNames
cn: vault_admin
description: Vault Administrator
member: cn=mit002,ou=people,ou=it,dc=homelab,dc=io

Initial Configuration

In order to connect to the secrets engine you need to set the Vault address and a Vault token. If you have just deployed Vault, you have to use the root token for the initial configuration.

export VAULT_ADDR='http://localhost:8200'
export VAULT_TOKEN='<Your Token here >'

Enable LDAP authentication

vault auth enable ldap
Success! Enabled ldap auth method at: ldap/

After enabling the LDAP auth method, the next step is to specify the LDAP server URL, the LDAP user DN and the LDAP group DN.

Configuring LDAP

vault write auth/ldap/config \
    url="ldap://" \
    insecure_tls=false \
    starttls=true \
    anonymous_group_search=false \
    deny_null_bind=true \
    userattr="cn" \
    userdn="ou=people,ou=it,dc=homelab,dc=io" \
    groupdn="ou=global,ou=vault,ou=groups,dc=homelab,dc=io" \
    binddn="cn=ldapadm,ou=users,dc=homelab,dc=io" \
    groupattr="cn" \
    certificate=@CA.pem

vault read auth/ldap/config

With insecure_tls=false, login produced the following error, so for this lab I had to set insecure_tls=true. For production it is highly recommended not to set it to true! The error message itself names the proper fix: issue the LDAP server a certificate whose hostname is in the Subject Alternative Name (SAN) extension rather than only in the legacy Common Name field, and keep insecure_tls=false.

Authentication failed: 1 error occurred: * error connecting to host "ldap://": LDAP Result Code 200 "Network Error": TLS handshake failed (x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0)

Adding a Sample Secret (KV Version 2)

To test our policies, we will create a sample secret.

vault kv put secret/infrastructre/IBM/ilo user=USERID password=S3cret
vault kv get secret/infrastructre/IBM/ilo

Creating Policy Files

Policies give granular access to secrets. The two policy files used in this lab are shown below.

# ilo_admin.hcl
# metadata access is required for the user to traverse between the paths.
path "secret/metadata/*" {
  capabilities = ["list"]
}

path "secret/data/infrastructre/IBM/ilo" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

Note: There is a little difference between KV version 1 and version 2 when you define an ACL: on a KV v2 mount, secrets live under secret/data/... and their metadata under secret/metadata/..., so the policy must reference those prefixed paths rather than the bare secret/... path you pass to the CLI. For more information check

# ilo_rouser.hcl
path "secret/metadata/*" {
  capabilities = ["list"]
}

vault policy write ilo_admin ilo_admin.hcl
vault policy write ilo_rouser ilo_rouser.hcl

Mapping Vault Policies to LDAP Groups

vault write auth/ldap/groups/vault_user policies=ilo_rouser
vault write auth/ldap/groups/vault_admin policies=ilo_admin
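To make the chain LDAP group -> Vault policy -> secret path concrete, here is an added example (not code from this post or from HashiCorp) that takes the LDIF group entries, the two policy files and the group-to-policy mapping shown above and answers "who can read the ilo secret?". It models Vault's policy path matching in a simplified way (`+` matches one segment, a trailing `*` matches any suffix, the longest matching rule wins, `deny` overrides); the helper names `who_can`, `allowed`, `kv2_read_path` and the inputs are constructed for this example. It also shows why `vault kv get secret/infrastructre/IBM/ilo` on a KV v2 mount is evaluated against `secret/data/infrastructre/IBM/ilo`.

```python
import re

# --- constructed inputs: the LDIF, policies and mapping from this post ---
LDIF = """\
dn: cn=vault_user,ou=global,ou=vault,ou=groups,dc=homelab,dc=io
objectClass: groupOfNames
cn: vault_user
description: Vault user
member: cn=mit001,ou=people,ou=it,dc=homelab,dc=io

dn: cn=vault_admin,ou=global,ou=vault,ou=groups,dc=homelab,dc=io
objectClass: groupOfNames
cn: vault_admin
description: Vault Administrator
member: cn=mit002,ou=people,ou=it,dc=homelab,dc=io
"""

POLICIES = {
    "ilo_admin": '''
path "secret/metadata/*" {
  capabilities = ["list"]
}
path "secret/data/infrastructre/IBM/ilo" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
''',
    "ilo_rouser": '''
path "secret/metadata/*" {
  capabilities = ["list"]
}
''',
}

# equivalent of: vault write auth/ldap/groups/<group> policies=<policy>
GROUP_POLICIES = {"vault_user": ["ilo_rouser"], "vault_admin": ["ilo_admin"]}

RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl: str):
    """Extract (path pattern, capabilities) rules from the simple HCL form above."""
    return [(m.group(1), [c.strip().strip('"') for c in m.group(2).split(",") if c.strip()])
            for m in RULE_RE.finditer(hcl)]


def parse_ldif_groups(ldif: str):
    """Map group cn -> set of member names (the cn RDN of each member DN)."""
    groups = {}
    for entry in ldif.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        if "groupOfNames" in attrs.get("objectClass", []):
            members = {m.split(",")[0].split("=", 1)[1] for m in attrs.get("member", [])}
            groups[attrs["cn"][0]] = members
    return groups


def path_matches(pattern: str, path: str) -> bool:
    """Simplified Vault matching: '+' matches one segment, a trailing '*' any suffix."""
    glob = pattern.endswith("*")
    pat = (pattern[:-1] if glob else pattern).split("/")
    segs = path.split("/")
    if glob:
        if len(segs) < len(pat):
            return False
        head_ok = all(p in ("+", s) for p, s in zip(pat[:-1], segs))
        return head_ok and segs[len(pat) - 1].startswith(pat[-1])
    return len(pat) == len(segs) and all(p in ("+", s) for p, s in zip(pat, segs))


def allowed(policy_names, path: str, capability: str) -> bool:
    """Per policy take the closest (longest) matching rule, union the capabilities,
    and honour an explicit deny. A model of Vault's evaluation, not a copy of it."""
    caps = set()
    for name in policy_names:
        matches = [(pat, c) for pat, c in parse_policy(POLICIES[name]) if path_matches(pat, path)]
        if matches:
            _, c = max(matches, key=lambda rule: len(rule[0]))
            caps.update(c)
    return "deny" not in caps and capability in caps


def kv2_read_path(mount: str, key: str) -> str:
    """'vault kv get <mount>/<key>' on a KV v2 mount reads <mount>/data/<key>."""
    return f"{mount}/data/{key}"


def who_can(path: str, capability: str):
    """Answer 'who has access to what': user -> bool via LDAP group -> Vault policy."""
    result = {}
    for group, members in parse_ldif_groups(LDIF).items():
        policies = GROUP_POLICIES.get(group, [])
        for user in members:
            result[user] = allowed(policies, path, capability)
    return result


if __name__ == "__main__":
    target = kv2_read_path("secret", "infrastructre/IBM/ilo")
    for user, ok in sorted(who_can(target, "read").items()):
        print(f"{user}: read {target} -> {'allowed' if ok else 'denied'}")
```

Running it reports that mit001 (vault_user, policy ilo_rouser) is denied and mit002 (vault_admin, policy ilo_admin) is allowed, which is exactly the 403 and the successful read seen in the tests further down: ilo_rouser only grants list on the metadata path, so a read on secret/data/... has no matching rule.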


It is time to test whether we configured everything properly.

Try to access the secret as a user in the LDAP group "vault_user" (mit001, the member listed in that group above):

vault login -method=ldap --address= username=mit001
vault kv get secret/infrastructre/IBM/ilo
Error reading secret/data/infrastructre/IBM/ilo: Error making API request.

Code: 403. Errors:

* 1 error occurred:
	* permission denied

Try to access the secret as a user in the LDAP group "vault_admin" (mit002):

vault login -method=ldap --address= username=mit002
vault kv get secret/infrastructre/IBM/ilo
====== Metadata ======
Key              Value
---              -----
created_time     2021-01-10T16:48:30.440483556Z
deletion_time    n/a
destroyed        false
version          2

====== Data ======
Key         Value
---         -----
password    S3cret
user        USERID

The results above show that we successfully mapped HashiCorp Vault policies to LDAP groups: the vault_user member is denied and the vault_admin member can read the secret.