Using vault auth-policies with ldap
Working with HashiCorp Vault's authentication policies in conjunction with LDAP (Lightweight Directory Access Protocol) allows you to manage access control based on your existing LDAP directory. Vault's LDAP authentication method authenticates users against an LDAP server and maps their LDAP group memberships to Vault policies (and, optionally, identity groups) that grant or restrict access to secrets.
Let's go through an example of setting up LDAP authentication with Vault using Pulumi. We'll define two main components:
- LDAP Authentication Backend: This configures Vault to authenticate against an LDAP server.
- LDAP Groups: These map LDAP groups to a set of Vault policies, which define the level of access.
To manage these components with Pulumi, you can use the `vault` provider. Before you run the following Pulumi program, you need to set up Vault and have its address and token available in your environment (the provider reads `VAULT_ADDR` and `VAULT_TOKEN`), as well as your LDAP server details.

Here's a TypeScript program that defines an LDAP auth backend and associates an LDAP group with a set of policies:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

// Create an LDAP authentication backend.
const ldapAuth = new vault.ldap.AuthBackend("ldapAuth", {
    // URL of the LDAP server, in the form "ldap://<hostname>:<port>" (or "ldaps://..." for TLS).
    url: "ldap://ldap.example.com:389",
    // Distinguished name (DN) of the user to bind with the LDAP server.
    // This user should have permission to perform user/group lookups.
    binddn: "cn=read-only-admin,dc=example,dc=com",
    // The bind user's password. `bindpass` is a plain string input, not an object.
    // Replace the placeholder with the real password or, better, read it as a
    // Pulumi secret: new pulumi.Config().requireSecret("ldapBindPassword").
    bindpass: "READ_ONLY_ADMIN_PASSWORD",
    // Base DN under which to perform user search.
    userdn: "ou=Users,dc=example,dc=com",
    // Base DN under which to perform group search.
    groupdn: "ou=Groups,dc=example,dc=com",
    // Specifies if Vault should use StartTLS. With a plain ldap:// URL and
    // starttls: false, the bind password travels in cleartext.
    starttls: false,
    // Username attribute used in queries against the LDAP server.
    userattr: "uid",
    // Group attribute used in queries against the LDAP server.
    groupattr: "cn",
    // The domain to be used for UPN (User Principal Name) logins. Active Directory
    // only: when set, Vault binds as <user>@<domain> instead of searching `userdn`
    // by `userattr`, so it is left unset for the generic directory configured above.
    // upndomain: "example.com",
});

// Create an LDAP group. Users belonging to this group in LDAP will be
// associated with the policies defined here in Vault.
const ldapAdminGroup = new vault.ldap.AuthBackendGroup("ldapAdminGroup", {
    backend: ldapAuth.path,     // The mount path of the LDAP auth backend.
    groupname: "VaultAdmins",   // The name of the LDAP group.
    policies: ["admin-policy"], // The list of policies to associate with this group.
});

// This Pulumi program assumes that the "admin-policy" is already defined in Vault.
// If not, replace "admin-policy" with an actual policy name that exists in your Vault setup.

// Export the mount path of the LDAP auth backend.
export const ldapAuthPath = ldapAuth.path;
```
In this example, you would need to replace the placeholders such as `ldap://ldap.example.com:389`, `cn=read-only-admin,dc=example,dc=com`, and `"READ_ONLY_ADMIN_PASSWORD"` with your actual LDAP server details and credentials.

Explanation:
- LDAP Authentication Backend: This is created with the `vault.ldap.AuthBackend` resource. It defines how Vault connects to your LDAP server, including the URL of the server, the bind DN and password, and the user and group base DNs for searching users and groups within LDAP.
- LDAP Group: We use the `vault.ldap.AuthBackendGroup` resource to map an LDAP group to Vault policies. In this example, any user who is part of the `VaultAdmins` group in LDAP will be assigned the `admin-policy` in Vault, giving them admin-level access within Vault.
To apply these settings, run `pulumi up` after creating a new Pulumi project and pasting the above code into your `index.ts` file. Ensure that your `Pulumi.yaml` declares the Node.js runtime and that your `package.json` lists `@pulumi/vault` as a dependency (the TypeScript project template already adds `@pulumi/pulumi`):

```yaml
name: ldap-vault
runtime: nodejs
description: A Pulumi program to configure Vault with LDAP authentication.
```

```json
{
  "dependencies": {
    "@pulumi/vault": "^5.16.0"
  }
}
```
Remember to replace `^5.16.0` with the appropriate version of the Pulumi Vault package. This is a basic example to get started. For production use, you need to consider secure ways to handle secrets (`bindpass`), additional configuration parameters for the LDAP server, and the complete setup of the necessary Vault policies.
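The production caveats above (plaintext `bindpass`, transport settings, policy mapping) can be turned into a check that runs before `pulumi up`. The following is an added example, not code from the original page or from the Pulumi or Vault projects: a dependency-free TypeScript pre-flight validator over the same fields the backend above configures. The `LdapAuthConfig` shape, the placeholder list and the two sample configurations are assumptions constructed for this example.

```typescript
// Added example: a pre-flight check for the LDAP auth backend settings, run
// before `pulumi up`. Not part of the original page, Pulumi or Vault; the
// LdapAuthConfig shape and the placeholder list are assumptions for this example.

interface LdapAuthConfig {
  url: string;
  binddn: string;
  bindpass: string;
  userdn: string;
  groupdn: string;
  starttls: boolean;
  policies: string[]; // Vault policies mapped to the LDAP group
}

interface Finding {
  severity: "error" | "warning";
  message: string;
}

// Assumed placeholder values that must never reach a real deployment.
const PLACEHOLDER_SECRETS = ["READ_ONLY_ADMIN_PASSWORD", "password", "changeme", ""];

// A DN is a comma-separated list of attribute=value pairs, e.g. "ou=Users,dc=example,dc=com".
function isValidDn(dn: string): boolean {
  const parts = dn.split(",").map(p => p.trim());
  return parts.length > 0 && parts.every(p => /^[A-Za-z][A-Za-z0-9-]*=.+$/.test(p));
}

function checkLdapAuthConfig(cfg: LdapAuthConfig): Finding[] {
  const findings: Finding[] = [];

  // 1. Transport: the bind password is sent on every bind, so require ldaps:// or StartTLS.
  let parsed: URL | null = null;
  try { parsed = new URL(cfg.url); } catch { parsed = null; }
  if (!parsed || (parsed.protocol !== "ldap:" && parsed.protocol !== "ldaps:")) {
    findings.push({ severity: "error", message: `url must use ldap:// or ldaps://: ${cfg.url}` });
  } else if (parsed.protocol === "ldap:" && !cfg.starttls) {
    findings.push({ severity: "error", message: "bind password would travel in cleartext: use ldaps:// or set starttls: true" });
  }

  // 2. Distinguished names must at least be well-formed.
  const dns: [string, string][] = [["binddn", cfg.binddn], ["userdn", cfg.userdn], ["groupdn", cfg.groupdn]];
  for (const [field, dn] of dns) {
    if (!isValidDn(dn)) findings.push({ severity: "error", message: `${field} is not a valid DN: ${dn}` });
  }

  // 3. Secrets: reject the placeholder from the sample program.
  if (PLACEHOLDER_SECRETS.indexOf(cfg.bindpass) !== -1) {
    findings.push({ severity: "error", message: "bindpass is a placeholder; read it from Pulumi config secrets or a secret manager" });
  }

  // 4. Least privilege: an LDAP group must never be mapped to Vault's root policy.
  if (cfg.policies.indexOf("root") !== -1) {
    findings.push({ severity: "error", message: "policies must not include root" });
  }
  if (cfg.policies.length === 0) {
    findings.push({ severity: "warning", message: "group maps to no policies; members only get the default policy" });
  }
  return findings;
}

function isDeployable(cfg: LdapAuthConfig): boolean {
  return checkLdapAuthConfig(cfg).every(f => f.severity !== "error");
}

// Constructed sample inputs: the settings from the program above as written, and a hardened variant.
const pageConfig: LdapAuthConfig = {
  url: "ldap://ldap.example.com:389",
  binddn: "cn=read-only-admin,dc=example,dc=com",
  bindpass: "READ_ONLY_ADMIN_PASSWORD",
  userdn: "ou=Users,dc=example,dc=com",
  groupdn: "ou=Groups,dc=example,dc=com",
  starttls: false,
  policies: ["admin-policy"],
};

const hardenedConfig: LdapAuthConfig = {
  ...pageConfig,
  url: "ldaps://ldap.example.com:636",
  bindpass: "constructed-secret-value", // stand-in for a value read from Pulumi config secrets
};

console.log(checkLdapAuthConfig(pageConfig)); // two errors: cleartext bind, placeholder password
console.log(isDeployable(hardenedConfig));    // true
```

Run it with `npx ts-node preflight.ts` (file name assumed) from the project directory; wiring `isDeployable` into a CI step before `pulumi up` keeps the cleartext-bind and placeholder-password variants of the sample program from ever being applied.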