I have just started using Vault and am now trying to configure it with LDAP. Below is the configuration I am trying to use, but what I want is a way to restrict login to some specific users.
I want to filter the users so that only some specific users can log in to Vault with their LDAP credentials, because my Active Directory contains all my company's users and I don't want them to access the vault at all.
I have tried to use the `group_filter` like below, but it doesn't seem to work. As per below, only `userName1` and `userName2` should be able to log in and the rest should not:
```
url="ldap://ldap.systems:389" \
userattr=AccName \
userdn="OU=User Acc,DC=systems" \
groupdn="OU=User Acc,DC=systems" \
groupfilter="(&(objectClass=person)(|(AccName=userName1)(userName2)))" \
groupattr="memberOf" \
binddn="CN=SRV-vault,OU=Administrative Users,OU=User Acc,DC=systems" \
bindpass='yhr7dgbdfhkd8' \
insecure_tls=true \
starttls=true
```
I am very new to Vault, so any guidance is appreciated. Thanks.
I haven't used the LDAP auth backend, but from the documentation it looks like the `groupfilter` is for deciding which groups a user belongs to, not for filtering which users can log in. If you can't find a way to completely block any login by other users, you can instead only allow access to secrets by `userName1` and `userName2`. To do that, just set up Entities for those two users, use Aliases to link the Entities to the LDAP users, and provide access permissions to those Entities. Anyone else logging in should find that they are refused access to everything.