When users log in to Vault, their FreeIPA group membership is not propagated to Vault automatically; the LDAP auth method has to be configured to look groups up (see the `groupdn`/`groupfilter` settings below).
Follow the instructions on https://computingforgeeks.com/install-and-configure-freeipa-server-on-ubuntu/
If the first login fails, run `chmod a+x /var/lib/krb5kdc` and restart the web server. Note that this widens permissions on the KDC state directory (it adds only the search/traverse bit, not read); confirm it is really required and that the files inside are still not world-readable before doing this outside a lab.
Create users (e.g. `mile.kitic`, plus a dedicated low-privilege bind account `vault` used only by Vault) and groups (`developers`, `sysaccounts`, `read-only`, …) in FreeIPA.
# Enable the LDAP auth method at its default mount path (auth/ldap/).
vault auth enable -path=ldap ldap
There are several ways to configure the LDAP bind; two are shown below: first with a dedicated bind (service) account, then without one, using DN discovery and the logging-in user's own credentials.
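# Option 1: bind with a dedicated, low-privilege service account (uid=vault).
#
# NOTE(review): ldap:// with starttls=false sends the bind password and every
# user's login password in cleartext, and insecure_tls=true additionally turns
# off certificate verification. Outside a lab use ldaps:// (or starttls=true),
# point certificate= at the FreeIPA CA and set insecure_tls=false.
#
# The bind password is taken from $VAULT_FREEIPA_PASSWORD. It must be in double
# quotes so the shell expands it; in single quotes Vault would store the literal
# string "${VAULT_FREEIPA_PASSWORD}" as the bind password. The value still ends
# up in shell history and `ps` output; bindpass=@/path/to/file avoids that.
#
# groupfilter is scoped to the logging-in user: a bare "(objectclass=ipausergroup)"
# matches every group under groupdn, so every user would inherit every mapped
# group's policies.
vault write auth/ldap/config \
  url="ldap://milekitic1c.mylabserver.com" \
  userdn="cn=users,cn=accounts,dc=mylabserver,dc=com" \
  userattr="uid" \
  groupdn="cn=groups,cn=accounts,dc=mylabserver,dc=com" \
  groupattr="cn" \
  binddn="uid=vault,cn=users,cn=accounts,dc=mylabserver,dc=com" \
  bindpass="${VAULT_FREEIPA_PASSWORD:?VAULT_FREEIPA_PASSWORD must be set}" \
  groupfilter="(&(objectclass=ipausergroup)(member={{.UserDN}}))" \
  starttls=false \
  insecure_tls=true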
Check the Vault config:
root@milekitic1c:~# vault read auth/ldap/config
Key Value
--- -----
binddn uid=vault,cn=users,cn=accounts,dc=mylabserver,dc=com
case_sensitive_names false
certificate n/a
deny_null_bind true
discoverdn false
groupattr cn
groupdn cn=groups,cn=accounts,dc=mylabserver,dc=com
groupfilter (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecure_tls true
starttls false
tls_max_version tls12
tls_min_version tls12
token_bound_cidrs []
token_explicit_max_ttl 0s
token_max_ttl 0s
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies []
token_ttl 0s
token_type default
upndomain n/a
url ldap://milekitic1c.mylabserver.com
use_pre111_group_cn_behavior false
use_token_groups false
userattr uid
userdn cn=users,cn=accounts,dc=mylabserver,dc=com
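# Option 2: no service account. With binddn/bindpass empty and discoverdn=true,
# Vault searches userdn for the user's DN and then binds with the user's own
# password; upndomain makes that bind use <username>@mylabserver.com.
#
# NOTE(review): UPN-style binds are an Active Directory convention; the login
# shown below succeeded against FreeIPA in this lab, but confirm the directory
# accepts them before relying on this. deny_null_bind stays at its default
# (true), so an empty password is still rejected.
#
# NOTE(review): ldap:// with starttls=false sends every user's password in
# cleartext and insecure_tls=true disables certificate verification. Outside a
# lab use ldaps:// (or starttls=true), set certificate= to the FreeIPA CA and
# insecure_tls=false.
#
# groupfilter is scoped to the logging-in user: a bare "(objectclass=ipausergroup)"
# matches every group under groupdn, so every user would inherit every mapped
# group's policies.
#
# token_ttl / token_max_ttl are left at the mount defaults here (the login
# below received a 768h token); set them explicitly for anything beyond a lab.
vault write auth/ldap/config \
  url="ldap://milekitic1c.mylabserver.com" \
  binddn="" \
  bindpass="" \
  userdn="cn=users,cn=accounts,dc=mylabserver,dc=com" \
  userattr="uid" \
  groupdn="cn=groups,cn=accounts,dc=mylabserver,dc=com" \
  groupattr="cn" \
  discoverdn=true \
  groupfilter="(&(objectclass=ipausergroup)(member={{.UserDN}}))" \
  upndomain="mylabserver.com" \
  starttls=false \
  insecure_tls=true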
Check the Vault config:
root@milekitic1c:~# vault read auth/ldap/config
Key Value
--- -----
binddn n/a
case_sensitive_names false
certificate n/a
deny_null_bind true
discoverdn true
groupattr cn
groupdn cn=groups,cn=accounts,dc=mylabserver,dc=com
groupfilter (objectclass=ipausergroup)
insecure_tls true
starttls false
tls_max_version tls12
tls_min_version tls12
token_bound_cidrs []
token_explicit_max_ttl 0s
token_max_ttl 0s
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies []
token_ttl 0s
token_type default
upndomain mylabserver.com
url ldap://milekitic1c.mylabserver.com
use_pre111_group_cn_behavior false
use_token_groups false
userattr uid
userdn cn=users,cn=accounts,dc=mylabserver,dc=com
Create a policy per group (or user) and map the FreeIPA group to it:
# developers_policy.hcl
# Read-only access to the "kv" mount for members of the FreeIPA "developers"
# group (mapped to this policy via auth/ldap/groups/developers).
# NOTE(review): the wildcard grants read/list on everything under the mount
# (for a KV v2 mount that includes kv/data/* and kv/metadata/*); narrow the
# path if developers should only see a subtree.
path "kv/*" {
  capabilities = ["list", "read"]
}
# Register the policy under the name "developers", then map the FreeIPA group
# of the same name to it. case_sensitive_names is false in the config above,
# so the group name here is expected in lowercase (confirm against your Vault
# version's normalisation).
vault policy write developers ./developers_policy.hcl
vault write auth/ldap/groups/developers policies="developers"
root@milekitic1c:~# vault login -method=ldap username=mile.kitic
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token s.<redacted>
token_accessor effgXHHJZqHrniBfOMRDfIRH
token_duration 768h
token_renewable true
token_policies ["default" "developers"]
identity_policies []
policies ["default" "developers"]
token_meta_username mile.kitic
https://github.com/mposolda/keycloak-freeipa-docker/blob/master/README.md
https://spoore.wordpress.com/2017/02/21/keycloak-and-freeipa-intro/
https://www.keycloak.org/docs/latest/server_admin/
https://shapeshed.com/hashicorp-vault-ldap/
https://www.burgundywall.com/post/hashicorp-vault-and-freeipa
https://computingforgeeks.com/install-and-configure-freeipa-server-on-ubuntu/