Example of configuring HashiCorp Vault to use LDAP for authentication
- Deploy the CloudFormation template infrastructure/cloudformation.json. The template creates a user with the following credentials and the minimal permissions required to complete the lab:
  - Username: student
  - Password: password
- In the Cloud9 environment terminal, install Vault:

      wget https://releases.hashicorp.com/vault/0.10.3/vault_0.10.3_linux_amd64.zip -O /tmp/vault.zip
      sudo unzip /tmp/vault.zip -d /usr/local/bin/
- Start the Vault server in development mode in a new terminal tab:

      vault server -dev
- In the original terminal tab, configure the Vault server address:

      export VAULT_ADDR='http://127.0.0.1:8200'
- Create a file named Engineering.hcl with the following Vault policy as its contents:

      path "secret/data/Engineering" {
        capabilities = ["create", "read", "update", "delete", "list"]
      }
- Write the policy into Vault:

      vault policy write engineering Engineering.hcl
- Enable the Vault LDAP auth method:

      vault auth enable ldap
- Write the following LDAP auth config. No binddn/bindpass is set, so Vault binds to the directory as the user itself, using the DN formed from userattr, the login name and userdn; group membership is then looked up under groupdn with groupfilter, and groupattr names the attribute read from each matching group. The url uses plain ldap://, so the bind password crosses the network unencrypted; outside the lab, use ldaps:// or set starttls=true so the credentials are protected in transit:

      vault write auth/ldap/config \
          url="ldap://ldap.ca-lab.private" \
          userattr="cn" \
          userdn="ou=Users,dc=ca-lab,dc=private" \
          groupdn="ou=Users,dc=ca-lab,dc=private" \
          groupfilter="(&(objectClass=groupOfNames)(member={{.UserDN}}))" \
          groupattr="cn"
- Map the Engineering LDAP group to the engineering Vault policy (Vault normalises policy names to lower case, so policies=Engineering resolves to the engineering policy written above):

      vault write auth/ldap/groups/Engineering policies=Engineering
- Log in to Vault using LDAP with the following command, and enter sheep as the password when prompted:

      vault login -method=ldap username='Jeremy Cook'
- Confirm that the resulting token has the capabilities granted by the engineering Vault policy:

      vault token capabilities secret/data/Engineering
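As an added illustration (not part of the lab, and not Vault's own code), the following Python models what the LDAP auth config, the group mapping and the policy above do with a login: it builds the bind DN from userattr and userdn, renders groupfilter, resolves the user's groups to policies and reports the capabilities on secret/data/Engineering. The in-memory directory contents and the escaping of values substituted into the filter are assumptions of the example, not a description of Vault's internals.

```python
import re
CONFIG = {  # values from the lab's `vault write auth/ldap/config` step
    "userattr": "cn",
    "userdn": "ou=Users,dc=ca-lab,dc=private",
    "groupdn": "ou=Users,dc=ca-lab,dc=private",
    "groupfilter": "(&(objectClass=groupOfNames)(member={{.UserDN}}))",
    "groupattr": "cn",
}
GROUP_POLICIES = {"Engineering": ["Engineering"]}  # auth/ldap/groups/Engineering policies=Engineering
POLICIES = {"engineering": {  # Engineering.hcl, stored under its lower-cased name
    "secret/data/Engineering": ["create", "read", "update", "delete", "list"]}}
# Constructed stand-in for the directory: one groupOfNames entry under groupdn.
DIRECTORY = [{"dn": "cn=Engineering,ou=Users,dc=ca-lab,dc=private", "objectClass": "groupOfNames",
              "cn": "Engineering", "member": ["cn=Jeremy Cook,ou=Users,dc=ca-lab,dc=private"]}]

def escape_dn_value(v):
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    return re.sub(r'([,+"\\<>;])', r"\\\1", v)

def escape_filter_value(v):
    """RFC 4515 escaping for a value substituted into a search filter (blocks filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in v)

def user_bind_dn(username, cfg=CONFIG):
    # No binddn/bindpass is configured, so Vault binds as <userattr>=<username>,<userdn>.
    return f"{cfg['userattr']}={escape_dn_value(username)},{cfg['userdn']}"

def render_group_filter(username, cfg=CONFIG):
    # {{.UserDN}} and {{.Username}} are the template variables Vault substitutes into groupfilter;
    # escaping the substituted values is the defensive choice modelled here (an assumption).
    user_dn = user_bind_dn(username, cfg)
    return (cfg["groupfilter"].replace("{{.UserDN}}", escape_filter_value(user_dn))
            .replace("{{.Username}}", escape_filter_value(username)))

def groups_for(username, cfg=CONFIG, directory=DIRECTORY):
    # Stand-in for the search under groupdn: groupattr of every group entry listing the user as member.
    user_dn = user_bind_dn(username, cfg)
    return [e[cfg["groupattr"]] for e in directory
            if e["dn"].endswith(cfg["groupdn"]) and e["objectClass"] == "groupOfNames"
            and user_dn in e["member"]]

def policies_for(groups):
    # Vault normalises policy names to lower case, so policies=Engineering resolves to "engineering".
    return sorted({p.lower() for g in groups for p in GROUP_POLICIES.get(g, [])})

def capabilities(policies, path):
    # Equivalent of `vault token capabilities <path>`: union of grants, or ["deny"] if none apply.
    caps = sorted({c for p in policies for c in POLICIES.get(p, {}).get(path, [])})
    return caps or ["deny"]
```

A user who is not a member of the Engineering group resolves to no policies and gets `deny` on the path, which is the result to expect from `vault token capabilities` for a token with no matching grant.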
- Delete the CloudFormation stack to remove all the resources used in the lab.