https://www.vaultproject.io/docs/auth/ldap.htmlのメモ。
動作確認したバージョンは以下。
$ vault version
Vault v1.1.3 ('9bc820f700f83a7c4bcab54c5323735a581b34eb')
$ vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 5
Threshold 3
Version 1.1.1
Cluster Name vault-cluster-7a8691e1
Cluster ID 9a5a7bcf-9664-9474-769f-09a2656a23c5
HA Enabled false
まずはLDAP Authを作成。
vault auth enable ldap
LDAPサーバーの情報を設定する。
vault write auth/ldap/config \
url="ldaps://ldap.example.com:636" \
userattr=cn \
userdn="ou=people,dc=example,dc=com" \
groupdn="ou=groups,dc=example,dc=com" \
groupattr="memberOf" \
binddn="cn=admin,dc=example,dc=com" \
bindpass="password" \
insecure_tls=false \
username_as_alias=true \
starttls=false
groupにはadministratorsとusersがある前提。
administrators groupに与えるpolicyを作成してマッピング。
vault policy write administrators -<<EOF
path "*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
EOF
vault write auth/ldap/groups/administrators policies=administrators
users groupに与えるpolicyを作成してマッピング。
vault policy write users -<<EOF
path "kv/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
EOF
vault write auth/ldap/groups/users policies=users
administratorsとusers groupに属するユーザーでログイン
$ vault login -method=ldap username=foobar
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token s.************************
token_accessor *********************
token_duration 768h
token_renewable true
token_policies ["administrators" "default" "users"]
identity_policies []
policies ["administrators" "default" "users"]
token_meta_username foobar