
I'm trying to set up a demonstration of Vault as a solution to my company's security concerns about very sensitive user data. I've added the ldap authentication and I'm able to log in with any ldap user credentials, and the entities are created correctly with the username as alias.

But I can't seem to make it import/assign groups.

When configured like this it does not throw any error but is not assigning the user to the group.

(screenshot of the LDAP auth method group configuration, not included)

When I change the Group DN to ou=ldap_groups,dc=company,dc=pl it just gives me an error when logging in that no groups were found.

I wanted to create a policy template so a normal user has access to his own data, and users with a special group like accountancy would be able to access everyone's data.

Bonana

1 Answer


Vault will not automatically create the LDAP groups; you have to create the groups manually.

Look here for a good explanation about this matter.

    You are absolutely right. Even though I did create groups in Vault I did it in the wrong way. So for anyone with the same problem: First in auth methods -> ldap you need to create your groups as in your AD. Then create an external type group in your vault groups, with an alias name same as the ldap group you want it to bind to. – Bonana Oct 07 '21 at 21:28
  • This comment really helped me, as I naively assumed that Vault would sync the Active Directory groups and display them in the UI. [This](https://www.youtube.com/watch?v=aGp8pb7KRIo&ab_channel=HashiCorp) video is quite helpful in explaining it in some detail. – Gavin Jul 29 '22 at 21:47
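The three steps from Bonana's comment (group entry under auth/ldap, external identity group, alias named after the LDAP group), together with the templated "own data only" policy the question asks for, as an added example that is not code from the question, the answer or HashiCorp. It assumes the vault CLI and jq on PATH, VAULT_ADDR and VAULT_TOKEN in the environment, the LDAP method mounted at auth/ldap, user data under the KV v2 path secret/data/users/<alias name>, and a catch-all LDAP group called "users"; "accountancy" and ou=ldap_groups,dc=company,dc=pl are from the question.

```shell
#!/usr/bin/env sh
# Added example, not from the post. Assumes: vault CLI and jq on PATH,
# VAULT_ADDR/VAULT_TOKEN set, LDAP auth mounted at auth/ldap, an LDAP group
# "users" containing all staff (assumed) and "accountancy" (from the question).
set -eu

# Templated policy: an entity may read only its own subtree, keyed on the name
# of its LDAP alias. Pure text rendering, so it can be checked without a server.
render_user_policy() {
  accessor="$1"   # mount accessor of the ldap auth method, e.g. auth_ldap_1234abcd
  printf 'path "secret/data/users/{{identity.entity.aliases.%s.name}}/*" {\n' "$accessor"
  printf '  capabilities = ["read", "list"]\n}\n'
}

# Group policy: members of accountancy may read everyone's data.
render_accountancy_policy() {
  printf 'path "secret/data/users/*" {\n  capabilities = ["read", "list"]\n}\n'
}

# The three steps from the comment: LDAP group mapping in the auth method,
# an external identity group, and an alias whose name equals the LDAP group
# name on the ldap mount accessor (that is what binds the two together).
bind_ldap_group() {
  ldap_group="$1"; policy="$2"; accessor="$3"
  vault write "auth/ldap/groups/${ldap_group}" policies="${policy}"
  group_id=$(vault write -field=id identity/group \
      name="${ldap_group}" type=external policies="${policy}")
  vault write identity/group-alias name="${ldap_group}" \
      mount_accessor="${accessor}" canonical_id="${group_id}"
}

main() {
  accessor=$(vault auth list -format=json | jq -r '."ldap/".accessor')
  render_user_policy "$accessor" | vault policy write user-self -
  render_accountancy_policy | vault policy write accountancy-all -
  bind_ldap_group users user-self "$accessor"
  bind_ldap_group accountancy accountancy-all "$accessor"
  # Check: log in with "vault login -method=ldap username=<user>" and run
  # "vault token lookup"; identity_policies should list the bound group policies.
}

# Only talk to Vault when an address is configured, so the renderers can be
# exercised offline.
if [ -n "${VAULT_ADDR:-}" ]; then main; fi
```

A plain `vault write auth/ldap/groups/accountancy` alone only attaches token policies at login; without the external identity group and its alias, nothing appears under Vault's identity groups, which is the behaviour the question describes.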