Vaultx.Auth.LDAP (Vaultx v0.7.0)


LDAP authentication method for HashiCorp Vault.

This module implements the LDAP authentication method for Vault, providing secure directory-based authentication with comprehensive support for Active Directory, OpenLDAP, and other LDAP-compatible directory services.

Features

  • Directory Authentication: LDAP/Active Directory integration
  • Group Mapping: Automatic policy assignment based on LDAP groups
  • User Management: Support for user-specific policy overrides
  • TLS Security: Support for LDAPS and StartTLS connections
  • Flexible Configuration: Extensive LDAP server configuration options
  • Enterprise Ready: Supports all Vault enterprise features including MFA

API Compliance

Fully implements HashiCorp Vault LDAP authentication:

Usage Examples

Basic Authentication

{:ok, auth_response} = Vaultx.Auth.LDAP.authenticate(%{
  username: "john.doe",
  password: "mypassword"
})

Authentication with Custom Mount Path

{:ok, auth_response} = Vaultx.Auth.LDAP.authenticate(%{
  username: "john.doe",
  password: "mypassword"
}, mount_path: "custom-ldap")

Authentication with Additional Options

{:ok, auth_response} = Vaultx.Auth.LDAP.authenticate(%{
  username: "john.doe",
  password: "mypassword"
}, [
  mount_path: "ldap",
  timeout: 30_000,
  retry_attempts: 3
])
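The calls above return `{:ok, auth_response}` on success; what they do not show is how a caller should validate input and handle failure. The following helper is an added example and is not part of the Vaultx library. It uses only the option names shown on this page (`mount_path`, `timeout`, `retry_attempts`); the `{:error, reason}` return shape and the injectable `auth_fun` parameter are assumptions made so the helper can be run without a live Vault.

```elixir
# Added example, not part of Vaultx. Wraps Vaultx.Auth.LDAP.authenticate/2.
# Assumptions: failures come back as {:error, reason}; `auth_fun` exists only
# so the helper can be exercised with a stand-in instead of a real Vault.
defmodule LdapLogin do
  require Logger

  @opts [mount_path: "ldap", timeout: 30_000, retry_attempts: 3]

  @doc """
  Validates the credentials locally, then authenticates against Vault.
  Every failure collapses to `{:error, :authentication_failed}` so callers
  (and the users behind them) cannot tell "unknown user" from "wrong password".
  """
  def login(username, password, auth_fun \\ &Vaultx.Auth.LDAP.authenticate/2) do
    with :ok <- validate(username, password),
         {:ok, auth} <- auth_fun.(%{username: username, password: password}, @opts) do
      Logger.info("ldap login succeeded user=#{username}")
      {:ok, auth}
    else
      {:error, reason} ->
        # Record who failed and why for the audit trail; the password is never logged.
        Logger.warning("ldap login failed user=#{inspect(username)} reason=#{inspect(reason)}")
        {:error, :authentication_failed}
    end
  end

  # Reject an empty password before it reaches the directory: some LDAP servers
  # treat it as an anonymous (null) bind and report success.
  defp validate(_username, ""), do: {:error, :empty_password}

  defp validate(username, password) when is_binary(username) and is_binary(password) do
    # Keep the username to characters a directory login can contain so that
    # filter metacharacters never travel to the server.
    if String.match?(username, ~r/^[A-Za-z0-9._@-]{1,128}$/),
      do: :ok,
      else: {:error, :invalid_username}
  end

  defp validate(_, _), do: {:error, :invalid_credentials}
end

# Constructed stand-in for the Vault call, used only to exercise the helper.
fake_vault = fn
  %{username: "john.doe", password: "mypassword"}, _opts ->
    {:ok, %{client_token: "hvs.constructed-example-token"}}

  _creds, _opts ->
    {:error, :permission_denied}
end

{:ok, _auth} = LdapLogin.login("john.doe", "mypassword", fake_vault)
{:error, :authentication_failed} = LdapLogin.login("john.doe", "wrong", fake_vault)
{:error, :authentication_failed} = LdapLogin.login("john.doe", "", fake_vault)
{:error, :authentication_failed} = LdapLogin.login("john.doe)(uid=*", "x", fake_vault)
```

In production the third argument is simply omitted so the default `Vaultx.Auth.LDAP.authenticate/2` is used; the uniform error keeps response content from leaking account existence, while the log line still carries the detail an operator needs.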

Vault Configuration

Before using this authentication method, configure it in Vault:

# Enable LDAP auth method
vault auth enable ldap

# Configure LDAP connection
vault write auth/ldap/config \
  url="ldaps://ldap.company.com:636" \
  userdn="ou=Users,dc=company,dc=com" \
  userattr="sAMAccountName" \
  groupdn="ou=Groups,dc=company,dc=com" \
  groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
  groupattr="cn" \
  binddn="cn=vault,ou=ServiceAccounts,dc=company,dc=com" \
  bindpass="service-password"

# Map LDAP groups to Vault policies
vault write auth/ldap/groups/admins policies="admin,default"
vault write auth/ldap/groups/developers policies="dev,default"

# Override policies for specific users (optional)
vault write auth/ldap/users/john.doe policies="admin,default"

Security Considerations

  • Use LDAPS or StartTLS for encrypted connections
  • Implement proper certificate validation
  • Use service accounts with minimal required permissions
  • Monitor authentication events in Vault audit logs
  • Regularly review group mappings and user overrides
  • Consider implementing MFA for additional security
  • Use connection pooling and timeouts appropriately
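The list above can be checked mechanically against what Vault actually has configured. The module below is an added example, not part of Vaultx or of Vault. Its input is a map with the real `auth/ldap/config` parameter names (`url`, `starttls`, `insecure_tls`, `certificate`, `tls_min_version`, `binddn`, `deny_null_bind`) as they appear in `vault read -format=json auth/ldap/config`; the two sample maps at the bottom are constructed for the example, one mirroring the configuration shown on this page and one deliberately weakened.

```elixir
# Added example, not part of Vaultx: lints a Vault `auth/ldap/config` map
# against the security considerations above. Keys are Vault's own LDAP
# config parameter names; sample data at the bottom is constructed.
defmodule LdapConfigCheck do
  @doc "Returns findings as {:fail | :warn, message}; [] means nothing flagged."
  def findings(cfg) when is_map(cfg) do
    [transport(cfg), tls_validation(cfg), tls_version(cfg), null_bind(cfg), service_account(cfg)]
    |> List.flatten()
    |> Enum.reject(&is_nil/1)
  end

  # Every server URL must be ldaps://, or plain ldap:// must be upgraded with StartTLS.
  defp transport(%{"url" => url} = cfg) do
    plain =
      url
      |> String.split(",")
      |> Enum.map(&String.trim/1)
      |> Enum.filter(&String.starts_with?(&1, "ldap://"))

    cond do
      plain == [] -> nil
      cfg["starttls"] == true -> nil
      true -> {:fail, "cleartext ldap:// without starttls: #{Enum.join(plain, ", ")}"}
    end
  end

  defp transport(_), do: {:fail, "url is not set"}

  # insecure_tls=true skips certificate verification entirely; pinning the
  # directory CA via `certificate` is how Vault learns to trust a private CA.
  defp tls_validation(cfg) do
    [
      if(cfg["insecure_tls"] == true,
        do: {:fail, "insecure_tls=true disables certificate validation"}),
      if(cfg["certificate"] in [nil, ""],
        do: {:warn, "no CA pinned via `certificate`; relying on the system trust store"})
    ]
  end

  defp tls_version(cfg) do
    case cfg["tls_min_version"] do
      v when v in ["tls10", "tls11"] -> {:fail, "tls_min_version=#{v} allows deprecated TLS"}
      _ -> nil
    end
  end

  # deny_null_bind=false lets an empty password bind anonymously and "succeed".
  defp null_bind(cfg) do
    if cfg["deny_null_bind"] == false,
      do: {:fail, "deny_null_bind=false permits empty-password logins"}
  end

  # The bind account only needs read access under userdn/groupdn; flag anonymous
  # search and accounts whose name suggests directory-wide privileges.
  defp service_account(cfg) do
    binddn = cfg["binddn"] || ""

    cond do
      binddn == "" ->
        {:warn, "binddn empty: user/group search runs as an anonymous bind"}

      String.match?(binddn, ~r/cn=(administrator|admin|root)\b/i) ->
        {:warn, "binddn looks like a privileged account: #{binddn}"}

      true ->
        nil
    end
  end
end

# Constructed samples: the configuration from this page, and a weakened copy.
good = %{
  "url" => "ldaps://ldap.company.com:636",
  "certificate" => "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----",
  "insecure_tls" => false,
  "tls_min_version" => "tls12",
  "deny_null_bind" => true,
  "binddn" => "cn=vault,ou=ServiceAccounts,dc=company,dc=com"
}

weak = %{
  good
  | "url" => "ldap://ldap.company.com:389",
    "insecure_tls" => true,
    "deny_null_bind" => false,
    "certificate" => ""
}

[] = LdapConfigCheck.findings(good)
IO.inspect(LdapConfigCheck.findings(weak), label: "weak config findings")
```

Running the weakened map yields three `:fail` findings (cleartext URL, `insecure_tls`, `deny_null_bind`) and one `:warn` (no pinned CA); the check is cheap enough to run in a CI step that reads the live configuration after every change.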