HashiCorp Vault and FreeIPA
@ wrote... (4 years, 1 month ago)

I'm just standing up a full “Hashi Stack” with Consul, Nomad, and Vault so likely lots of future posts.

One part that should have been simple but took lots of trial and error was getting authentication to work to our FreeIPA installation.

Here are the steps required (assumes vault and freeipa already installed and working)…

Get root token

You should have the root token from when you initialized vault.

vault login
Token (will be hidden): <root token goes here>

Policies

Make some policies that will match existing ldap groups.

vault policy write staff staff.hcl
vault policy write ops ops.hcl

where….

# staff.hcl

path "secret/staff" {
  capabilities = ["read"]
}

# ops.hcl

path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

Make an LDAP account for vault

Use vault to generate a random password. Not sure if this is fully ISO 9001 Security Secure certified but it looks good to me.

$ vault token create -period=1s
Key                Value
---                -----
token              8591430d-2007-ca8c-886b-ef1ad5046e1b
token_accessor     6083a01b-d59a-dd86-1ea8-1fed6f779ee5
token_duration     1s
token_renewable    true
token_policies     [root]

Make an .ldif file for the new account

# sysaccount.ldif

dn: uid=vault,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: vault
userPassword: 8591430d-2007-ca8c-886b-ef1ad5046e1b
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

And apply it…

# on freeipa host
kinit admin
<password goes here>

ldapmodify -Y GSSAPI -f sysaccount.ldif

Enable LDAP auth

vault auth enable ldap

Now here's the magic, configure vault to point at your freeipa server.

vault write auth/ldap/config \
    url="ldap://ldap.example.com" \
    userdn="cn=users,cn=accounts,dc=example,dc=com" \
    userattr="uid" \
    groupdn="cn=groups,cn=accounts,dc=example,dc=com" \
    groupattr="cn" \
    binddn="uid=vault,cn=sysaccounts,cn=etc,dc=example,dc=com" \
    bindpass='8591430d-2007-ca8c-886b-ef1ad5046e1b' \
    starttls=false

Attach ldap groups to vault policies

vault needs to know how groups in ldap map to its own structures.

vault write auth/ldap/groups/staff policies=staff
vault write auth/ldap/groups/ops policies=ops

Login

Now for the moment of truth.

vault login -method=ldap username=alice
Password (will be hidden):

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  46730f3b-493f-4863-3e01-8ea625c13518
token_accessor         5d597740-3054-8b23-a49e-0344476dbd19
token_duration         768h
token_renewable        true
token_policies         [default ops staff]
token_meta_username    alice

So there ya have it, you can now authenticate vault with freeipa.

ps. thanks to Shape Shed for the policy hint.

Category: tech, Tags: hashistack, ldap, vault
Comments: 1
Comments
1.
zen @ April 8, 2020 wrote... (2 years, 1 month ago)

Thanks for this one, it's probably a niche, but was very helpful. I did that with more recent versions of both FreeIPA and Vault and spot some issues. Particularly I had to use SSL (everyone should) and in my case, although I'm using default PDAP schema, group resolution did not work. Here's my snippet:

vault write auth/ldap/config \
  url="ldap://DOMAIN" \
  binddn="uid=vault,cn=sysaccounts,cn=etc,dc=example,dc=com" \
  bindpass='<password>' \
  starttls=true \
  certificate=@ldap_ca_cert.crt \
  insecure_tls=true \
  userdn="cn=users,cn=accounts,dc=example,dc=com" \
  userattr="uid" \
  groupdn="cn=users,cn=accounts,dc=example,dc=com" \
  groupattr="memberOf" \
  groupfilter="(&(objectClass=person)(uid={{.Username}}))"
Click here to add a comment