I'm just standing up a full “Hashi Stack” with Consul, Nomad, and Vault so likely lots of future posts.
One part that should have been simple but took lots of trial and error was getting authentication to work to our FreeIPA installation.
Here are the steps required (assumes vault and freeipa already installed and working)…
Get root token

You should have the root token from when you initialized vault.

vault login
Token (will be hidden): <root token goes here>
Policies

Make some policies that will match existing ldap groups.

vault policy write staff staff.hcl
vault policy write ops ops.hcl

where….

# staff.hcl
path "secret/staff" {
  capabilities = ["read"]
}

# ops.hcl
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
Make an LDAP account for vault

Use vault to generate a random password: this creates a root-policy token that expires after one second and takes its UUID as the password. Not sure if this is fully ISO 9001 Security Secure certified but it looks good to me.

$ vault token create -period=1s
Key              Value
---              -----
token            8591430d-2007-ca8c-886b-ef1ad5046e1b
token_accessor   6083a01b-d59a-dd86-1ea8-1fed6f779ee5
token_duration   1s
token_renewable  true
token_policies   [root]

Make an .ldif file for the new account.
# sysaccount.ldif
dn: uid=vault,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: vault
userPassword: 8591430d-2007-ca8c-886b-ef1ad5046e1b
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
And apply it…

# on freeipa host
kinit admin
<password goes here>
ldapmodify -Y GSSAPI -f sysaccount.ldif
Enable LDAP auth

vault auth enable ldap

Now here's the magic, configure vault to point at your freeipa server.
vault write auth/ldap/config \
url="ldap://ldap.example.com" \
userdn="cn=users,cn=accounts,dc=example,dc=com" \
userattr="uid" \
groupdn="cn=groups,cn=accounts,dc=example,dc=com" \
groupattr="cn" \
binddn="uid=vault,cn=sysaccounts,cn=etc,dc=example,dc=com" \
bindpass='8591430d-2007-ca8c-886b-ef1ad5046e1b' \
starttls=false
Attach ldap groups to vault policies

vault needs to know how groups in ldap map to its own structures.
vault write auth/ldap/groups/staff policies=staff
vault write auth/ldap/groups/ops policies=ops
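The steps from the random password through the group mapping, collected into one script as an added example (not from the original post). It draws the bind password from /dev/urandom instead of minting a root token, and it points at ldaps:// so the bind password and users' passwords are not sent in the clear as they are with ldap:// and starttls=false; the DNs and group names are the post's, the LDAP_URL/BASE_DN/BIND_UID/APPLY variables are this script's own.

```shell
#!/bin/sh
# Assumes the FreeIPA layout used in the post and that vault, kinit and
# ldapmodify are on PATH when APPLY=1 (run "kinit admin" first).
set -eu

BASE_DN="${BASE_DN:-dc=example,dc=com}"
LDAP_URL="${LDAP_URL:-ldaps://ldap.example.com}"   # TLS from the start, no starttls needed
BIND_UID="${BIND_UID:-vault}"

# 16 random bytes from the kernel CSPRNG rendered as 32 hex characters.
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Render the sysaccount LDIF the post applies with ldapmodify.
# $1 = uid, $2 = password, $3 = base DN
render_ldif() {
    printf 'dn: uid=%s,cn=sysaccounts,cn=etc,%s\n' "$1" "$3"
    printf 'changetype: add\n'
    printf 'objectclass: account\n'
    printf 'objectclass: simplesecurityobject\n'
    printf 'uid: %s\n' "$1"
    printf 'userPassword: %s\n' "$2"
    printf 'passwordExpirationTime: 20380119031407Z\n'
    printf 'nsIdleTimeout: 0\n'
}

# LDAP group -> Vault policy pairs, "group:policy"; add more pairs to extend.
GROUP_MAP="staff:staff ops:ops"

# $1 = bind password
configure_vault() {
    vault auth enable ldap 2>/dev/null || true   # already enabled is fine
    vault write auth/ldap/config \
        url="$LDAP_URL" \
        userdn="cn=users,cn=accounts,$BASE_DN" userattr="uid" \
        groupdn="cn=groups,cn=accounts,$BASE_DN" groupattr="cn" \
        binddn="uid=$BIND_UID,cn=sysaccounts,cn=etc,$BASE_DN" \
        bindpass="$1"
    for pair in $GROUP_MAP; do
        vault write "auth/ldap/groups/${pair%%:*}" policies="${pair#*:}"
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    pw=$(gen_password)
    render_ldif "$BIND_UID" "$pw" "$BASE_DN" | ldapmodify -Y GSSAPI
    configure_vault "$pw"
fi
```

Without APPLY=1 the script only defines the functions, so it can be sourced and each step run by hand.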
Login

Now for the moment of truth.

vault login -method=ldap username=alice
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key                 Value
---                 -----
token               46730f3b-493f-4863-3e01-8ea625c13518
token_accessor      5d597740-3054-8b23-a49e-0344476dbd19
token_duration      768h
token_renewable     true
token_policies      [default ops staff]
token_meta_username alice
So there ya have it, you can now authenticate vault with freeipa.

ps. thanks to Shape Shed for the policy hint.