Setting up AD Auth with Hashicorp Vault

Hashicorp Vault is open source and can be used in DevOps processes for secure automated retrieval of keys and secrets.
I recently setup Vault as a password / key store. Here is how to configure Vault for Active Directory LDAP authentication.

This setup assumes the following:
‘sAMAccountID’ is the username attribute within AD for the user/s you want to authenticated to Vault.
The user must be a member of a specific group to be granted access to the Vault secrets path.
Vault is installed and initialized with the root token.

1. Create a file named IT.hcl with the following Vault policy as its contents:
path "secret/data/IT" {
capabilities = ["create", "read", "update", "delete", "list"] }

2. Write the policy into the Vault:
vault policy write IT IT.hcl

3. Enable LDAP Auth:
vault auth enable ldap
4. Write the LDAP auth config (edit the values for your binddn, groups and server name):
vault write auth/ldap/config \
url="ldap://server.domain.name" \
userattr="samaccountid" \
userdn="ou=Users,dc=domain,dc=name" \
groupdn="ou=Groups,dc=domain,dc=name" \
groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
groupattr="samaccountid"
binddn="cn=vault,ou=users,dc=domain,dc=name" \
bindpass='My$ecrt3tP4ss' \
upndomain="domain.name"

5. Map the Vault IT policy to the IT AD group:
vault write auth/ldap/groups/IT policies=IT

Note that in AD the group should be named ‘IT’ (for this example)
6. Test Vault AD Authentication:
vault login -method=ldap username='myUser'

7. Confirm your AD user has the permissions set in the IT Vault policy:
vault token capabilities secret/data/IT

In this example the AD user myUser is a member of the AD group ‘IT’ which has full permission to the /secret/data/IT Vault.
All done 🙂

Update 24/09/20:
To disable certificate based authentication edit the vault config.json file option as follows:
disable_cache = true
disable_mlock = true
ui = true
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 0
tls_cert_file = "/path/to/cert.crt"
tls_key_file = "/path/to/rsa.key"
tls_disable_client_certs = true
}
api_addr = "https://servername.com:8200"
storage "file" {
path = "/vault-data"
}
max_lease_ttl = "10h"
default_lease_ttl = "10h"
The above config.json is generated when you run the the vault binary for the first time. The option to disable client cert authentication is tls_disable_client_certs set to true. You can also use the above config.json as an example on how to enable TLS/SSL on the vault app.