---
title: Vaultの認証にLDAPを使用するメモ
tags: ["LDAP", "Vault"]
categories: ["Dev", "SecretManagement", "Vault"]
date: 2019-06-23T16:55:06Z
updated: 2019-06-23T16:55:06Z
---

[https://www.vaultproject.io/docs/auth/ldap.html](https://www.vaultproject.io/docs/auth/ldap.html)のメモ。

動作確認したバージョンは以下。

```
$ vault version
Vault v1.1.3 ('9bc820f700f83a7c4bcab54c5323735a581b34eb')

$ vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.1.1
Cluster Name    vault-cluster-7a8691e1
Cluster ID      9a5a7bcf-9664-9474-769f-09a2656a23c5
HA Enabled      false
```

まずはLDAP Authを作成。

```
vault auth enable ldap
```

LDAPサーバーの情報を設定する。

```
vault write auth/ldap/config \
  url="ldaps://ldap.example.com:636" \
  userattr=cn \
  userdn="ou=people,dc=example,dc=com" \
  groupdn="ou=groups,dc=example,dc=com" \
  groupattr="memberOf" \
  binddn="cn=admin,dc=example,dc=com" \
  bindpass="password" \
  insecure_tls=false \
  username_as_alias=true \
  starttls=false
```

groupには`administrators`と`users`がある前提。

`administrators` groupに与えるpolicyを作成してマッピング。

```
vault policy write administrators -<<EOF
path "*" {
    capabilities = ["create", "read", "update", "delete", "list"]
}
EOF

vault write auth/ldap/groups/administrators policies=administrators
```

`users` groupに与えるpolicyを作成してマッピング。

```
vault policy write users -<<EOF
path "kv/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
}
EOF

vault write auth/ldap/groups/users policies=users
```

`administrators`と`users` groupに属するユーザーでログイン

```
$ vault login -method=ldap username=foobar

Password (will be hidden): 
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  s.************************
token_accessor         *********************
token_duration         768h
token_renewable        true
token_policies         ["administrators" "default" "users"]
identity_policies      []
policies               ["administrators" "default" "users"]
token_meta_username    foobar
```