Hello
We have configured an LDAP (AD) auth backend for our Vault instance.
As we have different entities, is there a way to configure multiple LDAP auth backends for our Vault instance?
If not in the current version, is it possible to have it in a future version?
Thanks
You can use -path with vault auth-enable to mount a second copy at a non-default location!
Thx for your quick help!!
Can you give a tip on how I auth with that backend? I created one with the name ldap2, but when I try to call /v1/auth/ldap2/login/username, Vault responds with "400 missing client token".
Can you provide the exact commands you are running? Although I do not currently have an LDAP server to test with, I do get the expected error without a running LDAP server. The error you are receiving would come earlier than the error I am seeing.
$ vault auth -methods
Path    Type   Accessor             Default TTL  Max TTL  Replication Behavior  Description
token/  token  auth_token_789ef836  system       system   replicated            token based credentials
$ vault auth-enable ldap
Successfully enabled 'ldap' at 'ldap'!
$ vault auth-enable -path=ldap2 ldap
Successfully enabled 'ldap' at 'ldap2'!
$ vault auth -methods
Path    Type   Accessor             Default TTL  Max TTL  Replication Behavior  Description
ldap/   ldap   auth_ldap_422c6a28   system       system   replicated
ldap2/  ldap   auth_ldap_9e8f6db2   system       system   replicated
token/  token  auth_token_789ef836  system       system   replicated            token based credentials
$ vault write auth/ldap2/login/username password=1
Error writing data to auth/ldap2/login/username: Error making API request.
URL: PUT http://localhost:8200/v1/auth/ldap2/login/username
Code: 400. Errors:
* 1 error occurred:
* error connecting to host "ldap://127.0.0.1": LDAP Result Code 200 "Network Error": dial tcp 127.0.0.1:389: getsockopt: connection refused
$ vault write auth/ldap/login/username password=1
Error writing data to auth/ldap/login/username: Error making API request.
URL: PUT http://localhost:8200/v1/auth/ldap/login/username
Code: 400. Errors:
* 1 error occurred:
* error connecting to host "ldap://127.0.0.1": LDAP Result Code 200 "Network Error": dial tcp 127.0.0.1:389: getsockopt: connection refused
Thanks for the reply. After starting over again to provide you with the commands I used, I recognized that I simply had a typo in the name; after correcting this, all works fine now :-)
Sorry for the confusion. I think it would be good if it could be added to the docs at https://www.vaultproject.io/docs/auth/ldap.html how to mount a second LDAP backend (or multiple auth providers of the same type); the docs at https://www.vaultproject.io/docs/auth/index.html mention that it is possible, but it took me some searching around through bugs and mailing-list entries to find out how it is supposed to work.
My apologies for reviving an old thread, but I'm trying to implement a secondary LDAP authentication backend for my company's implementation of Vault. When authenticating to Vault, how would a user specify which backend to use if both backends are LDAP?
You simply mount the backend at different paths (e.g. one at ldap1 and one at ldap2); after that you can log in with both by replacing the /ldap/ path in all examples with /ldap1/ or /ldap2/, e.g. the login URL would then be (see https://www.vaultproject.io/docs/auth/ldap.html#via-the-api) $VAULT_ADDR/v1/auth/ldap1/login/username and $VAULT_ADDR/v1/auth/ldap2/login/username
This worked for me without a problem, except that at the time I tried it out the CLI was not able to use a non-standard path and the Java lib I used has no support for it. But because you can simply issue generic write requests you can circumvent this; it is just not that convenient to have backends mounted at non-standard paths.
Right, so you can only authenticate using the API then, not the CLI -- that's all I needed to confirm. Thank you!
@callafeucht You can use the CLI; just set the mount parameter to whatever the mount name is, e.g. for auth/myldap the mount would be myldap.
@jefferai thanks -- I'm not familiar with the mount parameter. Is this a param passed when configuring the authentication backend, or when authenticating with the CLI? I've already configured the backend with the -path argument, and when I tried to use the specific name of the authentication backend (i.e. vault auth -method=ldap2 username=lalala), the command failed with Unknown authentication method: ldap2.
The method is ldap -- that's how the auth command knows which CLI auth plugin to run. So I believe it would be vault auth -method=ldap mount=ldap2 username=lalala.
Beautiful, thank you! That's precisely what I needed. 🎉
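A worked client for the API route the answers above describe: the login URL is $VAULT_ADDR/v1/auth/<mount>/login/<username>, so two LDAP backends are told apart purely by the mount path, while the CLI equivalent keeps -method=ldap and passes mount=ldap2. This is an added example, not code from the thread or from Vault. It assumes the request shape shown in the transcript above (a PUT with a JSON body containing the password), a 200 reply carrying auth.client_token and auth.policies, and an error reply carrying an "errors" list. The fake transport, its mount names (ldap1, ldap2) and the credentials in it are constructed here so the script runs offline; the "error connecting to host" text it returns for ldap2 copies the error seen in the transcript.

```python
"""
Log in to a Vault LDAP auth backend mounted at an arbitrary path.

Added example, not code from the thread or from Vault. It assumes the
Vault HTTP API shape used in the thread: PUT /v1/auth/<mount>/login/<username>
with a JSON body {"password": "..."}, a 200 reply carrying
{"auth": {"client_token": "...", "policies": [...]}} and an error reply
carrying {"errors": ["..."]}. The fake transport and its responses are
constructed here for offline use.
"""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Mount names as the thread uses them (ldap, ldap1, ldap2); this rejects
# anything that could alter the URL path ("../", "?", "#").
_MOUNT_RE = re.compile(r"^[A-Za-z0-9_-]+$")


class VaultLoginError(Exception):
    """Vault rejected the login; carries the HTTP status and the 'errors' list."""

    def __init__(self, status, errors):
        super().__init__(f"HTTP {status}: " + "; ".join(errors))
        self.status = status
        self.errors = errors


def login_url(vault_addr, mount, username):
    """The mount *path* selects the backend; the method type (ldap) never
    appears in the URL, so two LDAP mounts differ only here."""
    mount = mount.strip("/")
    if not _MOUNT_RE.match(mount):
        raise ValueError(f"invalid mount path: {mount!r}")
    if not username:
        raise ValueError("username is required")
    return (f"{vault_addr.rstrip('/')}/v1/auth/{mount}/login/"
            f"{urllib.parse.quote(username, safe='')}")


def _http_put(url, body):
    """Real transport: returns (status, raw_body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, data=body, method="PUT",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def parse_login_response(status, raw):
    """Turn a Vault reply into (client_token, policies) or raise VaultLoginError."""
    payload = json.loads(raw or b"{}")
    if status != 200:
        raise VaultLoginError(status, payload.get("errors") or [f"unexpected status {status}"])
    auth = payload.get("auth") or {}
    token = auth.get("client_token")
    if not token:
        raise VaultLoginError(status, ["reply carried no auth.client_token"])
    return token, list(auth.get("policies") or [])


def ldap_login(vault_addr, mount, username, password, transport=_http_put):
    """Log in against the LDAP backend mounted at `mount` (e.g. 'ldap2')."""
    url = login_url(vault_addr, mount, username)
    body = json.dumps({"password": password}).encode()
    status, raw = transport(url, body)
    return parse_login_response(status, raw)


# --- constructed stand-in for a Vault server with two LDAP mounts ------------
_ROUTE_RE = re.compile(r"/v1/auth/([^/]+)/login/([^/]+)$")
FAKE_PASSWORDS = {"ldap1": {"alice": "correct horse"}}  # constructed credentials


def fake_transport(url, body):
    """Mount ldap1 answers like a working backend; ldap2's LDAP server is
    unreachable, mirroring the 'error connecting to host' reply in the thread."""
    mount, user = _ROUTE_RE.search(url).groups()
    password = json.loads(body)["password"]
    if mount == "ldap2":
        errors = ['error connecting to host "ldap://127.0.0.1": LDAP Result Code 200 '
                  '"Network Error": dial tcp 127.0.0.1:389: connection refused']
        return 400, json.dumps({"errors": errors}).encode()
    if FAKE_PASSWORDS.get(mount, {}).get(user) == password:
        return 200, json.dumps({"auth": {"client_token": f"token-{mount}-{user}",
                                         "policies": ["default", f"{mount}-users"]}}).encode()
    return 400, json.dumps({"errors": ["ldap operation failed"]}).encode()


if __name__ == "__main__":
    for mount in ("ldap1", "ldap2"):
        try:
            token, policies = ldap_login("http://localhost:8200", mount, "alice",
                                         "correct horse", transport=fake_transport)
            print(f"{mount}: token={token} policies={policies}")
        except VaultLoginError as exc:
            print(f"{mount}: login failed: {exc}")
```

Against a real server, drop the transport argument and the default urllib transport is used; the mount-name check matters there because the mount string ends up in a URL path and a stray "../" or "?" would route the request somewhere other than the intended login endpoint.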