Source: https://github.com/developer-guy/vault-ldap-authentication-method (GitHub, owner: developer-guy, language: Shell)

# Description
Demonstration of how to use the Vault LDAP auth method against an OpenLDAP server running in a Docker container.

# What is the Vault LDAP auth method?

The ldap auth method allows authentication using an existing LDAP server and user/password credentials. This allows Vault to be integrated into environments using LDAP without duplicating the user/pass configuration in multiple places.

The mapping of groups and users in LDAP to Vault policies is managed by using the users/ and groups/ paths.

> Credit: https://www.vaultproject.io/docs/auth/ldap

# What is the OpenLDAP project?

The OpenLDAP Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and open source LDAP suite of applications and development tools. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenLDAP Suite and its related documentation.

> Credit: https://www.openldap.org/project/

# Prerequisites
* docker 20.10.2
* docker-compose (the whole demo is driven by one `docker-compose.yaml`)

# Hands-On

The goal of this demo is to obtain a valid Vault token using LDAP credentials. All of the tools mentioned above are started from a single docker-compose file, so docker and docker-compose are the only things you need on the host.

Let's look at the [docker-compose file](./docker-compose.yaml) to see what is inside:
```yaml
version: '3.7'
services:
  ldap_server:
    image: osixia/openldap:1.4.0
    command: ["--copy-service"]
    environment:
      LDAP_DOMAIN: developerguy.org
      LDAP_ADMIN_PASSWORD: test1234
      LDAP_BASE_DN: dc=developerguy,dc=org
    ports:
      - 389:389
    volumes:
      - "./ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom"
  ldap_server_admin:
    image: osixia/phpldapadmin:0.9.0
    ports:
      - 8080:80
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: ldap_server
      PHPLDAPADMIN_HTTPS: 'false'
  vault:
    container_name: vault-container
    image: hashicorp/vault:1.5.4
    ports:
      - 8200:8200
    environment:
      - VAULT_ADDR=http://127.0.0.1:8200
      - VAULT_API_ADDR=http://127.0.0.1:8201
    command: server -dev -dev-root-token-id=root
    cap_add:
      - IPC_LOCK
```

You will notice three services: "vault", "ldap server" and "ldap server admin". You will also notice the `./ldif` directory that is mounted into the OpenLDAP container so that the server is seeded with data at startup.

Everything in this file is demo-grade: Vault runs in `-dev` mode (in-memory storage, unsealed, fixed root token `root`), the LDAP admin password sits in the compose file, the directory is published on the cleartext port 389, and phpLDAPadmin is served over plain HTTP. Treat it as a throwaway local environment and reuse none of these settings elsewhere.

Let's start it:
```bash
$ docker-compose up
Starting vault-ldap-authentication-method_ldap_server_1       ... done
Starting vault-container                                      ... done
Starting vault-ldap-authentication-method_ldap_server_admin_1 ... done
Attaching to vault-container, vault-ldap-authentication-method_ldap_server_1, vault-ldap-authentication-method_ldap_server_admin_1
...
```

Then open http://localhost:8080 in your browser and log in with the admin credentials from the compose file (login DN `cn=admin,dc=developerguy,dc=org`, password `test1234`).
![login_with_admin_credentials](./login_with_admin_credentials.png)

After logging in you should see the following tree.
![following_schema](./following_schema.png)

> NOTE: For demo purposes there is a single user defined in [./ldif/bootstrap.ldif](./ldif/bootstrap.ldif).

I prepared a script that enables and configures the LDAP auth method, maps an LDAP group to a Vault policy, and then logs in to Vault with LDAP credentials. Let's have a look at it:
```bash
#!/usr/bin/env bash

set -e

# set necessary environment variables (dev-mode root token from docker-compose.yaml)
set_env(){
  export VAULT_ADDR="http://localhost:8200"
  export VAULT_TOKEN="root"
}

# enable LDAP auth method (under set -e this aborts if the method is already enabled, so run the script once per fresh dev server)
enable_ldap_auth_method(){
  vault auth enable ldap
}

# configure LDAP auth method; "ldap_server" resolves because Vault shares the compose network with OpenLDAP
configure_ldap_auth_method(){
  vault write auth/ldap/config \
   url="ldap://ldap_server:389" \
   binddn="cn=admin,dc=developerguy,dc=org" \
   bindpass="test1234" \
   userdn="ou=Users,dc=developerguy,dc=org" \
   userattr="cn" \
   groupdn="ou=Groups,dc=developerguy,dc=org" \
   groupattr="cn" \
   insecure_tls=false
}

# create the policy and the LDAP-group-to-policy mapping
create_policy_group_mapping(){
  vault policy write only-read-to-foo ./policy.hcl
  vault write auth/ldap/groups/Maintainers policies=only-read-to-foo
}

# login with ldap; the username is the first argument
login(){
 echo "Logging in as $1"
 vault login -method=ldap username="$1"
}

main(){
    set_env
    enable_ldap_auth_method
    configure_ldap_auth_method
    create_policy_group_mapping
    login "$1"
}

main "$@"
```

Two things about the configuration are worth knowing before you copy it. First, the `url` uses `ldap://` without `starttls=true`, so the bind password and every user password cross the wire in cleartext; `insecure_tls=false` only has an effect once `ldaps://` or `starttls=true` is in use. Second, the group mapping works because Vault's default `groupfilter` searches under `groupdn` for groups that reference the user (via `memberUid`, `member` or `uniqueMember`) and takes each match's `groupattr` (`cn`, so `Maintainers` here) as the name that `auth/ldap/groups/<name>` keys on.

The script takes only the username of the user to log in as, "Batuhan Apaydin" in this case.

Let's run it:
```bash
$ sh main.sh "Batuhan Apaydin"
Password (will be hidden): <-- 12345
WARNING! The VAULT_TOKEN environment variable is set! This takes precedence
over the value set by this command. To use the value set by this command,
unset the VAULT_TOKEN environment variable or set it to the token displayed
below.

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  s.onVUJ55PAZx6ubqglK1syzGP
token_accessor         jtxsseanTs8OUr4sBNu3zp05
token_duration         768h
token_renewable        true
token_policies         ["default" "only-read-to-foo"]
identity_policies      []
policies               ["default" "only-read-to-foo"]
token_meta_username    Batuhan Apaydin
```

The warning appears because the script exported `VAULT_TOKEN=root` before calling `vault login`; the LDAP-issued token was still stored by the token helper. Note the `token_duration` of `768h`: that is the dev server's default maximum TTL, so outside a demo set `token_ttl` and `token_max_ttl` on the auth method to something short. Also note that `token_policies` carries `only-read-to-foo` because the user is a member of the `Maintainers` group, not because of anything tied to the user entry itself.

You should see output similar to the above. The script ran in its own shell, so its exports are gone; with `VAULT_ADDR=http://localhost:8200` set in your shell you can now log in with the LDAP-issued token:
```bash
$ vault login -method=token
Token (will be hidden):  <-- s.onVUJ55PAZx6ubqglK1syzGP
```
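The `vault write auth/ldap/config` call in `main.sh` is safe only inside this throwaway compose network. The following script is an added example written for this page, not code from the repository: it reviews the `key=value` arguments of an LDAP auth config for the settings that matter when the same method is pointed at a real directory, and prints a hardened argument list next to the demo's own. The hostname `ldap.example.com`, the file paths under `/etc/vault` and `/run/secrets`, and the dedicated bind account `cn=vault-bind` are assumptions for illustration; the `vault write` keys (`url`, `starttls`, `insecure_tls`, `certificate`, `binddn`, `bindpass`, `deny_null_bind`, `token_ttl`, `token_max_ttl`) and the `@file` value syntax are real Vault CLI behaviour.

```shell
#!/usr/bin/env sh
# Added example, not part of developer-guy/vault-ldap-authentication-method.
# Reviews the arguments of `vault write auth/ldap/config` for demo-only settings.

# check_ldap_config KEY=VALUE ...  -> one finding per line; return value = number of findings
check_ldap_config() {
  url=""; starttls="false"; insecure_tls="false"; bindpass=""; token_ttl=""; deny_null_bind="true"
  for kv in "$@"; do
    key=${kv%%=*}; val=${kv#*=}
    case "$key" in
      url)            url=$val ;;
      starttls)       starttls=$val ;;
      insecure_tls)   insecure_tls=$val ;;
      bindpass)       bindpass=$val ;;
      token_ttl)      token_ttl=$val ;;
      deny_null_bind) deny_null_bind=$val ;;
    esac
  done
  n=0
  case "$url" in
    ldaps://*) ;;                                  # TLS from the first byte
    ldap://*)                                      # cleartext unless upgraded with STARTTLS
      if [ "$starttls" != "true" ]; then
        echo "cleartext transport: $url without starttls=true sends bindpass and every user password unencrypted"
        n=$((n+1))
      fi ;;
    *) echo "url: missing or unrecognised scheme: '$url'"; n=$((n+1)) ;;
  esac
  if [ "$insecure_tls" = "true" ]; then
    echo "insecure_tls=true: the directory's certificate is not verified, so an on-path attacker can harvest credentials"
    n=$((n+1))
  fi
  if [ "$deny_null_bind" != "true" ]; then
    echo "deny_null_bind=false: an empty password may succeed as an anonymous bind"
    n=$((n+1))
  fi
  case "$bindpass" in
    ""|@*|-) ;;                                    # unset, or read from a file / stdin by `vault write`
    *) echo "bindpass given inline: it lands in shell history and process listings; use bindpass=@/path/to/file"; n=$((n+1)) ;;
  esac
  if [ -z "$token_ttl" ]; then
    echo "token_ttl unset: LDAP-issued tokens inherit the mount/system default (768h on a stock install)"
    n=$((n+1))
  fi
  return $n
}

# Arguments for a production-style config. Hostname, paths and the bind account are placeholders.
hardened_config_args() {
  cat <<'EOF'
url=ldaps://ldap.example.com:636
certificate=@/etc/vault/ldap-ca.pem
binddn=cn=vault-bind,ou=ServiceAccounts,dc=developerguy,dc=org
bindpass=@/run/secrets/vault-ldap-bindpass
userdn=ou=Users,dc=developerguy,dc=org
userattr=cn
groupdn=ou=Groups,dc=developerguy,dc=org
groupattr=cn
deny_null_bind=true
token_ttl=1h
token_max_ttl=8h
EOF
}

# Apply the hardened arguments (values contain no spaces, so word splitting is safe). Not run here.
configure_ldap_auth_hardened() {
  vault write auth/ldap/config $(hardened_config_args)
}

echo "== config used by main.sh in this repo =="
check_ldap_config url="ldap://ldap_server:389" binddn="cn=admin,dc=developerguy,dc=org" \
  bindpass="test1234" userdn="ou=Users,dc=developerguy,dc=org" userattr="cn" \
  groupdn="ou=Groups,dc=developerguy,dc=org" groupattr="cn" insecure_tls=false \
  || echo "-> $? finding(s)"
echo "== hardened arguments =="
check_ldap_config $(hardened_config_args) && echo "-> no findings"
```

The demo config produces three findings (cleartext transport, inline bind password, unset `token_ttl`); `ldap://` with `starttls=true` is accepted, since the upgrade happens before the bind. The bind account in the hardened list is deliberately not `cn=admin`: Vault only needs search rights under `userdn` and `groupdn`, so a read-only service account limits what a leaked `bindpass` is worth.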
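The login output above proves that the group mapping attaches `only-read-to-foo`, but not that the token can do only what that policy says. The script below is an added example for this page, not part of the repository: it performs the same LDAP login over Vault's HTTP API (`POST /v1/auth/ldap/login/<username>`), then checks that the resulting token can read `secret/data/foo`, cannot write it, cannot read a sibling path, and cannot list policies, and finally revokes the token so the 768h credential does not outlive the test. It assumes the compose demo is up and `main.sh` has run, that `policy.hcl` (not shown on the page) grants only `read` on `secret/data/foo` in the dev server's KV v2 mount at `secret/`, and that `curl` is installed; `VAULT_ADDR` and the dev root token `root` are taken from the compose file.

```shell
#!/usr/bin/env sh
# Added example, not part of developer-guy/vault-ldap-authentication-method.
# Verifies least privilege for a token obtained through the LDAP auth method.

VAULT_ADDR=${VAULT_ADDR:-http://localhost:8200}
ROOT_TOKEN=${ROOT_TOKEN:-root}   # dev-mode root token from docker-compose.yaml

# json_string_field JSON KEY -> value of the first "KEY":"..." string member (no jq needed)
json_string_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# json_has_policy JSON NAME -> succeeds if NAME appears as a quoted string in JSON
json_has_policy() {
  printf '%s' "$1" | grep -q "\"$2\""
}

# vault_status TOKEN METHOD PATH [BODY] -> HTTP status of the API call
vault_status() {
  if [ -n "${4:-}" ]; then
    curl -s -o /dev/null -w '%{http_code}' -X "$2" -H "X-Vault-Token: $1" -d "$4" "$VAULT_ADDR/v1/$3"
  else
    curl -s -o /dev/null -w '%{http_code}' -X "$2" -H "X-Vault-Token: $1" "$VAULT_ADDR/v1/$3"
  fi
}

# check LABEL GOT WANT -> prints PASS/FAIL, fails on mismatch
check() {
  if [ "$2" = "$3" ]; then echo "PASS $1 ($2)"; return 0; fi
  echo "FAIL $1: got $2, want $3"; return 1
}

# verify_least_privilege USERNAME PASSWORD -> number of failed checks
verify_least_privilege() {
  fails=0
  # seed secret/data/foo as root so a permitted read returns 200 rather than 404
  vault_status "$ROOT_TOKEN" POST secret/data/foo '{"data":{"answer":"42"}}' >/dev/null
  # LDAP login over the API; only spaces are URL-encoded, enough for the demo user
  user_path=$(printf '%s' "$1" | sed 's/ /%20/g')
  resp=$(curl -s -X POST -d "{\"password\":\"$2\"}" "$VAULT_ADDR/v1/auth/ldap/login/$user_path")
  tok=$(json_string_field "$resp" client_token)
  [ -n "$tok" ] || { echo "LDAP login failed: $resp"; return 1; }
  json_has_policy "$resp" only-read-to-foo || { echo "FAIL token lacks only-read-to-foo"; fails=$((fails+1)); }
  check "read  secret/data/foo" "$(vault_status "$tok" GET secret/data/foo)" 200 || fails=$((fails+1))
  check "write secret/data/foo" "$(vault_status "$tok" POST secret/data/foo '{"data":{"x":"y"}}')" 403 || fails=$((fails+1))
  check "read  secret/data/bar" "$(vault_status "$tok" GET secret/data/bar)" 403 || fails=$((fails+1))
  check "list  sys/policies/acl" "$(vault_status "$tok" GET 'sys/policies/acl?list=true')" 403 || fails=$((fails+1))
  # the default policy permits revoke-self; do not leave a 768h token behind
  vault_status "$tok" POST auth/token/revoke-self >/dev/null
  return $fails
}

# Live run only on request:  RUN_LIVE=1 sh verify.sh "Batuhan Apaydin" 12345
if [ "${RUN_LIVE:-0}" = "1" ]; then
  verify_least_privilege "$1" "$2"
fi
```

A `403` rather than `404` on `secret/data/bar` is the expected result: Vault evaluates the ACL before the KV backend looks for the key. If the write to `secret/data/foo` returns `200`, the policy file grants more than the name `only-read-to-foo` suggests.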