Simple Hashicorp Vault LDAP Setup with docker
All the code can be found on my Github.
Intro
For a client i am working with i sometimes need a LDAP Setup which is decoupled from the companies own LDAP / AD system.
There is a generel problem when testing stuff like this, because those teams are usually very packed with tasks and it takes time to get a meeting with them.
To not waste my time with some email pingpong or week-long waiting for email answers, i made a LDAP Setup with docker, which can be easily be used for working with Hashicorp Vault and test the connectivity.
The LDAP Setup
To not crash out my local environment i will use docker for this whole setup.
We will create a really basic organization, with a dev and an ops group.
There will be 6 people in the organization:
- admin (which will be used as the bind user)
- adam (which will be part of the dev and the ops group)
- bob (which will be part of the dev group)
- claire (which will be part of the dev group)
- denise (which will be part of the ops group)
- enja (which will be part of the ops group)
The admin will get the password "admin_password" and all other people will get "adminpw" as their password.
Here is the complete setup script:
#!/bin/bash
set -e # Exit on error
echo "Creating necessary directories..."
rm -rf ldap slapd.d
mkdir -p ldap slapd.d
echo "Creating LDAP configuration files..."
# Create structure.ldif for base structure
cat > structure.ldif << 'EOL'
# Create organizational units
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
EOL
# Create users-and-groups.ldif
cat > users-and-groups.ldif << 'EOL'
# Create dev group
dn: cn=dev,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: dev
member: uid=adam,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com
member: uid=claire,ou=people,dc=example,dc=com
# Create ops group
dn: cn=ops,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: ops
member: uid=adam,ou=people,dc=example,dc=com
member: uid=denise,ou=people,dc=example,dc=com
member: uid=enja,ou=people,dc=example,dc=com
# Create users
dn: uid=adam,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: adam
cn: Adam
sn: Smith
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/adam
userPassword: adminpw
dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: bob
cn: Bob
sn: Johnson
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/bob
userPassword: adminpw
dn: uid=claire,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: claire
cn: Claire
sn: Williams
uidNumber: 10002
gidNumber: 10000
homeDirectory: /home/claire
userPassword: adminpw
dn: uid=denise,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: denise
cn: Denise
sn: Brown
uidNumber: 10003
gidNumber: 10000
homeDirectory: /home/denise
userPassword: adminpw
dn: uid=enja,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: enja
cn: Enja
sn: Garcia
uidNumber: 10004
gidNumber: 10000
homeDirectory: /home/enja
userPassword: adminpw
EOL
# Create acl.ldif
cat > acl.ldif << 'EOL'
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=example,dc=com" write by * read
EOL
echo "Starting OpenLDAP container..."
docker run -d \
--name openldap \
-p 389:389 \
-p 636:636 \
-e LDAP_ORGANISATION="Example Inc" \
-e LDAP_DOMAIN="example.com" \
-e LDAP_BASE_DN="dc=example,dc=com" \
-e LDAP_ADMIN_PASSWORD="admin_password" \
-v $(pwd)/ldap:/var/lib/ldap \
-v $(pwd)/slapd.d:/etc/ldap/slapd.d \
osixia/openldap:latest
echo "Waiting for OpenLDAP to start..."
sleep 5
echo "Copying configuration files to container..."
docker cp structure.ldif openldap:/tmp/structure.ldif
docker cp users-and-groups.ldif openldap:/tmp/users-and-groups.ldif
docker cp acl.ldif openldap:/tmp/acl.ldif
echo "Adding base structure..."
docker exec openldap ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin_password -f /tmp/structure.ldif
echo "Adding users and groups..."
docker exec openldap ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin_password -f /tmp/users-and-groups.ldif
echo "Configuring ACLs..."
docker exec openldap ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acl.ldif
echo "Testing admin access..."
docker exec openldap ldapsearch -x -D "cn=admin,dc=example,dc=com" -w admin_password -b "dc=example,dc=com" "(objectclass=*)"
echo "Testing user (Adam) access..."
docker exec openldap ldapsearch -x -D "uid=adam,ou=people,dc=example,dc=com" -w adminpw -b "dc=example,dc=com" "(objectclass=*)"
echo "Setup complete!"
echo "You can now connect to LDAP on localhost:389"
echo "Admin DN: cn=admin,dc=example,dc=com"
echo "Admin password: admin_password"
echo "Sample user DN: uid=adam,ou=people,dc=example,dc=com"
echo "Sample user password: adminpw"
The Docker Networking
Just a quick network setup so the openldap container and the docker container can talk to another.
#!/bin/bash
set -e # Exit on error
echo "Creating Docker network..."
docker network create ldap-demo || true
echo "Connecting OpenLDAP to network..."
docker network connect ldap-demo openldap || true
echo "Network setup complete!"
The Hashicorp Vault Setup
To not mess with a production Vault i will also use the quick and dirty Vault container setup.
We will create the container and then use the Hashicorp Vault API to configure the ldap auth mount.
After that we will create some polices for dev & ops for full access under secret/data/{dev, ops} and access to the corresponding metadata.
Watch out when using the following code that you insert instead of ldap://172.21.0.2:389 you use the IP of the openldap container of your setup.
#!/bin/bash
set -e # Exit on error
echo "Starting Vault container..."
docker run -d \
--name vault \
--cap-add=IPC_LOCK \
--network ldap-demo \
-p 8200:8200 \
-e 'VAULT_DEV_ROOT_TOKEN_ID=root' \
-e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' \
hashicorp/vault:latest
echo "Waiting for Vault to start..."
sleep 5
# Set Vault address and token for CLI
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='root'
echo "Enabling LDAP auth method..."
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data @- \
${VAULT_ADDR}/v1/sys/auth/ldap <<EOF
{
"type": "ldap"
}
EOF
echo "Configuring LDAP auth method..."
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data @- \
${VAULT_ADDR}/v1/auth/ldap/config <<EOF
{
"url": "ldap://172.21.0.2:389",
"userdn": "ou=people,dc=example,dc=com",
"groupdn": "ou=groups,dc=example,dc=com",
"groupfilter": "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))",
"userattr": "uid",
"binddn": "cn=admin,dc=example,dc=com",
"bindpass": "admin_password",
"starttls": false
}
EOF
echo "Creating enhanced policies..."
# Create dev policy with full access to data and metadata
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request PUT \
--data @- \
${VAULT_ADDR}/v1/sys/policies/acl/dev <<EOF
{
"path \"secret/data/dev/*\" {\n capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]\n}\n\npath \"secret/metadata/dev/*\" {\n capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]\n}"
}
EOF
# Create ops policy with full access to data and metadata
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request PUT \
--data @- \
${VAULT_ADDR}/v1/sys/policies/acl/ops <<EOF
{
"path \"secret/data/ops/*\" {\n capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]\n}\n\npath \"secret/metadata/ops/*\" {\n capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]\n}"
}
EOF
echo "Mapping LDAP groups to policies..."
# Map dev group to dev policy
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data @- \
${VAULT_ADDR}/v1/auth/ldap/groups/dev <<EOF
{
"policies": ["dev"]
}
EOF
# Map ops group to ops policy
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data @- \
${VAULT_ADDR}/v1/auth/ldap/groups/ops <<EOF
{
"policies": ["ops"]
}
EOF
echo "Setup complete!"
echo "Testing LDAP authentication with adam (member of both groups)..."
VAULT_TOKEN=$(curl \
--request POST \
--data @- \
${VAULT_ADDR}/v1/auth/ldap/login/adam <<EOF | jq -r '.auth.client_token'
{
"password": "adminpw"
}
EOF
)
echo "Retrieved token: $VAULT_TOKEN"
echo "Testing token capabilities..."
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
${VAULT_ADDR}/v1/sys/capabilities-self \
--request POST \
--data @- <<EOF
{
"paths": [
"secret/data/dev/test",
"secret/metadata/dev/test",
"secret/data/ops/test",
"secret/metadata/ops/test"
]
}
EOFFilling Hashicorp Vault with dummy data
Just a filler script to dump some stuff into the secrets KV Engine, some into dev & some into ops.
#!/bin/bash
set -e # Exit on error
# Set Vault address and token
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='root'
echo "Enabling KV secrets engine..."
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data @- \
${VAULT_ADDR}/v1/sys/mounts/secret <<EOF
{
"type": "kv",
"options": {
"version": "2"
}
}
EOF
echo "Adding dev secrets..."
# Development API keys
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data @- \
${VAULT_ADDR}/v1/secret/data/dev/api-keys <<EOF
{
"data": {
"development_api_key": "dev_api_12345",
"staging_api_key": "stage_api_67890",
"test_database_url": "postgresql://dev-db:5432/testdb"
}
}
EOF
# Development config
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data @- \
${VAULT_ADDR}/v1/secret/data/dev/config <<EOF
{
"data": {
"app_debug_mode": "true",
"log_level": "DEBUG",
"max_connections": "100",
"feature_flags": {
"new_ui": true,
"beta_features": true
}
}
}
EOF
echo "Adding ops secrets..."
# Operations credentials
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data @- \
${VAULT_ADDR}/v1/secret/data/ops/credentials <<EOF
{
"data": {
"production_db_password": "prod_db_pass_123",
"monitoring_token": "mon_token_456",
"backup_service_key": "backup_789"
}
}
EOF
# Operations config
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data @- \
${VAULT_ADDR}/v1/secret/data/ops/config <<EOF
{
"data": {
"backup_schedule": "0 2 * **",
"monitoring_endpoints": [
"https://monitor1.example.com",
"https://monitor2.example.com"
],
"alert_thresholds": {
"cpu_usage": 80,
"memory_usage": 90,
"disk_usage": 85
}
}
}
EOF
# Deployment information
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data @- \
${VAULT_ADDR}/v1/secret/data/ops/deployment <<EOF
{
"data": {
"kubernetes_api_token": "k8s_token_xyz",
"docker_registry_credentials": {
"username": "deployment_user",
"password": "deploy_pass_321"
},
"deployment_hooks": {
"pre_deploy": "health_check.sh",
"post_deploy": "notify_team.sh"
}
}
}
EOFTesting the access to the KV store
We will use adams credentials to login via the API and retrieve some data.
# Retrieve the Token and store it as a TOKEN variable
TOKEN=$(curl \
--request POST \
--data '{"password": "adminpw"}' \
http://127.0.0.1:8200/v1/auth/ldap/login/adam | jq -r '.auth.client_token')
# Use the token to get some data from secret/data/dev/api-keys
curl \
--header "X-Vault-Token: $TOKEN" \
http://127.0.0.1:8200/v1/secret/data/dev/api-keys
The response would be in this case:
{"request_id":"efd1512a-5343-a847-5590-b48677d39d76","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"development_api_key":"dev_api_12345","staging_api_key":"stage_api_67890","test_database_url":"postgresql://dev-db:5432/testdb"},"metadata":{"created_time":"2024-11-27T12:43:56.902958426Z","custom_metadata":null,"deletion_time":"","destroyed":false,"version":1}},"wrap_info":null,"warnings":null,"auth":null,"mount_type":"kv"}