HashiCorp Vault Authentication Configuration Guide

Master LDAP, Userpass, Certificate, and Token authentication methods for enterprise security

HashiCorp Vault supports several authentication methods for controlling who and what can reach your secrets. This guide covers the four most commonly used: LDAP integration, Userpass authentication, Certificate-based authentication, and Token authentication.

💡 Pro Tip: Each method fits a different use case. LDAP for enterprise directory integration, Userpass for small deployments with local accounts, Certificates for automated machine-to-machine access, and Tokens for direct programmatic access. Every other method ultimately issues a token, so token handling matters regardless of which one you choose.

LDAP Authentication Configuration

LDAP authentication allows HashiCorp Vault to integrate with your existing Active Directory or LDAP infrastructure. This method is ideal for enterprise environments where user authentication should be centralized.

Configure LDAP Authentication

The following command points Vault at your domain controller and tells it where to search for users and groups. Use ldaps:// (or ldap:// together with starttls=true): with plain ldap:// on port 389 the bind password and every user's password cross the network in cleartext, and insecure_tls=false does nothing because no TLS is negotiated. The groupfilter uses the Active Directory matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN), so nested group membership is resolved rather than only direct membership. upndomain makes Vault bind as user@mydomain.com instead of first discovering the user's DN through an anonymous search.

vault write auth/ldap/config \
  url="ldaps://mydomaincontroller.mydomain.com:636" \
  userattr=sAMAccountName \
  userdn="dc=mydomain,dc=com" \
  groupdn="dc=mydomain,dc=com" \
  groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
  groupattr="cn" \
  upndomain="mydomain.com" \
  insecure_tls=false

Map LDAP Groups to Vault Policies

After configuring LDAP authentication, map your Active Directory groups to Vault policies. The name in the path must match the value of the group's cn (the groupattr configured above), and a user who belongs to several mapped groups receives the union of their policies:

vault write auth/ldap/groups/myvaultadgroup policies=myvaultpolicy
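The script below is an added example, not code from the original page: it enables and configures the LDAP method end to end with a dedicated bind account over LDAPS, maps two groups, and runs a login smoke test. The hostname, bind DN, OU layout, CA file dc-ca.pem, group names and the LDAP_BIND_PASSWORD / LDAP_TEST_USER environment variables are assumptions you will need to change. It also refuses to proceed if the URL would carry credentials in cleartext, the mistake the plain ldap:// form above invites.

```shell
#!/bin/sh
# Added example (not from the original page): hardened LDAP auth setup for Vault.
# Hostnames, DNs, the CA file and the group/policy names below are placeholders.
set -eu

# Accept only ldaps:// or ldap:// with StartTLS; anything else would send the
# bind password and user passwords over the wire in cleartext.
# usage: ldap_url_is_encrypted URL [STARTTLS]  -> exit 0 if encrypted, 1 otherwise
ldap_url_is_encrypted() {
  url=$1
  starttls=${2:-false}
  case "$url" in
    ldaps://*) return 0 ;;
    ldap://*)  if [ "$starttls" = "true" ]; then return 0; fi; return 1 ;;
    *)         return 1 ;;
  esac
}

configure_ldap_auth() {
  url="ldaps://mydomaincontroller.mydomain.com:636"   # assumed domain controller
  starttls=false

  ldap_url_is_encrypted "$url" "$starttls" || {
    echo "refusing LDAP URL without TLS: $url" >&2
    return 1
  }

  vault auth enable ldap 2>/dev/null || true   # already enabled is fine

  # bindpass=- reads the password from stdin, so it never appears in argv or history.
  # dc-ca.pem (assumed) is the CA bundle that signed the domain controller's certificate.
  printf '%s' "${LDAP_BIND_PASSWORD:?set LDAP_BIND_PASSWORD}" | vault write auth/ldap/config \
    url="$url" \
    starttls="$starttls" \
    insecure_tls=false \
    certificate=@dc-ca.pem \
    binddn="CN=vault-bind,OU=Service Accounts,DC=mydomain,DC=com" \
    bindpass=- \
    userdn="OU=Users,DC=mydomain,DC=com" \
    userattr=sAMAccountName \
    groupdn="OU=Groups,DC=mydomain,DC=com" \
    groupattr=cn \
    groupfilter='(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))' \
    deny_null_bind=true \
    token_ttl=1h \
    token_max_ttl=8h

  # Group -> policy mappings; a user gets the union of policies of every matched group.
  vault write auth/ldap/groups/vault-admins policies=myvaultpolicy
  vault write auth/ldap/groups/vault-readers policies=default

  # Smoke test: the CLI prompts for the password; -token-only prints just the token.
  vault login -method=ldap -no-store -token-only \
    username="${LDAP_TEST_USER:?set LDAP_TEST_USER}" >/dev/null
  echo "LDAP login ok for $LDAP_TEST_USER"
}

# Run as: LDAP_BIND_PASSWORD=... LDAP_TEST_USER=jdoe sh ldap-setup.sh --apply
case "${1:-}" in
  --apply) configure_ldap_auth ;;
esac
```

Using a dedicated bind account with deny_null_bind=true means Vault never performs anonymous binds, and token_ttl / token_max_ttl cap how long an LDAP-issued token lives regardless of what the mapped policies allow.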

Userpass Authentication Management

Userpass authentication provides a simple username and password method backed by accounts stored inside Vault itself. It suits smaller environments or cases where integrating with an external identity provider is not feasible; keep in mind that these accounts have no directory-enforced password policy or lockout unless you configure them in Vault.

Create a New User

Note that a password given as key=value on the command line is visible in shell history and, briefly, to other users via ps; the random-password procedure below avoids that.

vault write auth/userpass/users/myusername password=mypassword policies=admins

Delete a User

vault delete auth/userpass/users/myusername

Change User Password

The dedicated password endpoint updates only the password and leaves the user's policies untouched:

vault write auth/userpass/users/myusername/password password=mynewpassword

Create User with Random Password

For enhanced security, create users with randomly generated passwords and deliver them with response wrapping. A value of - makes the CLI read that field from stdin, so the password is never part of the command line; the wrapped read returns a single-use wrapping token that expires in 15 minutes, which the recipient redeems with vault unwrap. The commands assume a KV secrets engine mounted at secret/.

mypass="$(openssl rand -base64 16)"
printf '%s' "$mypass" | vault kv put secret/test password=-
printf '%s' "$mypass" | vault write auth/userpass/users/test.user password=- policies=admins
vault kv get -wrap-ttl=15m secret/test
unset mypass

Login with Userpass Authentication

Direct login with credentials (vault login replaced the older vault auth subcommand in Vault 0.9.2):

vault login -method=userpass username=myusername password=mypassword

Interactive login (omit the password and the CLI prompts for it without echoing):

vault login -method=userpass username=myusername
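As an added example covering the create, random-password and hand-over steps of this section (not code from the original page), the script below generates a password that never touches the command line, creates the account, and emits a short-lived wrapping token for the user. The username argument, the admins policy and the use of sys/wrapping/wrap instead of a KV detour are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): provision a userpass account with a
# random password and deliver it as a response-wrapped token.
set -eu

# 24 characters drawn from /dev/urandom, restricted to [A-Za-z0-9] so the value is
# safe to paste anywhere (no shell metacharacters, no base64 padding).
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# Sanity check before the value goes anywhere near Vault:
# at least 16 characters and nothing outside [A-Za-z0-9].
password_is_sane() {
  p=$1
  [ "${#p}" -ge 16 ] || return 1
  case "$p" in
    *[!A-Za-z0-9]*) return 1 ;;
  esac
  return 0
}

create_user_with_wrapped_password() {
  user=$1
  pass=$(gen_password)
  password_is_sane "$pass" || { echo "generated password failed sanity check" >&2; return 1; }

  vault auth enable userpass 2>/dev/null || true

  # password=- makes the CLI read the value from stdin: `ps` and shell history only
  # ever see the literal string "password=-".
  printf '%s' "$pass" | vault write "auth/userpass/users/$user" password=- token_policies=admins

  # Wrap the password in a single-use token valid for 15 minutes and print only that token.
  # The recipient runs: vault unwrap <wrapping_token>
  printf '%s' "$pass" | vault write -wrap-ttl=15m -field=wrapping_token sys/wrapping/wrap password=-

  unset pass
}

# Run as: sh userpass-provision.sh --apply jane.doe
case "${1:-}" in
  --apply) create_user_with_wrapped_password "${2:?username required}" ;;
esac
```

If the recipient reports that vault unwrap fails with a "wrapping token is not valid" error, the token has either expired or already been unwrapped, which is the signal to investigate who redeemed it before rotating the password.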

Certificate-Based Authentication

Certificate authentication lets systems and applications authenticate to Vault with a PEM-encoded TLS client certificate instead of a shared secret. Because the private key never leaves the client, it is a good fit for machine-to-machine authentication.

⚠️ Important: The cURL that ships with macOS is built against Apple's Secure Transport rather than OpenSSL and cannot load a PEM client certificate from disk, so calling the cert login endpoint directly with that cURL fails. The vault CLI is unaffected; if you need cURL, install a build linked against OpenSSL.

Create Authentication Certificate

Follow these steps to create a self-signed certificate for Vault authentication:

  • Create a folder to store the certificate files
  • Create a cert.conf file holding the OpenSSL request configuration
  • Fill in every field under the [dn] section of cert.conf (the subject, including CN)

Generate the certificate and key files. The first command prompts for a passphrase and writes an encrypted key; the second strips that passphrase, because vault login cannot prompt for one and needs the unencrypted key (key.insecure.pem). Keep that file readable by its owner only:

openssl req -config cert.conf -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
openssl rsa -in key.pem -out key.insecure.pem

Configure Vault for Certificate Authentication

With the cert auth method enabled, register your certificate with Vault. The @ prefix tells the CLI to read the certificate parameter from the file; replace the placeholder name and policy with your own. Vault accepts any client certificate that chains to the registered one, so register the leaf itself (as here) or pin with allowed_common_names when you register a CA:

vault write auth/cert/certs/your.name \
  display_name="Your Name" \
  policies=policyname \
  certificate=@cert.pem \
  ttl=3600

Authenticate Using Certificate

Log in with the unencrypted key produced above. When more than one certificate is registered, add name=your.name to select the role explicitly:

vault login -method=cert -client-cert=cert.pem -client-key=key.insecure.pem
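The following script is an added example for the whole procedure above, not code from the original page. It writes a complete cert.conf (the page only says to fill in [dn]), generates an unencrypted key in one step with -nodes so there is no passphrase to strip, registers the certificate with the CN and SAN pinned, and logs in. The directory, the CN app01.internal.example, the role name app01 and the policy policyname are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): client certificate for Vault cert auth,
# registration with the identity pinned, and a login check.
set -eu

# Write the OpenSSL request config. prompt=no means [dn] values are taken verbatim;
# [ext] adds a SAN and clientAuth EKU so the Vault role can pin allowed_dns_sans too.
# usage: write_cert_conf OUTPUT_PATH COMMON_NAME
write_cert_conf() {
  out=$1
  cn=$2
  cat >"$out" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ext
prompt             = no

[dn]
C  = US
O  = Example Corp
OU = Platform
CN = $cn

[ext]
subjectAltName   = DNS:$cn
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# -nodes writes the private key unencrypted: the only form `vault login -method=cert`
# can use non-interactively. Restrict the key file to its owner immediately.
make_client_cert() {
  dir=$1
  cn=$2
  mkdir -p "$dir"
  write_cert_conf "$dir/cert.conf" "$cn"
  openssl req -config "$dir/cert.conf" -x509 -newkey rsa:2048 -nodes \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" -days 365
  chmod 600 "$dir/key.pem"
}

register_and_login() {
  dir=$1
  role=$2
  cn=$3
  vault auth enable cert 2>/dev/null || true
  # Pin both the certificate and the identity inside it: another certificate that
  # happened to chain to the same issuer but carried a different CN/SAN is rejected.
  vault write "auth/cert/certs/$role" \
    display_name="$role" \
    certificate=@"$dir/cert.pem" \
    allowed_common_names="$cn" \
    allowed_dns_sans="$cn" \
    token_policies=policyname \
    token_ttl=1h
  # name= selects the role explicitly, which matters once several certs are registered.
  vault login -method=cert -no-store -token-only \
    -client-cert="$dir/cert.pem" -client-key="$dir/key.pem" name="$role" >/dev/null
  echo "cert login ok for role $role"
}

# Run as: sh cert-auth.sh --apply
case "${1:-}" in
  --apply)
    make_client_cert ./vault-cert app01.internal.example
    register_and_login ./vault-cert app01 app01.internal.example ;;
esac
```

For a fleet, register your internal CA's certificate once instead of each leaf and rely on allowed_common_names / allowed_dns_sans (or required_extensions) per role to decide which leaves map to which policy.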

Token Authentication

Token authentication is the core authentication method in HashiCorp Vault: every other method ends by issuing a token, and that token is what the API actually checks on each request. Tokens can also be handed out directly (for example, by an administrator running vault token create) for programmatic access.

Direct Token Authentication

Authenticate with a known token. Passing it as an argument records it in shell history, so prefer the interactive form or the VAULT_TOKEN environment variable in scripts:

vault login <token>

Interactive token prompt (the token is read without echo and stored in the CLI's token helper):

vault login
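As an added example (not from the original page), the script below shows the scripted alternative to vault login <token>: the token is read from a file that must be owner-readable only, exported as VAULT_TOKEN so it never appears on a command line, and inspected with vault token lookup before use. The file path $HOME/.vault-app-token is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): use a stored token without exposing it
# in argv or shell history, and verify it before relying on it.
set -eu

# A token is a bearer credential: refuse any file with group/other permission bits.
# usage: token_file_is_private PATH  -> exit 0 when mode is 0600-style, 1 otherwise
token_file_is_private() {
  f=$1
  [ -f "$f" ] || return 1
  # columns 5-10 of `ls -l` are the group and other permission bits
  mode=$(ls -ld "$f" | cut -c5-10)
  [ "$mode" = "------" ]
}

use_token_file() {
  f=$1
  token_file_is_private "$f" || { echo "refusing $f: must be mode 0600" >&2; return 1; }

  # Export rather than pass as an argument: `ps` and history never see the value.
  VAULT_TOKEN=$(cat "$f")
  export VAULT_TOKEN

  # Check what this token actually is before using it: remaining ttl, policies,
  # whether it is renewable, and how many uses remain (num_uses).
  vault token lookup

  # Extend a renewable token's lease; fails harmlessly if it is not renewable.
  vault token renew >/dev/null || echo "token is not renewable" >&2
}

# Run as: sh use-token.sh --apply [/path/to/token-file]
case "${1:-}" in
  --apply) use_token_file "${2:-$HOME/.vault-app-token}" ;;
esac
```

When the script is finished with a short-lived token, vault token revoke -self cleans it up instead of leaving it valid until its TTL expires.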

For comprehensive token management strategies, see our detailed guide on Managing HashiCorp Vault Tokens.

Ready to implement enterprise-grade HashiCorp Vault authentication in your infrastructure? InventiveHQ specializes in secure secrets management solutions that scale with your business needs.