HashiCorp Vault LDAP Authentication

Configure HashiCorp Vault to authenticate users against OpenLDAP using the LDAP auth method with policy-driven access control.

Docker Compose

Download the compose file (the stack is started in the Start Services step below):

wget https://raw.githubusercontent.com/VibhuviOiO/infinite-containers/main/openldap/docker-compose-vault.yml -O docker-compose.yml

Environment Configuration

Create .env.vibhuvioio (changeme is reused below as the cn=Manager bind password; change both values for anything beyond a local test):

LDAP_DOMAIN=vibhuvioio.com
LDAP_ADMIN_PASSWORD=changeme

Start Services

docker compose up -d

Verify LDAP Base Tree

docker exec openldap-vibhuvioio ldapsearch -x -LLL -b dc=vibhuvioio,dc=com

Expected: the output lists the ou=People and ou=Group entries under the base DN.

Create LDAP Groups

Create groups.ldif (the groupOfNames object class requires at least one member attribute, so the Manager DN is used as a placeholder member):

dn: cn=vault-users,ou=Group,dc=vibhuvioio,dc=com
objectClass: groupOfNames
cn: vault-users
member: cn=Manager,dc=vibhuvioio,dc=com

dn: cn=vault-admins,ou=Group,dc=vibhuvioio,dc=com
objectClass: groupOfNames
cn: vault-admins
member: cn=Manager,dc=vibhuvioio,dc=com

Import:

docker exec -i openldap-vibhuvioio ldapadd \
  -x -D "cn=Manager,dc=vibhuvioio,dc=com" -w changeme \
  -f /dev/stdin < groups.ldif

Create Test User

Create testuser.ldif (the userPassword below is stored as cleartext for the demo; hash it, for example with slappasswd, for anything else):

dn: cn=testuser,ou=People,dc=vibhuvioio,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: testuser
userPassword: password
description: Vault Test User

Import:

docker exec -i openldap-vibhuvioio ldapadd \
  -x -D "cn=Manager,dc=vibhuvioio,dc=com" -w changeme \
  -f /dev/stdin < testuser.ldif
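To avoid shipping a cleartext userPassword in the LDIF, the value can be supplied in OpenLDAP's {SSHA} form (base64 of SHA-1(password + salt) followed by the salt), which is what `slappasswd -h '{SSHA}' -s password` emits. The following Python is an added example, not code from the page or from OpenLDAP; the 8-byte salt length and the user_ldif helper are assumptions, and the verifier mirrors how slapd checks the value (everything after the 20-byte digest is the salt).

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Return an OpenLDAP {SSHA} userPassword value for `password`.

    Format: "{SSHA}" + base64(sha1(password + salt) + salt).
    """
    if not salt:
        salt = os.urandom(8)  # assumption: 8 random salt bytes; slapd accepts any length
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Check `candidate` against a {SSHA} value the way slapd does."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= 20:
        return False  # no salt present; malformed value
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def user_ldif(cn: str, password: str, base_dn: str = "dc=vibhuvioio,dc=com") -> str:
    """Render the page's testuser.ldif with a hashed userPassword (assumed helper)."""
    return "\n".join([
        f"dn: cn={cn},ou=People,{base_dn}",
        "objectClass: simpleSecurityObject",
        "objectClass: organizationalRole",
        f"cn: {cn}",
        f"userPassword: {ssha_hash(password)}",
        "description: Vault Test User",
        "",
    ])


if __name__ == "__main__":
    # Pipe the output into the same ldapadd command used on the page.
    print(user_ldif("testuser", "password"))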
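```

Feeding the rendered LDIF to the ldapadd command above stores only the hash; the ldapwhoami bind in the next step still succeeds with the original password because slapd recomputes the salted digest on bind.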

Verify LDAP Authentication

docker exec openldap-vibhuvioio ldapwhoami \
  -x \
  -D "cn=testuser,ou=People,dc=vibhuvioio,dc=com" \
  -w password

Expected: dn:cn=testuser,ou=People,dc=vibhuvioio,dc=com

Add User to Group

docker exec -i openldap-vibhuvioio ldapmodify \
  -x -D "cn=Manager,dc=vibhuvioio,dc=com" -w changeme <<EOF
dn: cn=vault-users,ou=Group,dc=vibhuvioio,dc=com
changetype: modify
add: member
member: cn=testuser,ou=People,dc=vibhuvioio,dc=com
EOF

Configure Vault LDAP Authentication

Enter the Vault container:

docker exec -it vault sh

Set environment:

export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=root

Enable LDAP auth:

vault auth enable ldap

Configure the LDAP connection. Vault searches userdn for an entry whose userattr equals the login name, binds as that DN with the supplied password, then evaluates groupfilter under groupdn (with {{.UserDN}} replaced by the bound DN) and reads groupattr from every match; those values are looked up under auth/ldap/groups. Plain ldap:// is acceptable inside the compose network for a demo, but the bind password and every user password then cross the wire in cleartext, so use ldaps:// or starttls=true with a CA certificate anywhere else:

vault write auth/ldap/config \
  url="ldap://openldap-vibhuvioio:389" \
  binddn="cn=Manager,dc=vibhuvioio,dc=com" \
  bindpass="changeme" \
  userdn="ou=People,dc=vibhuvioio,dc=com" \
  groupdn="ou=Group,dc=vibhuvioio,dc=com" \
  userattr="cn" \
  groupattr="cn" \
  groupfilter="(&(objectClass=groupOfNames)(member={{.UserDN}}))"

Create Vault Policy

vault policy write vault-user - <<EOF
path "secret/data/*" {
  capabilities = ["read"]
}
EOF

Map LDAP group to policy:

vault write auth/ldap/groups/vault-users \
  policies=vault-user

Store a Test Secret

vault kv put secret/demo message="LDAP auth working"

Exit container:

exit

Login via Vault UI

Open http://localhost:8200
  1. Select LDAP auth method
  2. Username: testuser
  3. Password: password
  4. Navigate to: Secrets → secret → demo

You should see the stored secret.
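The same configure, map, login and read sequence can be driven over Vault's HTTP API, which makes each setting explicit and lets a script confirm that the group-to-policy mapping actually landed on the token. The Python below is an added example, not part of the page's stack or of HashiCorp's tooling. It assumes the dev-mode Vault from the compose file at VAULT_ADDR with root token root, reuses the page's DNs and the LDAP container name, and adds an audit function that flags the demo's plain ldap:// URL beside the hardened alternative (ldaps:// or starttls with a CA certificate). The audit rules, the token TTLs, deny_null_bind and the cn=vault-bind / ldap.example.internal names used in the checks are illustrative assumptions.

```python
import json
import os
import urllib.request

# Assumption: dev-mode Vault from the compose stack, root token "root".
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
BASE_DN = "dc=vibhuvioio,dc=com"


def ldap_config(url, binddn, bindpass, certificate=None, starttls=False):
    """Body for POST /v1/auth/ldap/config: the page's search settings plus
    deny_null_bind and bounded token TTLs (assumed hardening values)."""
    cfg = {
        "url": url,
        "binddn": binddn,
        "bindpass": bindpass,
        "userdn": f"ou=People,{BASE_DN}",
        "groupdn": f"ou=Group,{BASE_DN}",
        "userattr": "cn",
        "groupattr": "cn",
        "groupfilter": "(&(objectClass=groupOfNames)(member={{.UserDN}}))",
        "deny_null_bind": True,   # refuse empty-password binds
        "insecure_tls": False,    # keep server certificate verification on
        "token_ttl": "1h",
        "token_max_ttl": "8h",
    }
    if starttls:
        cfg["starttls"] = True
    if certificate:
        cfg["certificate"] = certificate  # PEM CA used to verify the LDAP server
    return cfg


def audit_ldap_config(cfg):
    """Findings for settings that expose passwords or weaken verification."""
    findings = []
    plaintext = cfg["url"].startswith("ldap://") and not cfg.get("starttls")
    if plaintext:
        findings.append("bind and user passwords cross the wire in cleartext (ldap:// without starttls)")
    if cfg.get("insecure_tls"):
        findings.append("insecure_tls=true disables server certificate verification")
    if not plaintext and not cfg.get("certificate"):
        findings.append("no CA certificate pinned; relies on system trust store")
    if not cfg.get("deny_null_bind", True):
        findings.append("deny_null_bind=false permits empty-password binds")
    if "{{.UserDN}}" not in cfg.get("groupfilter", ""):
        findings.append("groupfilter does not reference {{.UserDN}}; group lookup is not scoped to the user")
    return findings


def vault_request(method, path, token=None, body=None):
    """Minimal Vault API call; returns the decoded JSON body (or {} if empty)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", method=method, data=data)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def token_from_login(login_response, required_policy):
    """Extract (client_token, policies) from POST auth/ldap/login/<user>;
    raise if the group mapping did not put required_policy on the token."""
    auth = login_response["auth"]
    policies = auth["policies"]
    if required_policy not in policies:
        raise PermissionError(f"token lacks {required_policy!r}: {policies}")
    return auth["client_token"], policies


def secret_value(kv_response, key):
    """Unwrap one field from a KV v2 read (GET secret/data/<path>)."""
    return kv_response["data"]["data"][key]


if __name__ == "__main__":
    root = os.environ.get("VAULT_TOKEN", "root")
    cfg = ldap_config("ldap://openldap-vibhuvioio:389", f"cn=Manager,{BASE_DN}", "changeme")
    for finding in audit_ldap_config(cfg):
        print("finding:", finding)
    vault_request("POST", "auth/ldap/config", root, cfg)
    vault_request("POST", "auth/ldap/groups/vault-users", root, {"policies": "vault-user"})
    login = vault_request("POST", "auth/ldap/login/testuser", None, {"password": "password"})
    token, policies = token_from_login(login, "vault-user")
    print("policies:", policies)
    print("secret:", secret_value(vault_request("GET", "secret/data/demo", token), "message"))
```

Run against the stack, the script prints the cleartext finding for the demo config, then the token's policies (default plus vault-user) and the demo secret; a user who binds successfully but sits in no mapped group fails the token_from_login check, which is the case to test before trusting the mapping.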

Architecture

This demonstrates a policy-driven LDAP authentication flow:
  • LDAP groups map to Vault policies
  • Users authenticate via LDAP bind
  • Access is controlled by group membership
  • Suitable for enterprise environments