The documentation for configuring the LDAP authenticator for groups is incomplete. How can I pull in LDAP groups and map them to conjur groups in the policy? I am specifically referring to step 4 at the link: Configure LDAP Authentication
I have an LDAP group named conjur-users and when I attempt to map and load this group in the policy I receive the error:
Error: 422 Unprocessable Content. Group 'conjur-users' not found in account 'myConjurAccount'
Hi,
It sounds like the YAML is referencing “conjur-users” somewhere but the policy parser can’t find it. Can you please post your YAML so we can see what may be missing?
Here is the templated policy.
- !policy
  id: my-ldap-server
  body:
  - !host
  - !webservice
    owner: !host
    annotations:
      ldap-authn/base_dn: {{ ldap_base_rdn_people }},dc={{ my_domain | split(".") | first }},dc={{ my_domain | split(".") | last }}
      ldap-authn/bind_dn: cn={{ conjur_user }},{{ ldap_base_rdn_people }},dc={{ my_domain | split(".") | first }},dc={{ my_domain | split(".") | last }}
      ldap-authn/connect_type: tls
      ldap-authn/host: {{ inventory_hostname }}
      ldap-authn/port: 636
      ldap-authn/filter_template: (&(objectClass=person)(uid=%s))
  - !group conjur-users
  - !permit
    role: !group conjur-users
    privilege: [ read, authenticate ]
    resource: !webservice
  - !variable
    id: bind-password
    owner: !host
  - !variable
    id: tls-ca-cert
    owner: !host
Here is the grant policy. This is the one that fails with the error I posted above.
- !grant
  role: !group my-ldap-server/conjur-users
  member: !group /conjur-users
How does this configuration alone provide the necessary configuration to inform Conjur what the search base is for the OU the group is in within the LDAP tree? Also, there are different types of group objects/schemas possible in LDAP. How does this configuration work when the group in question is of type objectclass groupOfUniqueNames, where uniqueMember is the attribute in LDAP defining membership?
I see where you define the conjur-users group under the my-ldap-server policy, but are you sure there’s also a conjur-users group in the root policy - which is referenced in member: !group /conjur-users?
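As an added example (not code from the thread or from the Conjur docs), here is a root policy in which both sides of that grant exist, so the 422 from the original post does not occur. The user id alice and the LDAP values are constructed, and the example assumes that each Conjur user id equals the LDAP uid that the filter_template (uid=%s) looks up at login.

```yaml
# Added example, not from the original thread. Values below are constructed.
# Assumption: Conjur user ids match the LDAP uid matched by filter_template.

# 1. Declare the root-level group that the grant names as /conjur-users,
#    and the Conjur users that should be allowed to authenticate via LDAP.
- !user alice
- !group conjur-users
- !grant
  role: !group conjur-users
  member: !user alice

# 2. The authenticator policy from the thread, with the templated
#    annotation values replaced by constructed literals.
- !policy
  id: my-ldap-server
  body:
  - !host
  - !webservice
    owner: !host
    annotations:
      ldap-authn/base_dn: ou=people,dc=example,dc=com          # constructed
      ldap-authn/bind_dn: cn=conjur,ou=people,dc=example,dc=com # constructed
      ldap-authn/connect_type: tls
      ldap-authn/host: ldap.example.com                          # constructed
      ldap-authn/port: 636
      ldap-authn/filter_template: (&(objectClass=person)(uid=%s))
  - !group conjur-users
  - !permit
    role: !group conjur-users
    privilege: [ read, authenticate ]
    resource: !webservice
  - !variable
    id: bind-password
    owner: !host
  - !variable
    id: tls-ca-cert
    owner: !host

# 3. Both groups now exist: the root group /conjur-users becomes a member of
#    my-ldap-server/conjur-users, so alice inherits the read/authenticate
#    permit on the webservice through that membership chain.
- !grant
  role: !group my-ldap-server/conjur-users
  member: !group /conjur-users
```

Membership in the Conjur group is declared in this policy; the LDAP group of the same name is not read by the authenticator configuration shown here.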