@sjohnkennedy, the way the DAP LDAP integration works is as follows:
- Setup the ldap sync integration
- Using the LDAP sync, generate a policy with users/groups defined
- Load the policy
- Enable authn-ldap to then authenticate with ldap username/password
Management of users still requires you to load policy. Additionally, since the users must be loaded into root you have some decisions to make with regards to policy management practices. You must also maintain the user in the DAP database, as depending on how you handle policy management, you might be in a situation where you have to load delete policies to remove users. Finally, the CorePAS LDAP integration is far more feature rich, supporting multiple types of MFA, automatically removing users when they are removed from LDAP, automatically adding users when they log in, PSM and PSMP workflows, check-out/check-in workflows, etc. In short, for your interactive user sessions you are much better served leveraging the CorePAS features.
Finally, to clarify @boazmichaely’s comment, the Vault Conjur Synchronizer does not currently bring over any policy or safe ACL information from CorePAS. This is built on the DAP side independently. The Synchronizer does build a policy structure in DAP that allows you to easily delegate policy management to application teams who can define DAP hosts that can fetch secrets. Any secrets management work required by the app team should still be done on the CorePAS side though and rely on the Synchronizer to replicate those changes to DAP (e.g. secrets on boarding and rotation, new safe creation, etc.)
Regards,
Nate