From c23b5bf1e614e54c7e0a4db2227cb7a38fc6d896 Mon Sep 17 00:00:00 2001
From: Hanno Hecker
Date: Wed, 27 Jan 2016 09:25:05 +0100
Subject: [PATCH] samaccountname as login example

---
 website/source/docs/auth/ldap.html.md | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/website/source/docs/auth/ldap.html.md b/website/source/docs/auth/ldap.html.md
index f4cf12db27..637a0abca6 100644
--- a/website/source/docs/auth/ldap.html.md
+++ b/website/source/docs/auth/ldap.html.md
@@ -107,7 +107,21 @@ OUs like ou=people ou=external ou=robots
 ```
 you can also specify a `binddn` and `bindpass` for vault to search for the DN
-of a user.
+of a user. This also works for the AD where a typical setup is to have user
+DNs in the form `cn=Firstname Lastname,ou=Users,dc=example,dc=com` but you
+want to login users using the `sAMAccountName` attribute. For that specify
+```
+$ vault write auth/ldap/config url="ldap://ldap.forumsys.com" \
+ userattr=sAMAccountName \
+ userdn="ou=users,dc=example,dc=com" \
+ groupdn="dc=example,dc=com" \
+ binddn="cn=vault,ou=users,dc=example,dc=com" \
+ bindpass='My$ecrt3tP4ss' \
+ certificate=@ldap_ca_cert.pem \
+ insecure_tls=false \
+ starttls=true
+...
+```
 Next we want to create a mapping from an LDAP group to a Vault policy: