LDAP Authentication & MFA¶
LDAP authentication is suited to environments where users authenticate against Active Directory or another LDAP directory, optionally with multi-factor authentication.
Configuration¶
vault:
address: "https://vault.example.com:8200"
auth_method: "ldap"
auth_mount: "ldap" # optional, defaults to the method name
How it works¶
CLI mode¶
- dotvault prompts for a password in the terminal (using secure input that doesn't echo characters)
- The credentials are submitted to Vault's LDAP auth method
- If MFA is required, dotvault handles the challenge (see below)
- On success, a Vault token is issued
Web UI mode¶
- User enters their username and password in the web UI login form
- The web UI submits credentials to the dotvault API
- MFA challenges are presented in the browser
- On success, the daemon receives the Vault token
Multi-factor authentication¶
dotvault supports MFA via Vault's identity-based MFA system (Login MFA), in which Vault answers the LDAP login with an MFA requirement that the client must satisfy before a token is issued. Two MFA types are supported:
Duo Push¶
When Duo MFA is configured, Vault sends a push notification to the user's registered Duo device. dotvault polls for the result automatically.
In CLI mode, you'll see:
TOTP¶
For TOTP-based MFA (e.g. Google Authenticator, Authy), dotvault prompts for the one-time passcode:
In CLI mode:
In web UI mode, a TOTP input field appears in the browser.
Login state machine¶
The LDAP login flow is managed by an asynchronous state machine (the LoginTracker) that transitions through the following states:
This allows the web UI to poll for status updates while the MFA flow completes. In CLI mode, the same state machine is used but polled at 500ms intervals internally.
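The Duo push and TOTP flows above and the LoginTracker state machine, as an added example that is not dotvault's own code. The state names (`IDLE`, `SUBMITTING`, `MFA_PENDING`, `SUCCESS`, `FAILED`) are assumptions, since the page does not list dotvault's actual states. `FakeVault` is a constructed offline stand-in whose response shapes follow Vault's Login MFA API (`auth.mfa_requirement` carrying `mfa_request_id` and `mfa_constraints`, validated via a `sys/mfa/validate`-style call); the method ID and token values are placeholders. `cli_login` plays the CLI role: it starts the login, polls the tracker at the page's 500 ms interval, and either waits for the Duo push result or supplies the TOTP code that dotvault would prompt for in the terminal.

```python
import asyncio
import secrets
from enum import Enum


class State(Enum):
    # Hypothetical names: the page does not list dotvault's actual LoginTracker states.
    IDLE = "idle"
    SUBMITTING = "submitting"    # LDAP credentials sent to Vault
    MFA_PENDING = "mfa_pending"  # Vault returned an MFA requirement (Duo push or TOTP)
    SUCCESS = "success"          # Vault token issued
    FAILED = "failed"


class FakeVault:
    # Constructed offline stand-in for Vault's LDAP login and sys/mfa/validate endpoints.
    # Response shapes follow Vault's Login MFA API; this is a simulation, not a Vault client.
    def __init__(self, password, mfa=None, totp_code="123456", duo_approves=True):
        self.password, self.mfa = password, mfa          # mfa: None, "totp" or "duo"
        self.totp_code, self.duo_approves = totp_code, duo_approves
        self.method_id = "mfa-method-placeholder"
        self.pending = set()                              # open MFA request IDs

    async def ldap_login(self, username, password):
        await asyncio.sleep(0)                            # yield like a network round trip
        if password != self.password:
            return {"errors": ["ldap operation failed: invalid credentials"]}
        if self.mfa is None:
            return {"auth": {"client_token": "hvs." + secrets.token_hex(8)}}
        request_id = secrets.token_hex(8)
        self.pending.add(request_id)
        constraint = {"type": self.mfa, "id": self.method_id, "uses_passcode": self.mfa == "totp"}
        return {"auth": {"client_token": "", "mfa_requirement": {
            "mfa_request_id": request_id,
            "mfa_constraints": {"ldap-mfa": {"any": [constraint]}}}}}

    async def mfa_validate(self, request_id, payload):
        await asyncio.sleep(0)
        if request_id not in self.pending:
            return {"errors": ["invalid request ID"]}
        self.pending.discard(request_id)                  # one attempt per request ID
        if self.mfa == "totp":
            ok = payload.get(self.method_id) == [self.totp_code]
        else:
            ok = self.duo_approves                        # Duo decides; client sends no passcode
        if not ok:
            return {"errors": ["failed to satisfy enforcement ldap-mfa"]}
        return {"auth": {"client_token": "hvs." + secrets.token_hex(8)}}


class LoginTracker:
    # Async login state machine in the spirit of the page's LoginTracker (example code).
    def __init__(self, vault):
        self.vault = vault
        self.state, self.token, self.error, self.mfa_type = State.IDLE, None, None, None
        self._request_id = self._method_id = None

    def snapshot(self):
        # What a status poll (web UI or CLI) sees: progress only, never password or token.
        return {"state": self.state.value, "mfa_type": self.mfa_type, "error": self.error}

    async def start(self, username, password):
        self.state = State.SUBMITTING
        await self._consume(await self.vault.ldap_login(username, password))

    async def submit_passcode(self, code):
        if self.state is not State.MFA_PENDING or self.mfa_type != "totp":
            raise RuntimeError("no TOTP challenge pending")
        await self._consume(await self.vault.mfa_validate(self._request_id, {self._method_id: [code]}))

    async def _consume(self, resp):
        if "errors" in resp:
            self.state, self.error = State.FAILED, resp["errors"][0]
            return
        auth, requirement = resp["auth"], resp["auth"].get("mfa_requirement")
        if auth.get("client_token"):
            self.state, self.token = State.SUCCESS, auth["client_token"]
        elif requirement:
            constraint = next(iter(requirement["mfa_constraints"].values()))["any"][0]
            self.mfa_type, self._method_id = constraint["type"], constraint["id"]
            self._request_id, self.state = requirement["mfa_request_id"], State.MFA_PENDING
            if self.mfa_type == "duo":   # push needs no user input: validate now, stay pending meanwhile
                await self._consume(await self.vault.mfa_validate(self._request_id, {self._method_id: []}))
        else:
            self.state, self.error = State.FAILED, "no token and no MFA requirement"


async def _cli_login(vault, username, password, passcode, interval):
    tracker = LoginTracker(vault)
    task = asyncio.create_task(tracker.start(username, password))
    prompted = False
    while tracker.state not in (State.SUCCESS, State.FAILED):
        await asyncio.sleep(interval)                     # the page's 500 ms poll in CLI mode
        if tracker.state is State.MFA_PENDING and tracker.mfa_type == "totp" and not prompted:
            prompted = True   # dotvault prompts in the terminal here; this example takes a parameter
            await tracker.submit_passcode(passcode or "")
    await task
    return {**tracker.snapshot(), "token": tracker.token}


def cli_login(vault, username, password, passcode=None, interval=0.5):
    # Drive a complete CLI-style login (no MFA, TOTP or Duo push); returns the final snapshot.
    return asyncio.run(_cli_login(vault, username, password, passcode, interval))
```

Two design points worth keeping in a real implementation: `snapshot()` exposes only state, MFA type and error, so a web UI status poll can never leak the password or the issued token, and `FakeVault` retires a request ID after one validation attempt, so a wrong TOTP code ends the login in `FAILED` rather than allowing unlimited guesses against the same challenge.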
Vault-side LDAP setup¶
The LDAP auth method must be configured in Vault:
- Enable the LDAP auth method:
- Configure the LDAP connection:
- Map LDAP groups to Vault policies:
For detailed Vault LDAP configuration, see the HashiCorp LDAP Auth Method documentation.
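The three setup steps as one runnable script, added here as an example rather than dotvault's own tooling. It assumes `VAULT_ADDR` and `VAULT_TOKEN` point at Vault with an operator token, that `LDAP_BIND_PASS` holds the bind account's password, and that the DNs, group names and policy names are placeholders to replace. It goes one step beyond the page by also creating a Login MFA TOTP method and enforcing it on the LDAP mount, which is what makes Vault return the MFA requirement dotvault handles; the `vault` subcommands and parameters used are the standard ones, but verify them against your Vault version.

```shell
#!/usr/bin/env bash
# Vault-side LDAP + Login MFA setup for dotvault (added example, not dotvault's own tooling).
# Assumes VAULT_ADDR and VAULT_TOKEN point at Vault with an operator token, LDAP_BIND_PASS
# holds the bind account's password, and the DNs, groups and policies below are placeholders.
set -eu

AUTH_PATH="${AUTH_PATH:-ldap}"                  # must match dotvault's auth_mount
LDAP_URL="${LDAP_URL:-ldaps://ldap.example.com:636}"
LDAP_BIND_DN="${LDAP_BIND_DN:-CN=vault-bind,OU=Service Accounts,DC=example,DC=com}"
LDAP_USER_DN="${LDAP_USER_DN:-OU=Users,DC=example,DC=com}"
LDAP_GROUP_DN="${LDAP_GROUP_DN:-OU=Groups,DC=example,DC=com}"

enable_ldap_auth() {
  # Step 1. Idempotent: re-running the script must not fail on an existing mount.
  if ! vault auth list -format=json | grep -q "\"${AUTH_PATH}/\""; then
    vault auth enable -path="$AUTH_PATH" ldap
  fi
}

configure_ldap_connection() {
  # Step 2. bindpass=- reads the secret from stdin, so it never lands in argv or shell history.
  # ldaps:// with insecure_tls=false means the directory's certificate is actually verified.
  printf '%s' "$LDAP_BIND_PASS" | vault write "auth/${AUTH_PATH}/config" \
    url="$LDAP_URL" \
    binddn="$LDAP_BIND_DN" \
    bindpass=- \
    userdn="$LDAP_USER_DN" \
    userattr=sAMAccountName \
    groupdn="$LDAP_GROUP_DN" \
    groupattr=cn \
    groupfilter='(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))' \
    insecure_tls=false \
    token_ttl=1h \
    token_max_ttl=8h
}

map_group_policies() {
  # Step 3. Usage: map_group_policies <ldap-group-cn> <policy>[,<policy>...]
  vault write "auth/${AUTH_PATH}/groups/$1" policies="$2"
}

enforce_totp_mfa() {
  # Beyond the page's three steps: a Login MFA TOTP method enforced on every login through
  # this mount. Without an enforcement Vault issues the token after the LDAP bind alone.
  local method_id accessor
  method_id=$(vault write -field=method_id identity/mfa/method/totp \
    issuer=Vault period=30 key_size=30 algorithm=SHA256 digits=6 skew=1)
  accessor=$(vault read -field=accessor "sys/auth/${AUTH_PATH}")
  vault write "identity/mfa/login-enforcement/${AUTH_PATH}-totp" \
    mfa_method_ids="$method_id" \
    auth_method_accessors="$accessor"
}

setup_vault_ldap() {
  enable_ldap_auth
  configure_ldap_connection
  map_group_policies vault-admins admin
  map_group_policies developers default,dotvault-dev
  enforce_totp_mfa
}

# Run with RUN_SETUP=1 ./vault-ldap-setup.sh; sourcing the file only defines the functions.
if [ "${RUN_SETUP:-0}" = 1 ]; then
  setup_vault_ldap
fi
```

Because every step is a function and the real work only runs with `RUN_SETUP=1`, the script can be sourced and exercised against a stubbed `vault` function first, which is also a cheap way to confirm that the bind password never appears in any command line.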