The Infisical LDAP dynamic secret allows you to generate user credentials on demand via LDAP. The integration is general to any LDAP implementation but has been tested with OpenLDAP and Active directory as of now.

Prerequisites

  1. Create a user with the necessary permissions to create users in your LDAP server.
  2. Ensure your LDAP server is reachable via Infisical instance.

Create LDAP Credentials

1

Open Secret Overview Dashboard

Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.

2

Click on the 'Add Dynamic Secret' button

3

Select 'LDAP'

4

Provide the inputs for dynamic secret parameters

Secret Name
string
required

Name by which you want the secret to be referenced

Default TTL
string
required

Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)

Max TTL
string
required

Maximum time-to-live for a generated secret.

URL
string
required

LDAP url to connect to. (Example: ldap://your-ldap-ip:389 or ldaps://domain:636)

BIND DN
string
required

DN to bind to. This should have permissions to create a new users.

BIND Password
string
required

Password for the given DN.

CA
text

CA certificate to use for TLS in case of a secure connection.

Credential Type
enum

The type of LDAP credential - select Dynamic.

Creation LDIF
text
required

LDIF to run while creating a user in LDAP. This can include extra steps to assign the user to groups or set permissions. Here {{Username}}, {{Password}} and {{EncodedPassword}} are templatized variables for the username and password generated by the dynamic secret.

{{EncodedPassword}} is the encoded password required for the unicodePwd field in Active Directory as described here.

OpenLDAP Example:

dn: uid={{Username}},dc=infisical,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: John Doe
sn: Doe
uid: jdoe
mail: [email protected]
userPassword: {{Password}}

Active Directory Example:

dn: CN={{Username}},OU=Test Create,DC=infisical,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
userPrincipalName: {{Username}}@infisical.com
sAMAccountName: {{Username}}
unicodePwd::{{EncodedPassword}}
userAccountControl: 66048

dn: CN=test-group,OU=Test Create,DC=infisical,DC=com
changetype: modify
add: member
member:  CN={{Username}},OU=Test Create,DC=infisical,DC=com
-
Revocation LDIF
text
required

LDIF to run while revoking a user in LDAP. This can include extra steps to remove the user from groups or set permissions. Here {{Username}} is a templatized variable for the username generated by the dynamic secret.

OpenLDAP / Active Directory Example:

dn: CN={{Username}},OU=Test Create,DC=infisical,DC=com
changetype: delete
Rollback LDIF
text

LDIF to run incase Creation LDIF fails midway.

For the creation example shown above, if the user is created successfully but not added to a group, this LDIF can be used to remove the user. Here {{Username}}, {{Password}} and {{EncodedPassword}} are templatized variables for the username generated by the dynamic secret.

OpenLDAP / Active Directory Example:

dn: CN={{Username}},OU=Test Create,DC=infisical,DC=com
changetype: delete
Username Template
string
default:"{{randomUsername}}"

Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.

Allowed template variables are

  • {{randomUsername}}: Random username string
  • {{unixTimestamp}}: Current Unix timestamp
  • {{identity.name}}: Name of the identity that is generating the secret
  • {{random N}}: Random string of N characters

Allowed template functions are

  • truncate: Truncates a string to a specified length
  • replace: Replaces a substring with another value

Examples:

{{randomUsername}}                              // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
{{unixTimestamp}}                               // 17490641580
{{identity.name}}                               // testuser
{{random-5}}                                    // x9k2m
{{truncate identity.name 4}}                    // test
{{replace identity.name 'user' 'replace'}}      // testreplace
5

Click `Submit`

After submitting the form, you will see a dynamic secret created in the dashboard.

6

Generate dynamic secrets

Once you’ve successfully configured the dynamic secret, you’re ready to generate on-demand credentials. To do this, simply click on the ‘Generate’ button which appears when hovering over the dynamic secret item. Alternatively, you can initiate the creation of a new lease by selecting ‘New Lease’ from the dynamic secret lease list section.

When generating these secrets, it’s important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.

Ensure that the TTL for the lease falls within the maximum TTL defined when configuring the dynamic secret.

Once you click the Submit button, a new secret lease will be generated and the credentials from it will be shown to you with an array of DN’s altered depending on the Creation LDIF.

Active Directory Integration

  • Passwords in Active Directory are set using the unicodePwd field. This must be proceeded by two colons :: as shown in the example. Source
  • Active directory uses the userAccountControl field to enable account. Read More
    • userAccountControl set to 512 enables a user.
    • To disable AD’s password expiration for this dynamic user account. The userAccountControl value for this is: 65536.
    • Since userAccountControl flag is cumulative set it to 512 + 65536 = 66048 to do both.
  • Active Directory does not permit direct modification of a user’s memberOf attribute. The member attribute of a group and the memberOf attribute of a user are linked attributes, where the member attribute represents the forward link, which can be modified. In the context of AD group membership, the group’s member attribute serves as the forward link. Therefore, to add a newly created dynamic user to a group, a modification request must be issued to the desired group, updating its membership to include the new user.

LDIF Entries

User account management is handled through LDIF entries.

Things to Remember

  • No trailing spaces: Ensure there are no trailing spaces on any line, including blank lines.
  • Empty lines before modify blocks: Every modify block must be preceded by an empty line.
  • Multiple modifications: You can define multiple modifications for a DN within a single modify block. Each modification should end with a single dash (-).