Various LdapErr errors when trying to use LDAP as auth backend #1555

Closed
lourot opened this issue Jun 23, 2016 · 2 comments

lourot commented Jun 23, 2016

TL;DR

When trying (tried with other combinations of arguments as well)

$ vault write auth/ldap/config url="ldap://ldap.mycompany.com:389" insecure_tls=false starttls=false
$ vault auth -method=ldap username=lourot

we get LdapErr errors like

* LDAP bind failed: LDAP Result Code 49 "Invalid Credentials": 8009030C: LdapErr: DSID-0C0903CF, comment: AcceptSecurityContext error, data 2030, v2580

We are aware of #546 (Rewrite LDAP backend), whose "urgency has fallen off". This issue recommends creating separate LDAP-related issues.

Details

Our LDAP server can be easily queried anonymously with

$ ldapsearch -x -h ldap.mycompany.com:389 -b "CN=Aurelien Lourot,OU=MC,OU=Employees,O=MyCompany,C=Global"
[...]
dn: CN=Aurelien Lourot,OU=MC,OU=Employees,O=MyCompany,C=Global
[...]
cn: Aurelien Lourot
[...]
distinguishedName: CN=Aurelien Lourot,OU=MC,OU=Employees,O=MyCompany,C=Global
[...]
displayName: lourot
[...]
name: Aurelien Lourot
[...]
sAMAccountName: lourot
[...]
sn: Lourot
[...]
uid: lourot
[...]

And we already use it to authenticate in services other than Vault, e.g. in Artifactory with the following settings:

ldapUrl: ldap://ldap.mycompany.com:389/OU=Employees,O=MyCompany,C=Global?sAMAccountName?sub?(objectClass=*)
anonAccessEnabled: true
encryptionPolicy: supported
searchFilter: uid={0}
searchBase: 
searchSubTree: true

Now when trying to use it as Vault auth backend, we get:

$ vault write auth/ldap/config url="ldap://ldap.mycompany.com:389" insecure_tls=false starttls=false
Success! Data written to: auth/ldap/config
$ vault auth -method=ldap username=lourot
Password (will be hidden): 
Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/ldap/login/lourot
Code: 400. Errors:

* LDAP bind failed: LDAP Result Code 49 "Invalid Credentials": 8009030C: LdapErr: DSID-0C0903CF, comment: AcceptSecurityContext error, data 2030, v2580

Same with insecure_tls=false starttls=false userattr=sAMAccountName, insecure_tls=true starttls=false userattr=sAMAccountName and insecure_tls=false starttls=false userdn="dc=mycompany,dc=com" userattr=sAMAccountName.

Now if we use discoverdn=true without userdn, which we think makes more sense as we want Vault to query LDAP anonymously, we get another LdapErr:

$ vault write auth/ldap/config url="ldap://ldap.mycompany.com:389" insecure_tls=false starttls=false discoverdn=true
Success! Data written to: auth/ldap/config
$ vault auth -method=ldap username=lourot
Password (will be hidden): 
Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/ldap/login/lourot
Code: 400. Errors:

* LDAP search for binddn failed: LDAP Result Code 32 "No Such Object": 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
    ''

Same with insecure_tls=false starttls=false discoverdn=true userattr=uid, insecure_tls=false starttls=false discoverdn=true userattr=sAMAccountName and ldap://ldap.mycompany.com:389/OU=Employees,O=MyCompany,C=Global as URL.

Now using ldaps:// instead of ldap://, it fails even earlier:

$ vault write auth/ldap/config url="ldaps://ldap.mycompany.com:389" insecure_tls=false starttls=false
Error writing data to auth/ldap/config: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/ldap/config
Code: 400. Errors:

* cannot connect to LDAP: LDAP Result Code 200 "": EOF

Or using starttls=true userattr=sAMAccountName as well it fails early with another LdapErr:

$ vault write auth/ldap/config url="ldap://ldap.mycompany.com:389" insecure_tls=false starttls=true userattr=sAMAccountName
Error writing data to auth/ldap/config: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/ldap/config
Code: 400. Errors:

* cannot connect to LDAP: LDAP Result Code 52 "Unavailable": ldap: cannot StartTLS (00000000: LdapErr: DSID-0C090FAA, comment: Error initializing SSL/TLS, data 0, v2580)

Same with insecure_tls=true.

To us, the combination of arguments that makes most sense would be:

$ vault write auth/ldap/config url="ldap://ldap.mycompany.com:389" insecure_tls=false starttls=false discoverdn=true userattr=sAMAccountName

But as said we get No Such Object. Any ideas? Thanks a lot.

@sarahalim @maikelvdh @martinm82 @wiorka

jefferai (Member) commented

Hi,

I recommend looking at the documentation at https://www.vaultproject.io/docs/auth/ldap.html -- you are not setting any configuration parameters, so it's unsurprising that it fails to find accounts. You can use vault path-help or take a look at https://github.com/hashicorp/vault/blob/master/builtin/credential/ldap/path_config.go to see the full set of parameters. At a very minimum I'd expect userdn, such as the one you're using with Artifactory.


lourot commented Jun 25, 2016

Hi @jefferai,

thank you so much. We knew about the documentation but your link to path_config.go was exactly what we needed. We got it working:

$ vault write auth/ldap/config url="ldap://ldap.mycompany.com:389" userdn="OU=Employees,O=MyCompany,C=Global" discoverdn=true userattr=sAMAccountName
$ vault write auth/ldap/groups/"MyCompany Employees" policies=root
$ vault auth -method=ldap username=lourot
Password (will be hidden): 
Successfully authenticated! You are now logged in.
The token below is already saved in the session. You do not
need to "vault auth" again with the token.
token: ********
token_duration: 0
token_policies: [root]
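To show why the working configuration above needs userdn, here is an added example (not Vault's own code) that models how an LDAP auth backend turns userdn, userattr and discoverdn into either an anonymous search (base + filter) or a synthesised bind DN, escaping the username so it cannot alter the filter or DN. The LDAPConfig struct, UserLookup, escapeFilter and the cn default are assumptions of this example, not taken from the Vault source.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// LDAPConfig holds the auth/ldap/config parameters used in this issue
// (names are Vault's; the struct itself is an assumption of this example).
type LDAPConfig struct {
	URL, UserDN, UserAttr string
	DiscoverDN            bool
}

// escapeFilter escapes a value for an LDAP search filter (RFC 4515) so a
// username such as "lourot)(uid=*" cannot widen the (userattr=username) filter.
func escapeFilter(s string) string {
	var b strings.Builder
	for _, c := range []byte(s) {
		if c == '\\' || c == '*' || c == '(' || c == ')' || c == 0 {
			fmt.Fprintf(&b, "\\%02x", c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// UserLookup returns the search base and filter (discoverdn=true) or the
// synthesised bind DN (discoverdn=false) the backend would use for username,
// rejecting the empty-userdn configuration behind the "No Such Object" error.
func UserLookup(cfg LDAPConfig, username string) (base, filter, bindDN string, err error) {
	if cfg.UserAttr == "" {
		cfg.UserAttr = "cn" // Vault's documented default
	}
	if cfg.UserDN == "" { // "No Such Object ... best match of ''": nothing to search under
		return "", "", "", errors.New("userdn is required, e.g. OU=Employees,O=MyCompany,C=Global")
	}
	if cfg.DiscoverDN {
		return cfg.UserDN, fmt.Sprintf("(%s=%s)", cfg.UserAttr, escapeFilter(username)), "", nil
	}
	// Without discoverdn the DN is assembled directly, so the RDN value needs RFC 4514 escaping.
	rdn := strings.NewReplacer(`\`, `\\`, `,`, `\,`, `+`, `\+`, `"`, `\"`, `<`, `\<`, `>`, `\>`, `;`, `\;`).Replace(username)
	return "", "", fmt.Sprintf("%s=%s,%s", cfg.UserAttr, rdn, cfg.UserDN), nil
}

func main() {
	fmt.Println(UserLookup(LDAPConfig{URL: "ldap://ldap.mycompany.com:389", UserDN: "OU=Employees,O=MyCompany,C=Global", UserAttr: "sAMAccountName", DiscoverDN: true}, "lourot"))
}
```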

lourot closed this as completed Jun 25, 2016