TL;DR

When trying (tried with other combinations of arguments as well) we get `LdapErr` errors like

We are aware of #546 (Rewrite LDAP backend), whose "urgency has fallen off". This issue recommends creating separate LDAP-related issues.

Details

Our LDAP server can be easily queried anonymously with

And we already use it to authenticate in services other than Vault, e.g. in Artifactory with the following settings:

Now when trying to use it as Vault auth backend, we get:

```
$ vault write auth/ldap/config url="ldap://ldap.mycompany.com:389" insecure_tls=false starttls=false
Success! Data written to: auth/ldap/config
$ vault auth -method=ldap username=lourot
Password (will be hidden):
Error making API request.
URL: PUT http://127.0.0.1:8200/v1/auth/ldap/login/lourot
Code: 400. Errors:
* LDAP bind failed: LDAP Result Code 49 "Invalid Credentials": 8009030C: LdapErr: DSID-0C0903CF, comment: AcceptSecurityContext error, data 2030, v2580
```

Same with `insecure_tls=false starttls=false userattr=sAMAccountName`, `insecure_tls=true starttls=false userattr=sAMAccountName` and `insecure_tls=false starttls=false userdn="dc=mycompany,dc=com" userattr=sAMAccountName`.

Now if we use `discoverdn=true` without `userdn`, which we think makes more sense as we want Vault to query LDAP anonymously, we get another `LdapErr`:

```
$ vault write auth/ldap/config url="ldap://ldap.mycompany.com:389" insecure_tls=false starttls=false discoverdn=true
Success! Data written to: auth/ldap/config
$ vault auth -method=ldap username=lourot
Password (will be hidden):
Error making API request.
URL: PUT http://127.0.0.1:8200/v1/auth/ldap/login/lourot
Code: 400. Errors:
* LDAP search for binddn failed: LDAP Result Code 32 "No Such Object": 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
''
```

Same with `insecure_tls=false starttls=false discoverdn=true userattr=uid`, `insecure_tls=false starttls=false discoverdn=true userattr=sAMAccountName` and `ldap://ldap.mycompany.com:389/OU=Employees,O=MyCompany,C=Global` as URL.

Now using `ldaps://` instead of `ldap://`, it fails even earlier:

```
$ vault write auth/ldap/config url="ldaps://ldap.mycompany.com:389" insecure_tls=false starttls=false
Error writing data to auth/ldap/config: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/auth/ldap/config
Code: 400. Errors:
* cannot connect to LDAP: LDAP Result Code 200 "": EOF
```

Or using `starttls=true userattr=sAMAccountName` as well, it fails early with another `LdapErr`:

```
$ vault write auth/ldap/config url="ldap://ldap.mycompany.com:389" insecure_tls=false starttls=true userattr=sAMAccountName
Error writing data to auth/ldap/config: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/auth/ldap/config
Code: 400. Errors:
* cannot connect to LDAP: LDAP Result Code 52 "Unavailable": ldap: cannot StartTLS (00000000: LdapErr: DSID-0C090FAA, comment: Error initializing SSL/TLS, data 0, v2580)
```

Same with `insecure_tls=true`.

To us, the combination of arguments that makes most sense would be:

But as said we get `No Such Object`. Any ideas? Thanks a lot.

@sarahalim @maikelvdh @martinm82 @wiorka

---

Thank you so much. We knew about the documentation but your link to path_config.go was exactly what we needed. We got it working:

```
$ vault write auth/ldap/config url="ldap://ldap.mycompany.com:389" userdn="OU=Employees,O=MyCompany,C=Global" discoverdn=true userattr=sAMAccountName
$ vault write auth/ldap/groups/"MyCompany Employees" policies=root
$ vault auth -method=ldap username=lourot
Password (will be hidden):
Successfully authenticated! You are now logged in.
The token below is already saved in the session. You do not
need to "vault auth" again with the token.
token: ********
token_duration: 0
token_policies: [root]
```