LDAP login not writing token to file

[yakatz]

Describe the bug
We log in with vault login -method=ldap and we use Duo MFA. Recently it seems that logging in like this has stopped writing the token to the ~/.vault-token file, so additional vault operations do not complete. If I log into the Vault web interface, copy my token and use that with vault login, the file is written properly.

To Reproduce
Steps to reproduce the behavior:

1. Run vault login -method=ldap
2. Enter password and approve MFA push
3. Try to use any other vault commands and get 403 error, see that ~/.vault-token is missing.

Expected behavior
The file ~/.vault-token should be written with the token received from the LDAP login

Environment:

• Vault Server Version (retrieve with vault status): 1.12.1 (installed with Yum)
• Vault CLI Version (retrieve with vault version): Vault v1.12.0 (558abfa75702b5dab4c98e86b802fb9aef43b0eb), built 2022-10-10T18:14:33Z
• Server Operating System/Architecture: Redhat 7.9

Vault server configuration file(s):

Service started with /usr/bin/vault server -config=/etc/vault/config.json

{
  "listener": [
    {
      "tcp": {
        "address": ":8200",
        "tls_cert_file": "/etc/ssl/vault/vault.example.com.crt",
        "tls_key_file": "/etc/ssl/vault/vault.example.com.key"
      }
    }
  ],
  "storage": {
    "mysql": {
      "address": "mysql.example.com",
      "database": "vault",
      "table": "vaultdata",
      "username": "username",
      "password": "password"
    }
  },
  "ui": true
}

[mpalmi]

Thanks for the report @yakatz! This was a known issue in prior versions of Vault and was supposed to be fixed by #17040. Are you seeing this issue when using the 1.12.1 Vault CLI as well?

[yakatz]

Thanks, that does fix it.

I thought I was on the most recent version available for Ubuntu because apt didn't show there was an update on the client machines, but when I cleared the apt cache, it showed up.