LDAP search failed: LDAP Result Code 50 "Insufficient Access Rights" #18875

Closed
nordicmachine opened this issue Jan 27, 2023 · 9 comments · Fixed by #19032
Labels
auth/ldap, bug (Used to indicate a potential bug)

Comments

@nordicmachine

Describe the bug
Authenticating with the LDAP backend fails since the introduction of paging (see #7702). When attempting to login, the error "Insufficient Access Rights" is returned:

vault login -method=ldap username=user@example.com
Password (will be hidden): 
Error making API request.


URL: PUT https://vault.example.com/v1/auth/ldap/login/user@example.com
Code: 400. Errors:


* LDAP search failed: LDAP Result Code 50 "Insufficient Access Rights": 

To Reproduce
Steps to reproduce the behavior:

  1. Configure a directory server to not permit paging
  2. Configure Vault to use that directory server (Vault version must include "Add Paging Interface for LDAP Connection", #17640)
  3. Run vault login -method=ldap username=user@example.com
  4. See error message

Expected behavior

Login to succeed.

Note: Would have expected there to be a configuration option in the ldap backend config to disable paging

Environment:

  • Vault Server Version (retrieve with vault status): 1.12.2
  • Vault CLI Version (retrieve with vault version): 1.12.1
  • Server Operating System/Architecture: CentOS Linux 7 / x86_64

Vault server configuration file(s):

vault read auth/ldap/config
Key                             Value
---                             -----
anonymous_group_search          false
binddn                          n/a
case_sensitive_names            true
certificate                     n/a
deny_null_bind                  true
discoverdn                      true
groupattr                       cn
groupdn                         ou=memberList,ou=orgUnit,o=organization
groupfilter                     (&(objectClass=nestedGroup)(uniquemember={{.UserDN}})(cn=team-*))
insecure_tls                    false
request_timeout                 90
starttls                        true
tls_max_version                 tls12
tls_min_version                 tls12
token_bound_cidrs               []
token_explicit_max_ttl          0s
token_max_ttl                   0s
token_no_default_policy         false
token_num_uses                  0
token_period                    0s
token_policies                  []
token_ttl                       0s
token_type                      default
upndomain                       n/a
url                             ldap://ldap.example.com
use_pre111_group_cn_behavior    true
use_token_groups                false
userattr                        uid
userdn                          ou=orgUsers,o=organization
userfilter                      n/a
username_as_alias               true

Additional context

Our directory server does not permit paging at all, even though it advertises it as a supported control. I'm unable to change the directory server to permit paging as it is centrally managed at our company and my team does not have access to do so. We have run into this issue with other applications, and in most cases, the application provides a mechanism to disable paging. I also found in #8310 (comment) that it was suggested to implement a setting to set the page size (or 0 to disable paging), but this was not implemented when the feature was added.

@austingebauer added the bug (Used to indicate a potential bug) and auth/ldap labels on Jan 27, 2023
@austingebauer
Member

@nordicmachine - Thanks for reporting this. We will consider an option to enable/disable paging. (cc @ltcarbonell @jasonodonnell as this is related to #17640).

@maxb
Contributor

maxb commented Jan 29, 2023

It is fairly common for LDAP servers to have policy on the maximum size of a page, that can be configured by the local administrators. For this reason, as mentioned in "Additional context", it shouldn't be just an on/off setting.

@ltcarbonell
Contributor

@nordicmachine thank you for pointing this out! I put together a PR that should be able to handle this here. I am having trouble setting up an LDAP server that doesn't support paging on my end to test it out. Would you be able to test it out against your LDAP setup to make sure this actually solves your issue? Or perhaps provide some insight on how we can set this up to test on our side.

@nordicmachine
Author

@ltcarbonell I built your PR, set max_page_size: 0 in the LDAP configuration, and tested locally, but it's still failing in the same way.

If you're testing on OpenLDAP slapd, you should be able to adjust the limits to disable paging. Have a look at OpenLDAP 2.6 Limits - in section 9.3.1.2 it says you can set size.prtotal=disabled to disable paged results. I haven't tried this myself but hopefully it'll give you a bit more to go on.

@ltcarbonell
Contributor

@nordicmachine just wanted to update you that I haven't forgotten about this issue. I've been running into some issues disabling paging on my end. I will let you know when I make some progress on this.

@nordicmachine
Author

Thanks for the update @ltcarbonell - let me know if there's anything else I can help with.

@ltcarbonell
Contributor

Hey @nordicmachine, I wanted to let you know that I've made some changes to #19032. Would you be willing to try it out for us? You can use -1 as a configuration with max_page_size to bypass the new logic, and hopefully, it will fix the issue that was introduced. Thanks!

@nordicmachine
Author

@ltcarbonell I'll give this a try and let you know. Thanks!

@nordicmachine
Author

@ltcarbonell I just built your updated PR and tested. Using max_page_size = -1 works. I'm able to configure and use LDAP against our directory with this setting. Thanks for your work on this!
