LDAP search failed: LDAP Result Code 50 "Insufficient Access Rights" #18875
Comments
@nordicmachine - Thanks for reporting this. We will consider an option to enable/disable paging. (cc @ltcarbonell @jasonodonnell as this is related to #17640).
It is fairly common for LDAP servers to have a policy on the maximum size of a page, that can be configured by the local administrators. For this reason, as mentioned in "Additional context", it shouldn't be just an on/off setting.
@nordicmachine thank you for pointing this out! I put together a PR that should be able to handle this here. I am having trouble setting up an LDAP server that doesn't support paging on my end to test it out. Would you be able to test it out against your LDAP setup to make sure this actually solves your issue? Or perhaps provide some insight on how we can set this up to test on our side.
@ltcarbonell I built your PR, set If you're testing on OpenLDAP
@nordicmachine just wanted to update you that I haven't forgotten about this issue. I've been running into some issues disabling paging on my end. I will let you know when I make some progress on this.
Thanks for the update @ltcarbonell - let me know if there's anything else I can help with.
Hey @nordicmachine, I wanted to let you know that I've made some changes to #19032. Would you be willing to try it out for us? You can use
@ltcarbonell I'll give this a try and let you know. Thanks!
@ltcarbonell I just built your updated PR and tested. Using
Describe the bug
Authenticating with the LDAP backend fails since the introduction of paging (see #7702). When attempting to login, the error "Insufficient Access Rights" is returned:
To Reproduce
Steps to reproduce the behavior:
vault login -method=ldap username=user@example.com
Expected behavior
Login to succeed.
Note: Would have expected there to be a configuration option in the ldap backend config to disable paging
Environment:
vault status: 1.12.2
vault version: 1.12.1
Vault server configuration file(s):
Additional context
Our directory server does not permit paging at all, even though it advertises it as a supported control. I'm unable to change the directory server to permit paging as it is centrally managed at our company and my team does not have access to do so. We have run into this issue with other applications, and in most cases, the application provides a mechanism to disable paging. I also found in #8310 (comment) that it was suggested to implement a setting to set the page size (or 0 to disable paging), but this was not implemented when the feature was added.
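The page-size setting suggested in "Additional context" (0 disables paging), modelled against a server that refuses the paged-results control. This is an added example, not Vault's code or the code of the PR discussed here; `fakeDir`, `SearchAll` and `maxPageSize` are hypothetical names and the server is a constructed in-memory stand-in.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrInsufficientAccess mirrors the error text in this issue (constructed model).
var ErrInsufficientAccess = errors.New(`LDAP Result Code 50 "Insufficient Access Rights"`)

// fakeDir is a hypothetical server; rejectPaging refuses the RFC 2696 control.
type fakeDir struct {
	entries      []string
	rejectPaging bool
}

// Search treats pageSize 0 as "no control sent"; the cookie is the next offset.
func (d fakeDir) Search(pageSize int, cookie []byte) ([]string, []byte, error) {
	if pageSize > 0 && d.rejectPaging {
		return nil, nil, ErrInsufficientAccess
	}
	start := 0
	if len(cookie) == 1 {
		start = int(cookie[0])
	}
	if pageSize == 0 || start+pageSize >= len(d.entries) {
		return d.entries[start:], nil, nil
	}
	return d.entries[start : start+pageSize], []byte{byte(start + pageSize)}, nil
}

// SearchAll gathers every entry; maxPageSize 0 (operator config) disables paging.
func SearchAll(d fakeDir, maxPageSize int) ([]string, error) {
	var all []string
	var cookie []byte
	for {
		page, next, err := d.Search(maxPageSize, cookie)
		if err != nil {
			return nil, fmt.Errorf("LDAP search failed: %w", err)
		}
		all = append(all, page...)
		if len(next) == 0 { // empty cookie: no more pages
			return all, nil
		}
		cookie = next
	}
}

func main() {
	fmt.Println(SearchAll(fakeDir{[]string{"a", "b", "c"}, true}, 0))
}
```

A non-zero `maxPageSize` also lets the operator stay under a server-side page limit, which is why a plain on/off switch would not cover both cases raised in the thread.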