
Vault LDAP error authenticating #4359

Closed
pocvault opened this issue Apr 14, 2018 · 10 comments
Labels
auth/ldap bug Used to indicate a potential bug

Comments

@pocvault

Hi,
I tried to post this issue to vault google group. But I do not have permission to create a new topic. Not sure I can raise it here.

We are trying to setup the LDAP auth and gone through the vault LDAP documentations and links. Below are the ldap configs.

vault write auth/ldap/config url="ldap://corp.company.com:389" userdn="ou=people,o=company" discoverdn=true userattr=companydsid
groupdn="ou=groupmembers,ou=groups,o=company" groupfilter="(&(objectClass=companygroupmember)(comopanyGroupName::={{.companyUniqueMember}}))"
groupattr="cn" insecure_tls=false

Then we also tried to search for specific employee which is under test group. This successfully returns the login details.

ldapsearch -xLLL -h lookup.comp.com -b "ou=groupmembers,ou=groups,o=company" "(&(objectClass=companygroupmember)(companyGroupName=test)(companyUniqueMember=111111))"

Then mapped it to the group and user policy.

vault write auth/ldap/groups/test policies=root
vault write auth/ldap/users/username groups=test policies=root

But when I tried to login from vault, I get the following error. Not sure where is the mistake. Can you please guide us here?

$ vault login -method=ldap username=username
Password (will be hidden):
Error authenticating: Error making API request.

URL: PUT http://127.0.0.1:8500/v1/auth/ldap/login/username
Code: 400. Errors:

  • LDAP search for binddn failed: LDAP Result Code 32 "No Such Object":
@jefferai
Member

Your hosts appear to be different as do your bind details. One thing that will certainly cause problems is you have a typo: "comopanyGroupName"

@pocvault
Author

Thanks Jeff. Sorry for the typo. While editing the original entry, I made a mistake. But otherwise it's companyGroupName.

Are you saying the different hostname between ldapsearch -h lookup.comp.com & url="ldap://corp.company.com:389" ?

@v6
Contributor

v6 commented Jan 31, 2019

// , Looks like he's saying that, yes. Were you ever able to get it resolved?

@PerilousApricot

Hello,

I see what I believe is the same issue locally. Doing an returns the groups for the specific user, but I get Authentication failed: LDAP search failed: LDAP Result Code 32 "No Such Object": if I have LDAP groups configured. Looking at my ldap server, I see (sanitized)

slapd[17127]: conn=991670 fd=45 ACCEPT from IP=10.0.0.20:47488 (IP=0.0.0.0:636)
slapd[17127]: conn=991670 fd=45 TLS established tls_ssf=256 ssf=256
slapd[17127]: conn=991670 op=0 BIND dn="uid=myuser,ou=People,dc=domain,dc=com" method=128
slapd[17127]: conn=991670 op=0 BIND dn="uid=myuser,ou=People,dc=domain,dc=com" mech=SIMPLE ssf=0
slapd[17127]: conn=991670 op=0 RESULT tag=97 err=0 text=
slapd[17127]: conn=991670 op=1 SRCH base="ou=Groups,dc=domain,dc=com" scope=2 deref=0 filter="(|(memberUid=myuser)(member=uid=myuser,ou=people,dc=domain,dc=com)(uniqueMember=uid=myuser,ou=people,dc=domain,dc=com))"
slapd[17127]: conn=991670 op=1 SRCH attr=cn
slapd[17127]: conn=991670 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
slapd[17127]: conn=991670 fd=45 closed (connection lost)

FWIW, this is with openldap-2.4.44-5.el7 on centos 7, x86_64. I'm not sure if this is the same underlying cause as #6111
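
The slapd log above shows the filter Vault's default groupfilter renders to. The following Go snippet is an added example, not Vault's code: it renders a groupfilter template the way Vault's LDAP docs describe (the template only sees `UserDN` and `Username`, both escaped per RFC 4515), so an operator can check a custom filter before pointing Vault at a directory. Rendering the template from the original report fails because `.companyUniqueMember` is not one of the values Vault supplies.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// groupFilterContext holds the two values Vault's docs expose to the
// groupfilter template: the authenticated user's DN and username.
type groupFilterContext struct {
	UserDN   string
	Username string
}

// escapeFilter escapes a value for use inside an LDAP search filter (RFC 4515).
func escapeFilter(s string) string {
	r := strings.NewReplacer(`\`, `\5c`, `*`, `\2a`, `(`, `\28`, `)`, `\29`, "\x00", `\00`)
	return r.Replace(s)
}

// renderGroupFilter renders a Vault-style groupfilter template. A field the
// context does not have (e.g. {{.companyUniqueMember}}) is an execution error.
func renderGroupFilter(tmpl, username, userDN string) (string, error) {
	t, err := template.New("groupfilter").Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("parse groupfilter: %w", err)
	}
	ctx := groupFilterContext{UserDN: escapeFilter(userDN), Username: escapeFilter(username)}
	var buf bytes.Buffer
	if err := t.Execute(&buf, ctx); err != nil {
		return "", fmt.Errorf("render groupfilter: %w", err)
	}
	return buf.String(), nil
}

// defaultGroupFilter is Vault's documented default groupfilter.
const defaultGroupFilter = `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))`

func main() {
	// Sample user from the slapd log in this thread (constructed input).
	f, err := renderGroupFilter(defaultGroupFilter, "myuser", "uid=myuser,ou=people,dc=domain,dc=com")
	fmt.Println(f, err)
	// Filter from the original report: .companyUniqueMember is not a template value.
	_, err = renderGroupFilter(`(&(objectClass=companygroupmember)(companyGroupName:={{.companyUniqueMember}}))`, "u", "uid=u,o=company")
	fmt.Println(err)
}
```

Compare the rendered default filter with the `SRCH ... filter=` line in the server log; if the base DN in `SRCH base=` does not exist as an entry, the search returns err=32 regardless of the filter.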

@PerilousApricot

I should add, removing the groups DN (which causes Vault to not look up groups) works correctly, modulo the group functionality.

@igoratencompass

Same issue here with Vault v1.1.3. If I run ldapsearch with the same group filter as the default Vault one I certainly get the groups from LDAP and the query returns no errors. Why Vault believes different I have no idea.
I also tried with different group filters that have been confirmed working under various other applications querying the same LDAP server with same outcome.

@igoratencompass

Based on what I can see in the OpenLDAP server logs the issue, at least in my case, is that the group membership query is performed with bind as the user trying to login instead of the binddn user from the config. The error is legit and the search really returns object not found (err=32):

Jul 18 16:50:41 server slapd[3272]: conn=3410195 op=2 SRCH attr=cn
Jul 18 16:50:41 server slapd[3272]: conn=3410195 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=

@igoratencompass

FWIW this worked for me after explicitly setting up discoverdn=false in the config.

@catsby catsby added bug Used to indicate a potential bug auth/ldap labels Nov 8, 2019
@aphorise
Contributor

aphorise commented Aug 9, 2020

@pocvault have you re-attempted this more recently and in the context of the notes provided above? - is this issue still relevant?

@vishalnayak
Member

Issues that are not reproducible and/or not had any interaction for a long time are stale issues. Sometimes even the valid issues remain stale lacking traction either by the maintainers or the community. In order to provide faster responses and better engagement with the community, we strive to keep the issue tracker clean and the issue count low. In this regard, our current policy is to close stale issues after 30 days. Closed issues will still be indexed and available for future viewers. If users feel that the issue is still relevant but is wrongly closed, we encourage reopening them.

Please refer to our contributing guidelines for details on issue lifecycle.
