Vault LDAP error authenticating #4359
Comments
Your hosts appear to be different as do your bind details. One thing that will certainly cause problems is you have a typo: "comopanyGroupName"
Thanks Jeff. Sorry for the typo. While editing the original entry, I made a mistake, but otherwise it's companyGroupName. Are you referring to the different hostnames between ldapsearch -h lookup.comp.com and url="ldap://corp.company.com:389"?
// , Looks like he's saying that, yes. Were you ever able to get it resolved?
Hello, I see what I believe is the same issue locally. Doing an returns the groups for the specific user, but I get
FWIW, this is with
I should add, removing the groups DN (which causes Vault to not look up groups) works correctly, modulo the group functionality.
Same issue here with Vault v1.1.3. If I run
Based on what I can see in the OpenLDAP server logs the issue, at least in my case, is that the group membership query is performed with bind as the user trying to log in instead of the
FWIW this worked for me after explicitly setting up
@pocvault have you re-attempted this more recently and in the context of the notes provided above? - is this issue still relevant?
Issues that are not reproducible and/or not had any interaction for a long time are stale issues. Sometimes even the valid issues remain stale lacking traction either by the maintainers or the community. In order to provide faster responses and better engagement with the community, we strive to keep the issue tracker clean and the issue count low. In this regard, our current policy is to close stale issues after 30 days. Closed issues will still be indexed and available for future viewers. If users feel that the issue is still relevant but is wrongly closed, we encourage reopening them. Please refer to our contributing guidelines for details on issue lifecycle.
Hi,
I tried to post this issue to the Vault Google group, but I do not have permission to create a new topic. Not sure I can raise it here.
We are trying to set up LDAP auth and have gone through the Vault LDAP documentation and links. Below are the LDAP configs.
vault write auth/ldap/config url="ldap://corp.company.com:389" userdn="ou=people,o=company" discoverdn=true userattr=companydsid \
  groupdn="ou=groupmembers,ou=groups,o=company" groupfilter="(&(objectClass=companygroupmember)(comopanyGroupName::={{.companyUniqueMember}}))" \
  groupattr="cn" insecure_tls=false
We also tried to search for a specific employee who is in the test group. This successfully returns the login details.
ldapsearch -xLLL -h lookup.comp.com -b "ou=groupmembers,ou=groups,o=company" "(&(objectClass=companygroupmember)(companyGroupName=test)(companyUniqueMember=111111))"
Then we mapped it to the group and user policy.
vault write auth/ldap/groups/test policies=root
vault write auth/ldap/users/username groups=test policies=root
But when I try to log in from Vault, I get the following error. Not sure where the mistake is. Can you please guide us here?
$ vault login -method=ldap username=username
Password (will be hidden):
Error authenticating: Error making API request.
URL: PUT http://127.0.0.1:8500/v1/auth/ldap/login/username
Code: 400. Errors:
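The report above hinges on how Vault turns the groupfilter setting into the LDAP query it runs for group lookup, and a later comment notes that the query may run under a different bind identity than expected. The following added example (written for this page, not code from the Vault project) renders a groupfilter the way Vault's LDAP auth method documents it: only {{.Username}} and {{.UserDN}} are available as template variables, substituted values are escaped per RFC 4515 so they cannot change the filter's structure, and any other placeholder is rejected. It then prints the ldapsearch command that reproduces the same query under an explicit bind account, so the lookup can be tested outside Vault. The bind DN, user DN and group attribute values are constructed placeholders, and the claim that this matches Vault's rendering exactly is my assumption based on the documented template variables.

```python
import re
import shlex

# Context variables Vault's LDAP auth method documents for the groupfilter
# Go template: {{.Username}} and {{.UserDN}}. Nothing else is available.
VAULT_GROUPFILTER_VARS = frozenset({"Username", "UserDN"})

# Matches a {{.Name}} placeholder, tolerating whitespace inside the braces.
TEMPLATE_RE = re.compile(r"\{\{\s*\.(\w+)\s*\}\}")

# RFC 4515 escaping for values embedded in an LDAP search filter. Each character
# is mapped independently, so a backslash is never escaped twice.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the structure of the filter it lands in."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def check_parens(filter_str: str) -> bool:
    """Cheap sanity check for hand-written filters: parentheses must balance."""
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def render_groupfilter(groupfilter: str, username: str, user_dn: str) -> str:
    """Render groupfilter with the two supported variables, rejecting any other
    placeholder (Vault provides no value for it) and unbalanced output."""
    unknown = sorted(set(TEMPLATE_RE.findall(groupfilter)) - VAULT_GROUPFILTER_VARS)
    if unknown:
        raise ValueError(f"groupfilter uses variables Vault does not provide: {unknown}")
    ctx = {"Username": escape_filter_value(username), "UserDN": escape_filter_value(user_dn)}
    rendered = TEMPLATE_RE.sub(lambda m: ctx[m.group(1)], groupfilter)
    if not check_parens(rendered):
        raise ValueError(f"unbalanced parentheses in rendered filter: {rendered}")
    return rendered


def ldapsearch_command(url: str, binddn: str, groupdn: str, rendered_filter: str, groupattr: str) -> str:
    """Build the ldapsearch invocation that reproduces the group lookup under an
    explicit bind DN (-D/-W) rather than an anonymous (-x only) search."""
    return shlex.join(["ldapsearch", "-xLLL", "-H", url, "-D", binddn, "-W",
                       "-b", groupdn, rendered_filter, groupattr])


if __name__ == "__main__":
    # Constructed config in the shape of the one in the issue; binddn is a placeholder.
    cfg = {
        "url": "ldap://corp.company.com:389",
        "binddn": "cn=vault-bind,ou=service,o=company",
        "groupdn": "ou=groupmembers,ou=groups,o=company",
        "groupfilter": "(&(objectClass=companygroupmember)(companyUniqueMember={{.Username}}))",
        "groupattr": "cn",
    }
    user_dn = "companydsid=111111,ou=people,o=company"  # constructed user DN
    rendered = render_groupfilter(cfg["groupfilter"], "111111", user_dn)
    print(ldapsearch_command(cfg["url"], cfg["binddn"], cfg["groupdn"], rendered, cfg["groupattr"]))
    # A placeholder Vault does not know about is caught before any query is sent.
    try:
        render_groupfilter("(companyUniqueMember={{.companyUniqueMember}})", "111111", user_dn)
    except ValueError as err:
        print("rejected:", err)
```

Running the printed ldapsearch command with the same bind account Vault is configured with (or, to mirror the behaviour described in the comments, with the logging-in user's own DN) shows whether the server returns the expected group entries for that identity; an empty result there points at directory ACLs or the filter rather than at Vault.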