auth/ldap: fix login errors

[fairclothjm]

This fixes 2 ldap auth login errors

• Missing entity alias attribute value

  • Vault relies on case insensitive user attribute keys for mapping user attributes to entity alias metadata. This sets the appropriate configs in the cap library.

• ldap group search anonymous bind regression

  • Anonymous group searches can be rejected by some LDAP servers if they contain a userDN. This sets the configs in the cap library to specify unauthenticated binds for anonymous group searches should exclude a DN.

Closes #26171
Closes #26183

[github-actions]

CI Results:
All required Go tests succeeded but failures were detected ⚠️
Failures:

Test Type	Package	Test	Logs
race	command/agent	TestAutoAuthSelfHealing_TokenFileAuth_SinkOutput	view test results

[github-actions]

Build Results:
All builds succeeded! ✅

[jasonodonnell]

LGTM once we figure out go.mod issues.

[usernamemikem]

Hi, when will the fix be available via the repo?

[fairclothjm]

@usernamemikem Hello, the fix is available in the 1.16.1 release https://github.com/hashicorp/vault/releases/tag/v1.16.1

[usernamemikem]

Thank you so much for letting me know!

[hennadii2012]

Hello!
I still have an issue with Missing entity alias attribute value on version 1.16.1. What should I do to make it work?

[jasonodonnell]

@hennadii2012 What does your LDAP auth config look like?

[hennadii2012]

Key                          Value                                                      
anonymous_group_search       false                                                      
binddn                                                                                  
case_sensitive_names         false                                                      
certificate                                                                             
connection_timeout           0                                                          
deny_null_bind               true                                                       
dereference_aliases                                                                     
discoverdn                   false                                                      
groupattr                    memberOf                                                   
groupdn                      ou=Groups,dc=example,dc=com                                   
groupfilter                  (&(uniqueMember=uid={{.Username}},ou=Users,dc=example,dc=com))
insecure_tls                 false                                                      
max_page_size                0                                                          
request_timeout              90                                                         
starttls                     false                                                      
tls_max_version              tls12                                                      
tls_min_version              tls12                                                      
token_bound_cidrs            []                                                         
token_explicit_max_ttl       0                                                          
token_max_ttl                0                                                          
token_no_default_policy      false                                                      
token_num_uses               0                                                          
token_period                 0                                                          
token_policies               []                                                         
token_ttl                    0                                                          
token_type                   default                                                    
upndomain                    example.com                                                   
url                          ldaps://ldap.example.com                                  
use_pre111_group_cn_behavior false                                                      
use_token_groups             false                                                      
userattr                     mail                                                       
userdn                       ou=Users,dc=example,dc=com                                    
userfilter                   ({{.UserAttr}}={{.Username}})                              
username_as_alias            false   

P.S.
It works for version 1.15.6 without any issues

[usernamemikem]

The latest version fix it for me. But some of my attributes are a bit different than yours.

User Attribute = samaccountname
Group Filter = (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
Group Attribute = cn
no Group DN

I hope that helps.

[hennadii2012]

My LDAP provider does not work with those params. I am using the list, that had been taken from the official documentation.
Also I do not think, that the reason is in LDAP config as it is, because:

1. For 1.15.6 it works
2. For 1.16.1 it works if username_as_alias option is true (the same as for 1.16.0)

[jasonodonnell]

@hennadii2012 In 1.16, Vault switched to a different LDAP package, and is likely why you're seeing a regression in behavior here. One thing that jumps out from your config is the userattr=mail. I plan on digging into this next week but I suspect that user attribute isn't being returned after cap/ldap queries LDAP.

[jasonodonnell]

Continuing the discussion over here: #26568