auth/ldap: fix login errors #26200
This fixes 2 ldap auth login errors

* Missing entity alias attribute value
  * Vault relies on case insensitive user attribute keys for mapping user attributes to entity alias metadata. This sets the appropriate configs in the cap library.
* ldap group search anonymous bind regression
  * Anonymous group searches can be rejected by some LDAP servers if they contain a userDN. This sets the configs in the cap library to specify unauthenticated binds for anonymous group searches should exclude a DN.

Closes #26171
Closes #26183
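The first failure described above, modelled as an added example that is not code from this PR, from Vault, or from the cap library: an exact-case lookup of configured attribute names misses when the directory returns the same attribute with different casing, and lower-casing both sides resolves it. The function names, the sample entry, the configured names and the choice to take the first value are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// lowerKeys returns a copy of an entry's attributes with every key lower-cased.
// LDAP attribute names are case-insensitive, so a server may return
// "sAMAccountName" where the configuration says "samaccountname".
func lowerKeys(attrs map[string][]string) map[string][]string {
	out := make(map[string][]string, len(attrs))
	for k, v := range attrs {
		lk := strings.ToLower(k)
		out[lk] = append(out[lk], v...)
	}
	return out
}

// aliasMetadata (hypothetical helper) resolves each configured attribute name
// against the entry. normalize=false is the exact-case lookup that fails;
// normalize=true lower-cases both the entry keys and the configured names.
func aliasMetadata(configured []string, attrs map[string][]string, normalize bool) (map[string]string, error) {
	if normalize {
		attrs = lowerKeys(attrs)
	}
	md := make(map[string]string, len(configured))
	for _, name := range configured {
		key := name
		if normalize {
			key = strings.ToLower(name)
		}
		vals := attrs[key]
		if len(vals) == 0 {
			return nil, fmt.Errorf("missing entity alias attribute value for %q", name)
		}
		md[name] = vals[0] // assumption: the first value is used
	}
	return md, nil
}

func main() {
	// Constructed sample entry, keyed the way a directory might return it.
	entry := map[string][]string{"sAMAccountName": {"jdoe"}, "Mail": {"jdoe@example.test"}}
	configured := []string{"samaccountname", "mail"} // constructed config values
	_, err := aliasMetadata(configured, entry, false)
	fmt.Println("exact-case lookup:", err)
	md, err := aliasMetadata(configured, entry, true)
	fmt.Println("normalized lookup:", md, err)
}
```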
LGTM once we figure out go.mod issues.
* auth/ldap: fix login errors

  This fixes 2 ldap auth login errors

  * Missing entity alias attribute value
    * Vault relies on case insensitive user attribute keys for mapping user attributes to entity alias metadata. This sets the appropriate configs in the cap library.
  * ldap group search anonymous bind regression
    * Anonymous group searches can be rejected by some LDAP servers if they contain a userDN. This sets the configs in the cap library to specify unauthenticated binds for anonymous group searches should exclude a DN.

  Closes #26171
  Closes #26183

* changelog
* go mod tidy
* go get cap/ldap@latest and go mod tidy
Hi, when will the fix be available via the repo?
@usernamemikem Hello, the fix is available in the 1.16.1 release https://github.com/hashicorp/vault/releases/tag/v1.16.1
Thank you so much for letting me know!
@hennadii2012 What does your LDAP auth config look like?
P.S.
The latest version fixed it for me. But some of my attributes are a bit different than yours. User Attribute = samaccountname. I hope that helps.
My LDAP provider does not work with those params. I am using the list that had been taken from the official documentation.
@hennadii2012 In 1.16, Vault switched to a different LDAP package, which is likely why you're seeing a regression in behavior here. One thing that jumps out from your config is the
Continuing the discussion over here: #26568