LDAP Auth Backend - LDAP bind failed: LDAP Result Code 49 "Invalid Credentials":


Chris Murphy

Mar 15, 2016, 11:18:47 AM
to Vault
Hi Guys,

I am new to Vault 0.5.0 and have been trying for the past 2 days to get Vault talking to my LDAP auth backend.

vault write auth/ldap/config url="ldap://ldapserver.company.com:389" userattr=mail userdn="ou=ldapserver,o=company.com" insecure_tls=true starttls=true

I am trying to verify a user by having them enter their email address and password.

vault auth -method=ldap username=Ch...@company.com
password: hello

I get back

Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/ldap/login/Ch...@company.com
Code: 400. Errors:

* LDAP bind failed: LDAP Result Code 49 "Invalid Credentials":

Any help would be great.

Michael Fischer

Mar 15, 2016, 11:26:35 AM
to vault...@googlegroups.com
Does your LDAP server permit anonymous binding?  If not, you'll need to specify a "binddn" and "bindpass" when configuring the LDAP backend, so that it can authenticate itself to the LDAP server. 

Best regards,

--Michael

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/86003a6e-cf75-4800-a542-2ba017edf4a4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Chris Murphy

Mar 15, 2016, 11:30:54 AM
to Vault


Yes, my LDAP server permits anonymous binding. I use ldapsearch to test my connection, adding in -x for anonymous, to find my email address in LDAP.

Jeff Mitchell

Mar 15, 2016, 12:16:18 PM
to vault...@googlegroups.com
Hi Chris,

One thing you could try is 0.5.1 since it has some fixes to properly
escape values being provided to search filters, although I don't think
it's strictly related to this.

Another is you could try setting "upndomain" in your configuration.
This is meant for when you're using user principals in your domain,
e.g. [username]@[upndomain]. Basically the bind dn that is constructed
follows one of two formats:

1) [username]@[upndomain] (used if the upndomain is set)
2) [userattr]=[username],[userdn]

So depending on whether you are using userPrincipalName this may be of use.

Any chance you can compare against the various bind DN/user DN/other
values in use in other software in your org?

Thanks,
Jeff


Chris Murphy

Mar 15, 2016, 12:25:09 PM
to Vault

Thank you Michael and Jeff

Will try out the settings above and will let you know how I get on..

Clay Bowen

Mar 15, 2016, 12:35:38 PM
to Vault
I posted in this forum (a long time ago) a guide showing how to link Vault to LDAP - you may find it useful.

Thanks,
Clay

Chris Murphy

Mar 16, 2016, 7:12:14 AM
to Vault

Hi guys, no luck with the above changes; upndomain is not working. It will not write to ldap/config.

So I tried ldapsearch first and this works:

ldapsearch -h users.forms.com -p 389 -x -D "uid=123456,c=ie,ou=users,o=forms.com" -b "ch...@ie.forms.com" -W
Enter ldap password : 123456
Found Email

Changed this over to vault write to try and bind a user and password:
vault write auth/ldap/config url="ldap://users.forms.com:389" userattr=mail userdn="ou=users,o=forms.com" binddn="uid=123456,c=ie,ou=users,o=forms.com" bindpass="123456" insecure_tls=false starttls=true

vault auth -method=ldap username=ch...@ie.forms.com
password : 123456

Put http://127.0.0.1:8200/v1/auth/ldap/login/ch...@ie.forms.com: net/http: request canceled (Client.Timeout exceeded while awaiting headers)


vault read auth/ldap/config

binddn        uid=123456,c=ie,ou=users,o=forms.com
bindpass      123456
certificate
discoverdn    false
groupdn
insecure_tls  false
starttls      true
upndomain
url           ldap://users.forms.com:389
userattr      mail
userdn        ou=users,o=forms.com

I looked at Clay Bowen's guide and all I am getting is Code 49 "Invalid Credentials".


Jeff Mitchell

Mar 16, 2016, 9:27:08 AM
to vault...@googlegroups.com
Hi Chris,

On Wed, Mar 16, 2016 at 7:12 AM, Chris Murphy
<chrismich...@gmail.com> wrote:
> ldapsearch -h users.forms.com -p 389 -x -D
> "uid=123456,c=ie,ou=users,o=forms.com" -b "ch...@ie.forms.com" -W
> Enter ldap password : 123456
> Found Email
>
> Changes this over to vault write to try and bind a user and password
> vault write auth/ldap/config url="ldap://users.forms.com:389" userattr=mail
> userdn="ou=users,o=forms.com" binddn="uid=123456,c=ie,ou=users,o=forms.com"
> bindpass="123456" insecure_tls=false starttls=true

In your ldapsearch command you are not using TLS, but you have
'starttls=true' set in your Vault config. This could certainly cause a
timeout problem, if Vault is waiting expecting to establish a TLS
session.

Any chance you can get ldapsearch to spit out more details about the
found user? In Vault, once there is a successful bind with a set bind
DN/bind password, it does a subtree search under the user DN with a
filter of (in your case) '(mail=ch...@ie.forms.com)'. The value that
is returned is passed verbatim into authentication. It'd be nice to
verify from ldapsearch that your user DN is correct and that this
constructed DN from the search is what is expected.

Thanks,
Jeff
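As an added example (not Vault's own code and not from anyone in this thread), the Go sketch below models the two bind-DN formats Jeff lists in his first reply and the bind-then-subtree-search flow he describes in the reply above, including the filter escaping he mentions for 0.5.1. The Config type, the SampleDir directory and the address user@ie.forms.com are constructed stand-ins; the single entry mirrors the DN and mail attribute from Chris's ldapsearch output in this thread.

```go
package main

import ("fmt"; "strings")

// Config mirrors the auth/ldap/config fields discussed in the thread.
type Config struct {
	UserAttr, UserDN, UPNDomain string // UPNDomain is empty when upndomain is unset
}

// Entry is a minimal LDAP entry; SampleDir is a constructed stand-in for the
// server, holding only the entry from the ldapsearch output in the thread.
type Entry struct {
	DN    string
	Attrs map[string]string
}

var SampleDir = []Entry{{
	DN:    "uid=A12345678,c=ie,ou=users,o=forms.com",
	Attrs: map[string]string{"uid": "A12345678", "mail": "user@ie.forms.com"},
}}

// escapeFilter escapes a value for an RFC 4515 search filter (the kind of
// escaping Jeff says 0.5.1 fixed).
func escapeFilter(v string) string {
	return strings.NewReplacer(`\`, `\5c`, `*`, `\2a`, `(`, `\28`, `)`, `\29`).Replace(v)
}
// escapeDN escapes the special characters of an RFC 4514 DN attribute value.
func escapeDN(v string) string {
	return strings.NewReplacer(`\`, `\\`, `,`, `\,`, `+`, `\+`, `"`, `\"`, `<`, `\<`, `>`, `\>`, `;`, `\;`).Replace(v)
}
// BindDN is the DN built when no binddn is set: format 1 with upndomain, else format 2.
func BindDN(c Config, username string) string {
	if c.UPNDomain != "" {
		return username + "@" + c.UPNDomain
	}
	return fmt.Sprintf("%s=%s,%s", c.UserAttr, escapeDN(username), c.UserDN)
}
// SearchFilter is the subtree filter used after a successful service bind.
func SearchFilter(c Config, username string) string {
	return fmt.Sprintf("(%s=%s)", c.UserAttr, escapeFilter(username))
}
// DiscoverDN runs that search over dir: entries under userdn whose userattr
// equals the login name. The DN found is the one that is then bound.
func DiscoverDN(dir []Entry, c Config, username string) (string, bool) {
	for _, e := range dir {
		if strings.HasSuffix(e.DN, ","+c.UserDN) && e.Attrs[c.UserAttr] == username {
			return e.DN, true
		}
	}
	return "", false
}
```

With userattr=mail and no binddn, format 2 produces mail=user@ie.forms.com,ou=users,o=forms.com, which is not the entry's real DN (uid=...,c=ie,ou=users,o=forms.com), so that bind cannot succeed; with a service binddn the search resolves the real DN first, which is the case to compare against when chasing a Code 49.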

Chris Murphy

Mar 16, 2016, 10:24:21 AM
to Vault
Hi

Did an ldapsearch on my email and here is what I got back:
#
# LDAPv3
# base <c=ie,ou=users,o=forms.com> with scope subtree
# filter: preferredIdentity=ch...@ie.forms.com
# requesting: ALL
#

# A12345678, ie, users, forms.com
dn: uid=A12345678,c=ie,ou=users,o=forms.com
objectClass: persons
objectClass: formspersons
objectClass: eeePerson
ou: users
o: forms.com
SerialNumber: A12345678
employeeCountryCode: 111
locationCity: DUB
uid: A12345678
c: ie
serialNumber: A12345678
emailAddress: ch...@ie.forms.com
mail: ch...@ie.forms.com
notesShortName: cmurphy
preferredIdentity: ch...@ie.forms.com
primaryUserId: cmurphy
sn: murphy
callupName: murphy, chris
cn: chris murphy
givenName: chris
divDept: dept=V12,div=11,ou=users,o=forms.com

