Vault LDAP auth failed


Pooja

Sep 3, 2020, 12:45:44 PM
to Vault
Hi,

I'm trying to integrate LDAP with Vault. I've provided the required configuration, but it seems to be failing to bind to the user DN.

Below are the configured LDAP group and the user associated with it.

1. To search a group
ldapsearch -x -H ldap://HOST -LL -b "cn=testgroup,ou=Group,dc=example,dc=com"
version: 1

dn: cn=testgroup,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: techmgr
gidNumber: 1602
memberUid: testuser

2. To search a user
ldapsearch -x -H ldap://HOST -LL -b "uid=testuser,ou=People,dc=example,dc=com"
version: 1

dn: uid=testuser,ou=People,dc=example,dc=com
uid: testuser
cn: testuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 0
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1619
shadowMax: 180
gidNumber: 1003
shadowExpire: 19999
homeDirectory: /home/testuser
userPassword:: XXX
shadowLastChange: 18333


Below is the configuration set for LDAP:
vault write auth/ldap/config \
  url="ldap://HOST" \
  binddn="dc=example,dc=com" \
  bindpass="P@ssword1" \
  groupdn="ou=Group,dc=example,dc=com" \
  groupattr="cn" \
  userdn="ou=People,dc=example,dc=com" \
  userattr="uid"

I'm constantly seeing the error below with the above configuration:
Error: Authentication failed: ldap operation failed: unable to retrieve user bind DN

Can someone help with what may have gone wrong in the config?


Thanks,
Pooja
avo...@gmail.com

Sep 4, 2020, 1:40:57 PM
to Vault
You have the wrong binddn parameter set; it should be the DN of a particular user which has permissions to read everything under groupdn and userdn.

Pooja

Sep 4, 2020, 2:17:08 PM
to Vault
I've observed the group- and user-level DNs below.

dn: cn=testgroup,ou=Group,dc=example,dc=com
dn: uid=testuser,ou=People,dc=example,dc=com

I've tried applying the above details in the binddn attribute, but it makes no difference; the same error is constantly thrown.

Can you help me understand what the exact configuration for LDAP should be, considering the uid is testuser and the group is testgroup?

Mark Young

Sep 4, 2020, 3:36:32 PM
to vault...@googlegroups.com

Pooja,

There are pieces you appear to be missing or confusing. This took me a bit to figure out too. As mentioned by another person, your binddn does not look correct. It should be a complete DN to a user, e.g. uid=binduser,ou=people,dc=example,dc=com

Below is the approach I used when setting up Vault LDAP auth.

As a reference: https://www.vaultproject.io/docs/auth/ldap

  1. Are you using a bind user and password with your ldapsearch? Your ldapsearch example has no params for a bind listed on the command line. Check your ldap.conf to see what is being used for binding, if anything, e.g. is there a default bind user and password being supplied if not specified on the command line for the ldapsearch? If you find there is, check that the bind works with ldapsearch as expected when the params are provided on the command line, as a sanity check.
  2. Update the Vault policy: either remove binddn and bindpass if using anonymous bind, or update binddn with the correct bind DN if using simple bind.
  3. Check your LDAP slapd log for errors related to the Vault communication. I find that they can help a lot in troubleshooting.
  4. Depending on your LDAP environment config you may need to specify insecure_tls=true
  5. Once you are seeing a successful bind in LDAP and Vault, you will need to make sure the authenticated Vault user matches a policy to be able to authenticate with this method (see the reference URL above).

Hope these tips help.

--
On September 15 at 5pm EDT, inbound messages to this group will be disabled, and it will be used for outbound announcements only. To prepare for this switch, please direct questions and conversations to our primary medium to communicate with practitioners: https://discuss.hashicorp.com/c/vault/30. We look forward to collaborating with you there!

GitHub Issues: https://github.com/hashicorp/vault/issues

This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/8d2226a4-5687-4692-b56c-23d2e2944560n%40googlegroups.com.


avo...@gmail.com

Sep 5, 2020, 1:07:18 PM
to Vault
If you had ldapsearch executed on the same host where the OpenLDAP server was installed, it is implicitly executed in the context of root privileges; to make it work in Vault you have to create another service user.

Pooja

Sep 5, 2020, 1:44:14 PM
to Vault
Thanks Avo, Mark. Appreciate your help.

The configuration and steps below have helped me log in through LDAP successfully.

vault auth enable ldap

vault write auth/ldap/config \
  url="ldap://HOST" \
  userdn="ou=People,dc=example,dc=com" \
  userattr="uid" \
  groupdn="ou=Group,dc=example,dc=com" \
  groupattr="cn"

vault write auth/ldap/groups/securities policies=security

vault write auth/ldap/users/testuser groups=securities policies=security

curl \
--request POST \
--data '{"password": "<password>"}' \

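Added example, not code from the thread or from Vault: a small offline linter for the auth/ldap/config parameters discussed above. It models the two bind paths Vault documents (bind as a service account and then search for the user, or bind directly as the user with a DN built from userattr and userdn), flags the mistake in the first post (binddn set to the base DN rather than a user entry), renders the ldapsearch sanity check from Mark's step 1 with the bind identity spelled out instead of taken from ldap.conf or a local root session, and names the documented login endpoint the final curl was aimed at. The user and group filters are Vault's documented defaults; the "container attribute" heuristic in lint() and the sample configs (copied from the two posts, with HOST and the placeholder password left as posted) are this example's own assumptions. It talks to no LDAP server.

```python
"""Lint a Vault auth/ldap/config the way a practitioner debugging
'unable to retrieve user bind DN' would.  Example code, not Vault's."""
import shlex
from urllib.parse import urlparse

# Vault's documented default userfilter / groupfilter templates.
DEFAULT_USER_FILTER = "({userattr}={username})"
DEFAULT_GROUP_FILTER = "(|(memberUid={username})(member={userdn})(uniqueMember={userdn}))"
# Heuristic (this example's assumption): an RDN made only of these
# attributes names a container or base, never a bindable user entry.
CONTAINER_ATTRS = {"dc", "o", "ou"}

# Constructed sample inputs: the first post's config and the final working one.
FIRST_CONFIG = {
    "url": "ldap://HOST", "binddn": "dc=example,dc=com", "bindpass": "P@ssword1",
    "groupdn": "ou=Group,dc=example,dc=com", "groupattr": "cn",
    "userdn": "ou=People,dc=example,dc=com", "userattr": "uid",
}
WORKING_CONFIG = {k: v for k, v in FIRST_CONFIG.items() if k not in ("binddn", "bindpass")}


def parse_dn(dn):
    """Split a DN into (attr, value) RDNs, honouring backslash-escaped commas."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # keep escape and escaped char
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    rdns.append(cur)
    out = []
    for rdn in rdns:
        attr, _, val = rdn.strip().partition("=")
        out.append((attr.strip().lower(), val.strip()))
    return out


def bind_mode(cfg):
    """'search': bind as binddn, then search userdn for the user.
    'direct': no bind credentials, so Vault binds as the user with a built DN."""
    return "search" if cfg.get("binddn") and cfg.get("bindpass") else "direct"


def user_bind_dn(cfg, username):
    """DN Vault binds with in direct mode (what the final working config relies on)."""
    return f"{cfg['userattr']}={username},{cfg['userdn']}"


def user_search_filter(cfg, username):
    return DEFAULT_USER_FILTER.format(userattr=cfg["userattr"], username=username)


def group_search_filter(cfg, username):
    # memberUid matches the posixGroup shown in the first post.
    return DEFAULT_GROUP_FILTER.format(username=username, userdn=user_bind_dn(cfg, username))


def lint(cfg):
    """Return findings (empty list = nothing obviously wrong)."""
    findings = []
    binddn = cfg.get("binddn")
    if binddn:
        if all(attr in CONTAINER_ATTRS for attr, _ in parse_dn(binddn)):
            findings.append("binddn names a base/container, not a user entry; "
                            "use a service account's full DN, e.g. uid=binduser,<userdn>")
        if not cfg.get("bindpass"):
            findings.append("binddn set without bindpass")
    if urlparse(cfg["url"]).scheme == "ldap" and not cfg.get("starttls"):
        findings.append("ldap:// without starttls=true: bindpass and user passwords "
                        "cross the network in cleartext")
    if cfg.get("insecure_tls"):
        findings.append("insecure_tls=true disables certificate verification; lab use only")
    return findings


def ldapsearch_check(cfg, username):
    """Mark's step 1: reproduce Vault's user lookup with an explicit bind identity.
    -w puts the password in argv (visible in ps); prefer -y <file> outside a lab."""
    cmd = ["ldapsearch", "-x", "-H", cfg["url"], "-LLL", "-b", cfg["userdn"], "-s", "sub"]
    if bind_mode(cfg) == "search":
        cmd += ["-D", cfg["binddn"], "-w", cfg["bindpass"]]
    else:
        cmd += ["-D", user_bind_dn(cfg, username), "-W"]   # prompt for the user's password
    cmd.append(user_search_filter(cfg, username))
    return shlex.join(cmd)


def login_url(vault_addr, username):
    """Documented login endpoint behind `vault login -method=ldap username=...`."""
    return f"{vault_addr.rstrip('/')}/v1/auth/ldap/login/{username}"


if __name__ == "__main__":
    for name, cfg in (("first post", FIRST_CONFIG), ("working", WORKING_CONFIG)):
        print(f"{name}: mode={bind_mode(cfg)} findings={lint(cfg)}")
        print("  ", ldapsearch_check(cfg, "testuser"))
    print(group_search_filter(WORKING_CONFIG, "testuser"))
    print(login_url("http://127.0.0.1:8200", "testuser"))
```

Run it and the first config is reported as bind-and-search with a binddn that is only a base DN, which is exactly why the search for the user's DN never succeeds; the final config runs in direct-bind mode, so the user's own credentials are the bind, and the only remaining finding is the cleartext ldap:// URL, which is worth fixing (starttls=true or ldaps://) before this goes anywhere near production.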

Alexandra Freeman

Sep 15, 2020, 10:19:57 PM
to Vault

Hello and thank you for your email!

On June 3, 2019 HashiCorp launched Discuss, a forum to facilitate dialogue within the HashiCorp community. This format allows answers to be more readily searched and indexed, making it easier to find answers to existing questions and to share knowledge with each other.

The HashiCorp team will be shifting to interact with practitioners on the forum, and we will be phasing out the Google Groups; on September 15, inbound messages to this group will be disabled, and it will be used for outbound announcements only.

To prepare for this switch, please direct questions and conversations to the Vault discussion forum. We look forward to collaborating with you there!