I have stood up an Active Directory lab with LDAP services in a non-production environment for experimentation purposes. On a separate box, I'm running Vault.
On the Vault Server:
Terminal 1: ravance@vault:~$ consul agent -dev
Terminal 2: ravance@vault:~$ vault server -dev -dev-listen-address="0.0.0.0:8200"
I can successfully execute ldapsearch to verify access to the AD LDAP services:
ravance@vault:~$ ldapsearch -H ldap://10.37.129.5 -x -D "bind...@tst.com" -b "dc=tst,dc=com" -w 'P@ssw0rd' -xLLL '(sAMAccountName=tstusr)'
Output returned:
dn: CN=SA tstuser,CN=Users,DC=tst,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: SA tstuser
sn: tstusr
givenName: SA
distinguishedName: CN=SA tstuser,CN=Users,DC=tst,DC=com
instanceType: 4
whenCreated: 20190811031618.0Z
whenChanged: 20190825033723.0Z
displayName: SA tstuser
uSNCreated: 49256
memberOf: CN=Domain Admins,CN=Users,DC=tst,DC=com
memberOf: CN=WinRMRemoteWMIUsers__,CN=Users,DC=tst,DC=com
uSNChanged: 98382
name: SA tstuser
objectGUID:: xHftv076ik+j5dSszzpHfw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132115627081336197
lastLogoff: 0
lastLogon: 132115635506970200
pwdLastSet: 132099669782205434
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAATV7oyTaaxG++JcdCVAQAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 125
sAMAccountName: tstusr
sAMAccountType: 805306368
userPrincipalName: tst...@tst.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tst,DC=com
dSCorePropagationData: 20190822141104.0Z
dSCorePropagationData: 20190817030302.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132111778434668037
# refldap://ForestDnsZones.tst.com/DC=ForestDnsZones,DC=tst,DC=com
# refldap://DomainDnsZones.tst.com/DC=DomainDnsZones,DC=tst,DC=com
# refldap://tst.com/CN=Configuration,DC=tst,DC=com
I've enabled LDAP: vault auth enable ldap
And set the config to:
vault write auth/ldap/config \
    url="ldap://10.37.129.5:389" \
    userattr="sAMAccountName" \
    userdn="DC=tst,DC=com" \
    groupdn="DC=tst,DC=com" \
    groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
    groupattr="cn" \
    upndomain="tst.com" \
    binddn="bind...@tst.com" \
    bindpass="P@ssw0rd" \
    insecure_tls=true
And get "Success! Data written to: auth/ldap/config" response.
On a separate box, I can remotely access the Vault Server UI using the root token. Yay!
But when I try to log in via the UI or CLI: ravance@vault:~$ vault login -method=ldap username=tstusr
Password (will be hidden):
Error authenticating: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/auth/ldap/login/tstusr
Code: 400. Errors:
* ldap operation failed
One more observation. When I go through the UI, in the LDAP config, the Bind Password remains blank despite several attempts to apply and save it through either the UI or CLI.
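The following is an added example, not part of the post above and not Vault's own code: a small Python model of the lookups the posted config drives, so the individual settings can be reasoned about one at a time. It models the bind identity built from upndomain, the user search filter built from userattr under userdn, the substitution of {{.UserDN}} into groupfilter, and the nested-membership semantics of the member:1.2.840.113556.1.4.1941:= clause (Active Directory's LDAP_MATCHING_RULE_IN_CHAIN rule). Values dropped into a filter are escaped per RFC 4515, which is what any correct backend must do to keep a username from altering the filter's structure. The in-memory directory is constructed for the example (shaped after the ldapsearch output, plus a hypothetical nested group "Vault Operators" that does not exist in the post); password verification and the actual network exchange are not modelled.

```python
"""Model of the lookups the posted Vault LDAP config drives (added example)."""

# Constructed sample directory, shaped after the ldapsearch output in the
# post: DN -> attribute map. "Vault Operators" is hypothetical and exists only
# to show how the matching-rule-in-chain OID resolves nested membership.
DIRECTORY = {
    "CN=SA tstuser,CN=Users,DC=tst,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["tstusr"],
    },
    "CN=Domain Admins,CN=Users,DC=tst,DC=com": {
        "objectClass": ["top", "group"],
        "cn": ["Domain Admins"],
        "member": ["CN=SA tstuser,CN=Users,DC=tst,DC=com"],
    },
    "CN=Vault Operators,CN=Users,DC=tst,DC=com": {  # hypothetical nested group
        "objectClass": ["top", "group"],
        "cn": ["Vault Operators"],
        "member": ["CN=Domain Admins,CN=Users,DC=tst,DC=com"],
    },
}

# Same settings as the posted `vault write auth/ldap/config` command.
CONFIG = {
    "userattr": "sAMAccountName",
    "userdn": "DC=tst,DC=com",
    "groupdn": "DC=tst,DC=com",
    "groupfilter": "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
    "groupattr": "cn",
    "upndomain": "tst.com",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a value placed inside a filter must not be able to
    change the filter's structure (e.g. via '*', '(' or ')')."""
    special = {"\\", "*", "(", ")", "\x00"}
    return "".join(f"\\{ord(c):02x}" if c in special else c for c in value)


def bind_upn(username: str, upndomain: str) -> str:
    """With upndomain set, the backend binds as <username>@<upndomain>."""
    return f"{username}@{upndomain}"


def user_search_filter(userattr: str, username: str) -> str:
    """Filter used to locate the user's entry under userdn."""
    return f"({userattr}={escape_filter_value(username)})"


def render_group_filter(template: str, user_dn: str, username: str) -> str:
    """Fills the {{.UserDN}} / {{.Username}} placeholders of groupfilter."""
    return (template.replace("{{.UserDN}}", escape_filter_value(user_dn))
                    .replace("{{.Username}}", escape_filter_value(username)))


def in_base(dn: str, base: str) -> bool:
    """Subtree scope check: is dn at or below base?"""
    return dn.lower().endswith(base.lower())


def find_user_dn(directory, userdn, userattr, username):
    """Subtree search under userdn for (userattr=username); must be unique."""
    matches = [dn for dn, attrs in directory.items()
               if in_base(dn, userdn) and username in attrs.get(userattr, [])]
    return matches[0] if len(matches) == 1 else None


def transitive_groups(directory, groupdn, user_dn, groupattr):
    """Emulates (member:1.2.840.113556.1.4.1941:=<dn>) under groupdn: the
    in-chain rule also returns groups that contain the user only indirectly."""
    names, seen, frontier = {}, set(), [user_dn]
    while frontier:
        member_dn = frontier.pop()
        for gdn, attrs in directory.items():
            if gdn in seen or not in_base(gdn, groupdn):
                continue
            if "group" in attrs.get("objectClass", []) and member_dn in attrs.get("member", []):
                seen.add(gdn)
                names[gdn] = attrs.get(groupattr, [gdn])[0]  # groupattr picks the name
                frontier.append(gdn)
    return sorted(names.values())


def resolve_login(directory, config, username):
    """Steps a backend takes before it can map groups to policies.
    Returns a dict describing the outcome (password checking is not modelled)."""
    result = {"bind_as": bind_upn(username, config["upndomain"]),
              "user_filter": user_search_filter(config["userattr"], username)}
    user_dn = find_user_dn(directory, config["userdn"], config["userattr"], username)
    if user_dn is None:
        result.update(ok=False, reason="no unique entry under userdn")
        return result
    result.update(ok=True, user_dn=user_dn,
                  group_filter=render_group_filter(config["groupfilter"], user_dn, username),
                  groups=transitive_groups(directory, config["groupdn"], user_dn, config["groupattr"]))
    return result


if __name__ == "__main__":
    for name in ("tstusr", "tst*", "nobody"):
        print(resolve_login(DIRECTORY, CONFIG, name))
```

Running it with "tstusr" shows the bind identity tstusr@tst.com, the filter (sAMAccountName=tstusr) under DC=tst,DC=com, the rendered groupfilter carrying the user's DN, and both the direct and the nested group; "tst*" is escaped to tst\2a and matches nothing, which is the intended outcome of filter escaping.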