It looks like AD secrets engine is always rotating the password irrespective of ttl set


sivan...@gmail.com

Mar 25, 2019, 7:55:22 PM
to Vault
Hi,

I used the following steps to configure the AD secrets engine as per the documentation:

1. vault secrets enable ad
2. vault write ad/config binddn=ad_account_01 bindpass=account_password url=ldaps://ad_url userdn="OU=Accounts,DC=xxxx,DC=yyyyy,DC=zzzzz,DC=com" insecure_tls=true ttl=86400 max_ttl=864000 (Note: max_ttl is 10 times more than ttl)
3. vault write ad/roles/account_02 service_account_name="ad_acc...@xxxx.yyyyy.zzzzz.com" ttl=86300 (Note: 100 seconds less than default ttl)
4. vault read ad/creds/account_02

Note:
1. I used version 1.1 of Vault
2. ad_account_01 has enough permission to rotate the password for ad_account_02
3. Created an AppRole that has required policy/capability to read/write the path ad/creds.
4. Attached this policy to a user testuser in userpass authentication
5. Whenever the testuser issues the command "vault read ad/creds/account_02", I can see the results as:

Key                 Value
---                 -----
current_password    ?@154mMQfatgXppPFzuhL8TFO5USgvGl66uoaic6h9AZnn8nPyfLQzzmSw+
username            ad_account_02

Key                 Value
---                 -----
current_password    ?@09AZhSnppTG6YrVTNnB0xkYdzfz9T/oYESdaW9GcA8e1qwgGYdvfRCy6W
username            svc_vault_test2

with different passwords. I observe that the current_password is getting different values every time. I am able to login to AD with the passwords. This means that vault is rotating the password for this account every time.

As per the documentation, the vault is supposed to rotate upon the expiry of the ttl and until then it needs to provide the old password.
Documentation excerpt: "The default password time-to-live in seconds. Once the ttl has passed, a password will be rotated the next time it's requested."

6. Tried the curl command; here is its output:
curl --header "X-Vault-Token:s.xxxxxxxxxxxxxxxxxx"  --request GET http://127.0.0.1:8200/v1/ad/creds/account_02

{
   "request_id":"d3b6c92c-9191-feb5-9dd7-cd8a54dc1298",
   "lease_id":"",
   "renewable":false,
   "lease_duration":0,
   "data":{
      "current_password":"?@09AZvnU29pnNrHwDX1ndeoEi76oBs9wKRKOPuZrSPMJpWkyt11Qt108fc",
      "username":"svc_vault_test2"
   },
   "wrap_info":null,
   "warnings":null,
   "auth":null
}

When I run the curl command again after a delay of a few seconds, I get

{
   "request_id":"4e442bea-bf5d-ae08-d83b-827ed511d9ea",
   "lease_id":"",
   "renewable":false,
   "lease_duration":0,
   "data":{
      "current_password":"?@09AZDKa/eLFBDSYtGyvLJp9F51CvaQ2M9T4M7qT4SSmP045L/zcQTOeYc",
      "username":"svc_vault_test2"
   },
   "wrap_info":null,
   "warnings":null,
   "auth":null
}

The passwords are different.

As per the documentation, I expect

{
  "current_password": "?@09AZnh4Q5N4O5zdLk/4F8aIMgsnpDM6te3Mz1wXcZEgZhOa6OR748F96",
  "last_password": "?@09AZSen9TzUwK7ZhafS7B0GuWGraQjfWEna5/tVaKFqjXhhGV/Z0v/pBJ",
  "username": "my-application"
}

There is a difference in output.
I tried with different versions of Vault (1.0, 1.1).
I tried with the root token also.

Am I missing anything here? 
Any help will be highly appreciated.

Thanks,
Siva
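A way to pin down the behaviour Siva describes, added here as an example (it is not the poster's code and not HashiCorp's): replay a series of reads of ad/creds/<role>, and flag every password change that happens sooner than the role's ttl after the previous change. The documented behaviour gives an empty list; the behaviour in the thread (a new password on every read a few seconds apart) gives one finding per read. The Vault address, token and role name are placeholders, and the two observation lists are constructed to mirror the two cases, not real Vault output.

```python
"""Detect an AD secrets engine that rotates on every read instead of per ttl.

Added example for this thread; not code from the poster or from HashiCorp.
It replays a series of reads of ad/creds/<role> and flags every password
change that occurs sooner than the role's ttl after the previous change.
"""
import json
import time
import urllib.request

# Placeholder connection details (assumptions, not values from the thread).
VAULT_ADDR = "http://127.0.0.1:8200"
VAULT_TOKEN = "s.xxxxxxxxxxxxxxxxxx"
ROLE = "account_02"
ROLE_TTL = 86300  # the ttl the poster set on ad/roles/account_02


def read_creds(vault_addr=VAULT_ADDR, token=VAULT_TOKEN, role=ROLE):
    """One GET /v1/ad/creds/<role>, the same call as the curl in the post.
    Returns the 'data' object (current_password, username, ...)."""
    req = urllib.request.Request(
        f"{vault_addr}/v1/ad/creds/{role}",
        headers={"X-Vault-Token": token},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["data"]


def observe(reads=3, delay=5.0, reader=read_creds):
    """Collect (unix_time, data) pairs from repeated live reads."""
    observations = []
    for _ in range(reads):
        observations.append((time.time(), reader()))
        time.sleep(delay)
    return observations


def unexpected_rotations(observations, ttl):
    """Return [(index, seconds_since_previous_change), ...] for every
    observation whose current_password differs from the previous one while
    fewer than `ttl` seconds have elapsed since the password last changed.

    An empty list means the engine behaved as documented for these reads:
    the password stayed stable until the ttl had passed.
    """
    findings = []
    last_pw = None
    changed_at = None
    for i, (ts, data) in enumerate(observations):
        pw = data["current_password"]
        if last_pw is None:
            last_pw, changed_at = pw, ts
            continue
        if pw != last_pw:
            elapsed = ts - changed_at
            if elapsed < ttl:
                findings.append((i, elapsed))
            last_pw, changed_at = pw, ts
    return findings


# Constructed sample matching the thread: three reads five seconds apart,
# a different password each time (values are placeholders, not real output).
ROTATING_EVERY_READ = [
    (1553558100, {"current_password": "pw-A", "username": "svc_vault_test2"}),
    (1553558105, {"current_password": "pw-B", "username": "svc_vault_test2"}),
    (1553558110, {"current_password": "pw-C", "username": "svc_vault_test2"}),
]

# Constructed sample of the documented behaviour: the password is stable
# across reads and only changes once the 86300 s role ttl has elapsed.
ROTATING_PER_TTL = [
    (1553558100, {"current_password": "pw-A", "username": "svc_vault_test2"}),
    (1553558105, {"current_password": "pw-A", "username": "svc_vault_test2"}),
    (1553558100 + 86400, {"current_password": "pw-B", "username": "svc_vault_test2"}),
]


if __name__ == "__main__":
    for name, obs in (("every read", ROTATING_EVERY_READ), ("per ttl", ROTATING_PER_TTL)):
        print(name, unexpected_rotations(obs, ROLE_TTL))
    # Against a live Vault (needs the placeholders above to be real):
    # print(unexpected_rotations(observe(), ROLE_TTL))
```

Run it against a live mount with `observe()` and a token that holds only read on ad/creds/<role>, so the check itself cannot touch ad/config or ad/roles. Separately, the posted config sets insecure_tls=true, which makes Vault skip verification of the LDAPS server certificate; that is acceptable in a lab but should not survive into a production config, since the bind password is then sent to whatever answers at ad_url.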

Becca Petrin

Mar 26, 2019, 12:00:55 PM
to Vault
Hi,

Thanks for opening this issue on Github here: https://github.com/hashicorp/vault/issues/6476

I'm going to take a look at it and respond on the issue.

-Becca


Sivakumar Nagarajan

Mar 26, 2019, 12:07:11 PM
to vault...@googlegroups.com
Hi Becca,

Thank you very much and appreciate it.

Thanks,
Siva
