Unable to map Active Directory service account to Hashicorp vault AD secrets engine


Ahladh

Jan 29, 2019, 2:55:15 AM
to Vault

When I enable and add the AD configuration and then try to map a service account in Active Directory, I get an error saying "Network ERROR".

$ vault write ad/config binddn=$USERNAME bindpass=$PASSWORD url=ldaps://ahladh.tk userdn='dc=ahladh,dc=tk'
Success! Data written to: ad/config

$ vault write ad/roles/poc.test service_account_name="poc....@ahladh.tk"

Error writing data to ad/roles/poc.test: Error making API request.

URL: PUT http://52.4.126.19:8200/v1/ad/roles/poc.test
Code: 500. Errors:

  • 1 error occurred:
    * error connecting to host "ldaps://ahladh.tk": LDAP Result Code 200 "Network Error": read tcp 10.0.1.15:52986->35.18.1.2:636: read: connection reset by peer

I already have an SSL certificate installed in Active Directory.

Is it necessary to have an SSL certificate installed on Vault? If so, can anyone help me with the configuration?

Could someone crack this? Thanks in advance.

Becca Petrin

Jan 29, 2019, 7:58:52 PM
to Vault
Hi Ahladh,

Hm, interesting, that's a new one. To me, when I see "connection reset by peer" it often means that the server at the URL I'm trying to reach either isn't reachable from my local machine, or is reachable but is overwhelmed by traffic. Can you reach that server and verify it's serving LDAP without going through the Active Directory secrets backend?

Thanks,
Becca

Ahladh

Jan 30, 2019, 3:55:39 AM
to Vault
Thank you Becca for the response!!!

I am able to ping the Active Directory machine from where the Vault server is hosted. I even verified that port 636 is reachable.

Carlos Vitor Barros

Jan 30, 2019, 5:29:53 AM
to vault...@googlegroups.com
Is it using TLS by any chance?

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.

Ahladh

Jan 30, 2019, 5:33:21 AM
to Vault
No, I didn't configure it yet.

Brian Kassouf

Jan 30, 2019, 11:57:18 AM
to vault...@googlegroups.com
Hi,

Could you try setting the CA certificate when configuring the backend via "ad/config"? https://www.vaultproject.io/api/secret/ad/index.html#connection-parameters

Best,
Brian
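A small diagnostic, added here as an example (it is not from the thread or from Vault), that separates the checks the replies ask for: TCP reachability of port 636, then a verified TLS handshake using the CA file Brian suggests supplying to ad/config. The host `ahladh.tk` comes from the original post; the ca.pem path and the script name are assumptions.

```python
import socket
import ssl
import sys


def classify_failure(exc):
    """Map the exception from one connection stage to an actionable diagnosis."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls_cert_rejected"        # CA mismatch: the CA given to Vault must sign this cert
    if isinstance(exc, ssl.SSLError):
        return "tls_handshake_failed"     # protocol/cipher mismatch, or the port is not speaking TLS
    if isinstance(exc, ConnectionResetError):
        return "reset_during_tls"         # TCP accepted, then the peer dropped us: the thread's symptom
    if isinstance(exc, ConnectionRefusedError):
        return "port_closed"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered_or_unreachable"
    if isinstance(exc, socket.gaierror):
        return "dns_failure"
    return "other: " + exc.__class__.__name__


def probe_ldaps(host, port=636, ca_file=None, timeout=5.0):
    """Return (stage_reached, diagnosis); stages are 'tcp', 'tls', 'done'."""
    # Default context verifies the chain and hostname, as Vault does when given a CA.
    ctx = ssl.create_default_context(cafile=ca_file)
    stage = "tcp"
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
        stage = "tls"
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = dict(pair[0] for pair in tls.getpeercert()["subject"])
            return "done", f"{tls.version()} ok, server cert CN={subject.get('commonName')}"
    except (OSError, ssl.SSLError) as exc:
        return stage, classify_failure(exc)


if __name__ == "__main__":
    # Hypothetical usage: python probe_ldaps.py ahladh.tk /path/to/ca.pem
    target = sys.argv[1] if len(sys.argv) > 1 else "ahladh.tk"
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(probe_ldaps(target, ca_file=ca))
```

A `tls` stage result of `reset_during_tls` reproduces the error in the first post outside Vault, while `tls_cert_rejected` is the case Brian's suggestion fixes; once the probe reaches `done` against ca.pem, the same file is what the `certificate` parameter of ad/config expects (for example `certificate=@ca.pem`).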
