LDAP auth backend: user is not a member of any authorized group


George Nychis

Aug 22, 2016, 6:20:55 PM
to Vault, japk...@gmail.com
Vault Team,

We are trying to use and learn the LDAP auth backend to authenticate a user, following the guide found here:


We are using the example LDAP server at this URL: ldap://ldap.forumsys.com, which at one point in time was in the documentation as an example also.

We are trying to authenticate a user found in that LDAP server, for example, einstein.  According to ldapsearch einstein belongs to the "scientists" group:

# scientists, example.com
dn: ou=scientists,dc=example,dc=com
uniqueMember: uid=einstein,dc=example,dc=com
uniqueMember: uid=galieleo,dc=example,dc=com
uniqueMember: uid=tesla,dc=example,dc=com
uniqueMember: uid=newton,dc=example,dc=com
ou: scientists
cn: Scientists
objectClass: groupOfUniqueNames
objectClass: top
After running the following commands, einstein is unable to be authenticated:

set VAULT_ADDR=http://127.0.0.1:8200

vault auth-enable ldap

vault write auth/ldap/config url="ldap://ldap.forumsys.com" \
   binddn='cn=read-only-admin,dc=example,dc=com' \
   bindpass='password' \
   userdn='dc=example,dc=com' \
   userattr='uid' \
   groupfilter='(uniqueMember={{.UserDN}})' \
   groupdn='dc=example,dc=com' \
   groupattr='memberOf'

vault write auth/ldap/groups/scientists policies=foo

vault auth -method=ldap username=einstein

The following error message comes up:

Code: 400. Errors:

* user is not a member of any authorized group

Is there a step that we are missing?  We thought that giving group scientists some policy would allow us to authenticate einstein.  This is running vault 0.6.1 cleanly with: "./vault.exe server -dev"

Any help would be greatly appreciated.

Thanks!
George

Jeff Mitchell

Aug 22, 2016, 8:14:05 PM
to vault...@googlegroups.com, japk...@gmail.com
Hi George,

The issue is your specified "groupattr". The forumsys LDAP server
doesn't use "memberOf". You can either remove that config parameter
entirely, or change it to "cn". Either will work!

Best,
Jeff

George Nychis

Aug 23, 2016, 8:58:32 AM
to Vault, japk...@gmail.com
Thanks for your response, Jeff!

I tried to drop the "groupattr" parameter as well as change it to "cn", but both attempts result in the same "* user is not a member of any authorized group" error.

Best,
George

Jeff Mitchell

Aug 23, 2016, 9:37:12 AM
to vault...@googlegroups.com, Jacob Apkon
Hi George,

I forgot, there's also one additional bit. One part of your problem is
the groupattr parameter; the other part is that in the group on the
forumsys website the group name is actually 'Scientists', not
'scientists' -- and case matters!

I'll update the LDAP docs to reflect this. Sorry for the confusion!

Best,
Jeff

Jeff Mitchell

Aug 23, 2016, 9:42:19 AM
to vault...@googlegroups.com
Hi George,

Alternately, you can specify the groupattr to be 'ou', which will
cause scientists (lower case) to work. I noticed in your output above
that the cn value is 'Scientists' while the ou value is 'scientists'.

Best,
Jeff
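To make Jeff's three replies concrete, here is an added Python simulation (not Vault's code and not from the thread) of the group-resolution steps the LDAP backend performs: render the groupfilter template with the bound user's DN, search the entries under groupdn, read groupattr from each matching group entry, and look the resulting names up in the groups registered with "vault write auth/ldap/groups/<name>". The group entries are constructed from the ldapsearch output George posted (plus a second, constructed group); the filter evaluator handles only the single equality filter used in this thread, and the name lookup is case-sensitive, as the thread describes for Vault 0.6.1.

```python
"""Offline model of Vault LDAP group resolution (added example, not Vault's code)."""
import re

# Constructed from the ldapsearch output in the thread; the second group is invented
# to show that only groups the user actually belongs to are considered.
SAMPLE_LDIF = """\
dn: ou=scientists,dc=example,dc=com
uniqueMember: uid=einstein,dc=example,dc=com
uniqueMember: uid=galieleo,dc=example,dc=com
uniqueMember: uid=tesla,dc=example,dc=com
uniqueMember: uid=newton,dc=example,dc=com
ou: scientists
cn: Scientists
objectClass: groupOfUniqueNames
objectClass: top

dn: ou=mathematicians,dc=example,dc=com
uniqueMember: uid=euclid,dc=example,dc=com
ou: mathematicians
cn: Mathematicians
objectClass: groupOfUniqueNames
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attr: [values]} dicts (multi-valued attrs kept)."""
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def render_filter(template, user_dn):
    """Vault substitutes the Go-template placeholder {{.UserDN}} with the user's DN."""
    return template.replace("{{.UserDN}}", user_dn)


def matches_filter(entry, ldap_filter):
    """Evaluate only the simple equality form '(attr=value)' used in this thread."""
    m = re.fullmatch(r"\((\w+)=(.+)\)", ldap_filter)
    if not m:
        raise ValueError("only a single equality filter is supported in this example")
    attr, value = m.groups()
    return value in entry.get(attr, [])


def in_subtree(dn, base_dn):
    """A DN is in the search scope when it ends with the configured base DN."""
    return dn.lower().endswith(base_dn.lower())


def resolve_user_groups(entries, config, user_dn):
    """Return the group names Vault would extract for user_dn under this config."""
    ldap_filter = render_filter(config["groupfilter"], user_dn)
    names = []
    for entry in entries:
        if not in_subtree(entry["dn"][0], config["groupdn"]):
            continue
        if not matches_filter(entry, ldap_filter):
            continue
        # groupattr is read from each matched entry; a missing attribute yields no name,
        # which is exactly what happens with memberOf on the forumsys server.
        names.extend(entry.get(config["groupattr"], []))
    return names


def authorized_policies(group_names, group_policy_map):
    """Case-sensitive lookup of extracted names against registered groups; empty means login denied."""
    policies = []
    for name in group_names:
        policies.extend(group_policy_map.get(name, []))
    return policies


def login_outcome(groupattr, group_policy_map=None):
    """Simulate einstein's login for a given groupattr; returns (extracted names, granted policies)."""
    config = {
        "groupfilter": "(uniqueMember={{.UserDN}})",
        "groupdn": "dc=example,dc=com",
        "groupattr": groupattr,
    }
    if group_policy_map is None:
        group_policy_map = {"scientists": ["foo"]}  # vault write auth/ldap/groups/scientists policies=foo
    entries = parse_ldif(SAMPLE_LDIF)
    groups = resolve_user_groups(entries, config, "uid=einstein,dc=example,dc=com")
    return groups, authorized_policies(groups, group_policy_map)


if __name__ == "__main__":
    for attr in ("memberOf", "cn", "ou"):
        groups, policies = login_outcome(attr)
        verdict = "ok" if policies else "user is not a member of any authorized group"
        print(f"groupattr={attr!r}: groups={groups} policies={policies} -> {verdict}")
```

Running the block prints the three outcomes from the thread: memberOf extracts no name at all, cn extracts "Scientists" which does not match the registered "scientists", and ou extracts "scientists" and grants the foo policy. Registering the group as "Scientists" makes the cn variant work too. Newer Vault releases normalize group names to lower case unless case_sensitive_names is set, so on a current server the cn mismatch would not occur, but the groupattr mismatch still would.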

George Nychis

Aug 23, 2016, 10:24:28 AM
to Vault
Ah-ha!  That worked!  Thanks for the help, Jeff!  This functionality will be extremely useful to us.  

Best,
George