LDAP debug and odd error


David Busby
Jul 5, 2016, 7:15:37 AM
to Vault
Hello All,

So in my continued effort to produce a Vault PoC deployment I'm tackling LDAP integration.

However I have run into an oddity and would appreciate it if someone could let me know if there are any settings changes I can make to enable debug logs?

Created groups:

vault write auth/ldap/groups/administrator policies=administrator 

Success! Data written to: auth/ldap/groups/administrator


Assigned user to the group:

vault write auth/ldap/users/david...@domain.tld groups=administrator 

Success! Data written to: auth/ldap/users/david...@domain.tld


And attempted authentication:

VAULT_ADDR=https://domain.tld:8200 vault auth -method=ldap username=david...@domain.tld

Password (will be hidden): 

Error making API request.


URL: PUT https://domain.tld:8200/v1/auth/ldap/login/david...@domain.tld

Code: 400. Errors:


* invalid character '<' looking for beginning of value


Audit logs:

{"time":"2016-07-05T11:04:53Z","type":"response","error":"","auth":{"display_name":"","policies":null,"metadata":null},"request":{"operation":"update","client_token":"","path":"auth/ldap/login/david...@domain.tld","data":{"password":"hmac-sha256:8522******"},"remote_address":"86.168.***.***"},"response":{"secret":null,"data":{"error":"hmac-sha256:7bba******"},"redirect":""}} 

 
I'd appreciate any help you can give here and/or any direction on how to enable some sort of debug logging to further diagnose the issue.

Cheers

David

David Busby
Jul 5, 2016, 7:18:21 AM
to Vault
Vault version is 0.5.3; perhaps an upgrade is needed ?


David Busby
Jul 5, 2016, 8:22:07 AM
to Vault
Performed a rolling upgrade to vault 0.6.0 and received a new error message ...

PUT .../v1/auth/ldap/login/david...@domain.tld
Code: 400. Errors:
* LDAP fetch of distinguishedName=cn=david...@domain.tld,cn=email,ou=users,dc=****,dc=****,dc=com failed: LDAP Result Code 80 "Other": Other

Jeff Mitchell
Jul 5, 2016, 10:21:04 AM
to vault...@googlegroups.com
Hi David,

It's hard to say what might be going on without any sort of idea of
your configuration. The last error message suggests that logs from
your LDAP server might be useful as well...80 is defined as "This
indicates that some problem was encountered during processing that is
not covered by any of the other defined result codes (e.g., a server
error)."

Feel free to share your configuration and I can look and see if
anything jumps out about it.

Best,
Jeff


David Busby
Jul 5, 2016, 10:25:20 AM
to Vault
Hi Jeff,

Configuration follows; some details have been changed for privacy, but largely the config has been left intact:

vault read auth/ldap/config

Key          Value
---          -----
binddn
bindpass
certificate
discoverdn   false
groupdn
insecure_tls false
starttls     true
upndomain
url          ldaps://lprovider_domain.tld:636
userattr     cn
userdn       cn=email,ou=users,dc=domain,dc=provider_domain,dc=com


 
The provider_domain logs indicate successful login to LDAP, fwiw.

Cheers

David


Jeff Mitchell
Jul 5, 2016, 12:10:47 PM
to vault...@googlegroups.com
On Tue, Jul 5, 2016 at 10:25 AM, David Busby <david...@percona.com> wrote:
>> vault read auth/ldap/config
>>
>> Key          Value
>> ---          -----
>> binddn
>> bindpass
>> certificate
>> discoverdn   false
>> groupdn
>> insecure_tls false
>> starttls     true
>> upndomain
>> url          ldaps://lprovider_domain.tld:636
>> userattr     cn
>> userdn       cn=email,ou=users,dc=domain,dc=provider_domain,dc=com
>
> The provider_domain logs indicate successful login to LDAP, fwiw.

That's not necessarily indicative; you're using anonymous login here
but often that doesn't then let you reauthenticate as a different
user. It's really pretty uncommon *not* to require a binddn/bindpass.

There's also no information here about how Vault should search for
groups -- groupdn isn't set, etc.

I'd recommend ensuring that you can successfully find parameters that
work with ldapsearch from the command line to log in, authenticate as
the given user, and return a set of groups. You can see the logic, and
the filters that Vault uses, here:
https://github.com/hashicorp/vault/blob/master/builtin/credential/ldap/backend.go#L215

Best,
Jeff

David Adams
Jul 5, 2016, 2:08:26 PM
to vault...@googlegroups.com
Your userdn looks suspicious to me: `cn=email,ou=users,dc=domain,dc=provider_domain,dc=com`.

Your error message indicated that `distinguishedName=cn=david...@domain.tld,cn=email,ou=users,dc=****,dc=****,dc=com` is an invalid DN. It's unusual to have two `cn=` fields in a DN, so I am guessing if you take out the leading `cn=email,` that it may work for you. In other words, in the Vault config for that auth provider, you would want `userdn` to be set to `ou=users,dc=domain,dc=provider_domain,dc=com`.

Hope this is helpful.

-dave
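The two checks suggested in the replies above, Jeff's "find ldapsearch parameters that bind, fetch the user and return groups" and David Adams's look at the shape of the DN Vault built, as one added example that is not part of the thread and is not Vault's own code. It prints the ldapsearch commands that mirror the lookups Vault's LDAP backend performs when discoverdn is false and no binddn is set (bind as the user, read the user's entry, then search for groups that list the user), and it shows the escaping a username needs before it is placed in a DN or a search filter, since the username arrives on the login endpoint and is untrusted input. The URL, the base DNs, the group base ou=groups,..., and the member/uniqueMember/memberUid attributes are assumptions, not values from the original post; override them with the environment variables at the top.

```sh
#!/bin/sh
# Added example, not code from the thread or from Vault itself.
# Reproduces, as plain ldapsearch invocations, the lookups Vault makes with
# discoverdn=false and no binddn, so a config can be checked outside Vault.
#
# Assumed (not taken from the original post): the URL and base DNs below,
# that groups live under GROUPDN, and that they name members via
# member / uniqueMember / memberUid.  Override any of them via env vars.
LDAP_URL="${LDAP_URL:-ldaps://provider_domain.tld:636}"
USERDN="${USERDN:-ou=users,dc=domain,dc=provider_domain,dc=com}"
USERATTR="${USERATTR:-cn}"
GROUPDN="${GROUPDN:-ou=groups,dc=domain,dc=provider_domain,dc=com}"

# RFC 4515 escaping for a value embedded in a search filter.  The username is
# attacker-controlled at the login endpoint, so '\', '*', '(' and ')' must
# become \5c \2a \28 \29, otherwise the filter's meaning can be changed.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# RFC 4514 escaping for an attribute value used inside an RDN (cn=<value>,...).
ldap_dn_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/,/\\,/g' -e 's/+/\\+/g' \
        -e 's/"/\\"/g' -e 's/</\\</g' -e 's/>/\\>/g' -e 's/;/\\;/g'
}

# With discoverdn=false the user DN is built rather than searched for:
# "<userattr>=<username>,<userdn>".  This is the DN that shows up in the
# "LDAP fetch of distinguishedName=..." error in the thread.
user_dn() {
    printf '%s=%s,%s\n' "$USERATTR" "$(ldap_dn_escape "$1")" "$USERDN"
}

# Filter that would locate the same entry by searching under USERDN.
user_filter() {
    printf '(%s=%s)\n' "$USERATTR" "$(ldap_filter_escape "$1")"
}

# Filter for groups naming the user's DN (or bare username) as a member.
group_filter() {
    dn="$(ldap_filter_escape "$(user_dn "$1")")"
    uid="$(ldap_filter_escape "$1")"
    printf '(|(member=%s)(uniqueMember=%s)(memberUid=%s))\n' "$dn" "$dn" "$uid"
}

# Number of RDNs in a DN, treating an escaped comma as part of a value.
# Useful to eyeball the DN Vault built: "cn=user,cn=email,ou=users,..." has
# two leading cn= components, the shape David Adams flagged as suspicious.
dn_rdn_count() {
    printf '%s\n' "$1" | sed -e 's/\\,/_/g' | awk -F',' '{ print NF }'
}

# Print the ldapsearch commands to run by hand (-W prompts for the password).
# Step 1 fails where Vault fails if the bind or the base-scope read of the
# entry is rejected; step 2 must return at least one group for Vault to have
# anything to map to a policy.
vault_ldap_probe() {
    dn="$(user_dn "$1")"
    printf '# 1. bind as the user and read the entry Vault fetches\n'
    printf "ldapsearch -H '%s' -x -D '%s' -W -b '%s' -s base '(objectClass=*)'\n" \
        "$LDAP_URL" "$dn" "$dn"
    printf '# 2. groups that list the user as a member\n'
    printf "ldapsearch -H '%s' -x -D '%s' -W -b '%s' '%s' cn\n" \
        "$LDAP_URL" "$dn" "$GROUPDN" "$(group_filter "$1")"
}

if [ -n "${1:-}" ]; then
    vault_ldap_probe "$1"
fi
```

Run it as `sh probe.sh 'david.busby@domain.tld'`, paste the two printed commands into a shell on a host that can reach the directory, and compare the results with Vault's error: if step 1 returns a bind failure or a result code such as 80, the problem is between the constructed DN and the server, not in Vault's policy mapping; if step 1 succeeds but step 2 returns no entries, set groupdn (and check which member attribute your directory uses) before expecting Vault to hand out policies. The separate DN and filter escaping matters for the same reason Jeff gives for testing outside Vault: the username is the only user-controlled string in the exchange, and a value containing a comma or a parenthesis must stay a single RDN value or a single filter assertion.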