Active Directory Custom Password Policy error 500

I am trying to set a custom password policy with the AD secret engine on Vault v1.5.3 but am getting error 500 "cannot set password_policy and either length or formatter".
Based on the code and documentation, formatter is deprecated in this version.

vault write ad/config \
    binddn='CN=svc-user,OU=Users,DC=abc,DC=com' \
    bindpass='p@ssw0rd' \
    url=ldaps://LDAP.abc.com \
    userdn='dc=abc,dc=com' \
    insecure_tls=true \
    password_policy="password-policy"

Error writing data to ad/config: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/ad/config
Code: 500. Errors:

* 1 error occurred:
    * cannot set password_policy and either length or formatter

$ vault read sys/policies/password/password-policy
Key       Value
---       -----
policy    length = 20

rule "charset" {
  charset = "abcdefghijklmnopqrstuvwxyz"
  min-chars = 1
}
rule "charset" {
  charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  min-chars = 1
}
rule "charset" {
  charset = "0123456789"
  min-chars = 2
}
rule "charset" {
  charset = "!@#$%^&*"
  min-chars = 2
}
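As an added example (not from this thread and not Vault's own code), a small Python script that parses the charset policy shown above and checks or generates a password against it; treating `length` as an exact requirement and generating by rejection sampling are my assumptions about how such a policy is applied, not Vault's implementation.

```python
import re
import secrets

# Constructed copy of the policy from the thread, one rule per line to keep it short.
POLICY_HCL = """
length = 20
rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }
rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }
rule "charset" { charset = "0123456789" min-chars = 2 }
rule "charset" { charset = "!@#$%^&*" min-chars = 2 }
"""

_RULE_RE = re.compile(
    r'rule\s+"charset"\s*\{\s*charset\s*=\s*"([^"]*)"\s*min-chars\s*=\s*(\d+)\s*\}')


def parse_policy(hcl):
    """Return (length, [(charset, min_chars), ...]) parsed from the policy text."""
    m = re.search(r"^\s*length\s*=\s*(\d+)", hcl, re.MULTILINE)
    if not m:
        raise ValueError("policy has no length setting")
    rules = [(cs, int(n)) for cs, n in _RULE_RE.findall(hcl)]
    return int(m.group(1)), rules


def violations(password, length, rules):
    """List every requirement the password fails; an empty list means it complies.
    Assumption: Vault generates exactly `length` characters, so length is checked as equality."""
    problems = []
    if len(password) != length:
        problems.append(f"length {len(password)} != {length}")
    for charset, min_chars in rules:
        got = sum(1 for c in password if c in charset)
        if got < min_chars:
            problems.append(f"need {min_chars} from {charset!r}, got {got}")
    return problems


def generate(length, rules, attempts=1000):
    """Draw candidates from the union of the charsets until one satisfies every rule
    (rejection sampling; an assumption about the approach, not Vault's code)."""
    alphabet = "".join(sorted({c for cs, _ in rules for c in cs}))
    for _ in range(attempts):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not violations(candidate, length, rules):
            return candidate
    raise RuntimeError("no candidate satisfied the policy; it may be unsatisfiable")


if __name__ == "__main__":
    length, rules = parse_policy(POLICY_HCL)
    print(generate(length, rules))
```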

Hello,

Would you try adding the length parameter? I know it does not sound logical, but like this:

vault write ad/config \
    binddn='CN=svc-user,OU=Users,DC=abc,DC=com' \
    bindpass='p@ssw0rd' \
    url=ldaps://LDAP.abc.com \
    userdn='dc=abc,dc=com' \
    insecure_tls=true \
    password_policy="password-policy" \
    length=0

Kind regards,
Martin

Thank you, Martin. I noticed there was a fix in v1.6.0 for password policy.
After upgrading to that version, the custom password policy is working.
