AD Secrets Engine - Adding multiple service accounts to library

Hello,

I believe I found a bug with the AD secrets engine but before submitting I’d like to verify that my syntax is correct.

According to the docs here, I should be able to add two service accounts into this library for checkout. Ex:

vault write ad/library/netrunner-ro \
    service_account_names="runner-ro1@mydomain.local,runner-ro2@mydomain.local" \
    ttl=1h \
    max_ttl=10h \
    disable_check_in_enforcement=false

That matches the documentation example as far as I can tell. Unfortunately, whenever I enter more than a single service account I am presented with the error:

Error writing data to ad/library/netrunner-ro: Error making API request.

URL: PUT https://rh-vault:8201/v1/ad/library/netrunner-ro
Code: 500. Errors:

* 1 error occurred:
	* filter of map[userPrincipalName:[runner-ro2@mydomain.local]] doesn't match just one entry: [

Does anyone see something wrong with my syntax or should I submit this to GitHub issues?

Thank you kindly,

I have not tried the AD secrets engine yet, but that call seems suspect to me. 8201 is not a port that a service would call normally – at least it isn’t one that the other secrets engines use. That should read rh-vault:8200/v1 … I think. Check your configuration to make sure you didn’t use 8201 as your API address.

This error message appears to be truncated, is there more?

It also appears to be implying an LDAP search for userPrincipalName=runner-ro2@mydomain.local might have returned multiple results - check this using whichever general LDAP client you prefer.

Thanks everyone. Turns out the UPN didn’t match the sAMAccountName. Changing the fields in AD to match resolved the issue for me. This was an AD issue and not a Vault issue.
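
A pre-flight check for the condition discussed in this thread, added here as an example (it is not from any poster and is not Vault's own code): for each name intended for `service_account_names`, count how many directory entries a `userPrincipalName` filter would hit, and flag accounts whose sAMAccountName matches the name but whose UPN does not. It assumes the lookup is by `userPrincipalName` as the error message shows; the LDIF sample is constructed, and `parse_ldif` and `check_service_accounts` are hypothetical helper names.

```python
# Constructed sample: LDIF-style text such as a general LDAP client would
# return for the service-account OU. Entries and values are made up.
SAMPLE_LDIF = """\
dn: CN=runner-ro1,OU=Service,DC=mydomain,DC=local
sAMAccountName: runner-ro1
userPrincipalName: runner-ro1@mydomain.local

dn: CN=runner-ro2,OU=Service,DC=mydomain,DC=local
sAMAccountName: runner-ro2
userPrincipalName: svc-runner2@mydomain.local
"""

def parse_ldif(text):
    """Split simple LDIF (no line folding, no base64 values) into dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            entry.setdefault(key.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def check_service_accounts(names, entries):
    """Report, per name, how many entries a userPrincipalName filter matches."""
    report = {}
    for name in names:
        wanted = name.strip().lower()
        local = wanted.split("@", 1)[0]
        hits = [e for e in entries
                if wanted in (v.lower() for v in e.get("userprincipalname", []))]
        # Same sAMAccountName as the requested name, but a different UPN.
        mismatched = [e.get("dn", ["?"])[0] for e in entries
                      if local in (v.lower() for v in e.get("samaccountname", []))
                      and e not in hits]
        report[name] = {"matches": len(hits), "ok": len(hits) == 1,
                        "upn_mismatch_dns": mismatched}
    return report

if __name__ == "__main__":
    names = "runner-ro1@mydomain.local,runner-ro2@mydomain.local".split(",")
    for name, result in check_service_accounts(names, parse_ldif(SAMPLE_LDIF)).items():
        print(name, result)
```

Any name reported with `ok: False` would not resolve to exactly one entry, whether because nothing carries that UPN or because more than one entry does.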