Can't rotate password since 1.15.5

Hello!

In a Vault Windows cluster, since upgrading from 1.15.4 to 1.15.5, we are unable to rotate Active Directory passwords anymore.

We are getting the following error:

"errors": [
"1 error occurred:\n\t* unable to finish rotating credentials; retries will continue in the background but it is also safe to retry manually: LDAP Result Code 201 "Filter Compile Error": ldap: invalid characters for escape in filter: encoding/hex: invalid byte: U+002C ','\n\n"

Nothing was changed in the settings during the update.

The user and group filters are the default ones. There are no ‘,’ in them.

We do have several Active Directory servers specified. Using only 1 and thus removing the commas didn’t change the problem.

We tried to enable logs with >> log.txt 2>&1 but no error is logged.

We were unable to pinpoint the source of the error.
How can I debug my problem?

Thank you!
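The error text quoted in the post above can be reproduced outside Vault: RFC 4515 requires every backslash in an LDAP search filter to be followed by two hex digits, and Go's `encoding/hex` reports a comma in that position as `invalid byte: U+002C ','`. The Go check below is an added example, not part of the original post and not Vault or go-ldap code; the DN and filters are constructed samples, and `CheckFilterEscapes` and `EscapeFilterValue` are hypothetical helper names.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// EscapeFilterValue encodes a value for use inside an LDAP search filter
// (RFC 4515): backslash, '*', '(', ')' and NUL become \XX hex pairs.
func EscapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// CheckFilterEscapes returns an error for the first backslash in filter
// that is not followed by two hex digits, and nil if every escape is valid.
func CheckFilterEscapes(filter string) error {
	for i := 0; i < len(filter); i++ {
		if filter[i] != '\\' {
			continue
		}
		if i+2 >= len(filter) {
			return fmt.Errorf("offset %d: missing characters for escape", i)
		}
		if _, err := hex.DecodeString(filter[i+1 : i+3]); err != nil {
			return fmt.Errorf("offset %d: invalid escape %q: %w", i, filter[i:i+3], err)
		}
		i += 2 // skip the two hex digits just validated
	}
	return nil
}

func main() {
	// Constructed sample (assumption, not from the post): a DN whose RDN value
	// contains a comma, written with DN-style escaping (\,).
	dn := `CN=Doe\, John,OU=Users,DC=example,DC=com`
	raw := "(member=" + dn + ")"                     // DN pasted into the filter as-is
	safe := "(member=" + EscapeFilterValue(dn) + ")" // backslash encoded as \5c
	fmt.Println(raw, "->", CheckFilterEscapes(raw))
	fmt.Println(safe, "->", CheckFilterEscapes(safe))
}
```

Running the same check over the configured filters and over any DN or username value that gets substituted into them shows which string carries a backslash followed by a non-hex character.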

If you’re an enterprise customer, then I’d suggest opening a case with HashiCorp Support.

Otherwise I’d suggest opening an issue in Vault’s GitHub issues:

In either case, it may be necessary to collect and review the debug logs:

Depending on your logging configuration the debug logs may contain sensitive information. Thoroughly review the logs before posting them anywhere untrusted.

ETA: Looks like you already created a GitHub issue: 1.15.5 regression : can't rotate Active Directory credentials anymore · Issue #25249 · hashicorp/vault · GitHub