Ldap auth issue with domain admins group member unable to access secret engine

I seem to have an odd issue and am wondering if anyone else has seen anything like this…

I have a kv secret engine that I'd like to grant access to the "domain admins" group, so I created a policy granting all rights to that engine, then ran:

vault write "auth/ldap/groups/domain admins" policies=my-policy

This seemed to have worked OK, worked for me, worked for my colleague, didn’t work for another colleague. Worked for one colleague in a different site, but not another!

I enabled auditing, but that hasn’t helped. I can see the default policy and my-policy against my account, but not for one that doesn’t work.

I looked at the Windows security groups in case of some kind of inheritance issues, but nothing there.

A thought just occurred: Is there a limit to the number of users/policies/groups in the free version?
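Since the audit device is already enabled, one way to make the working/non-working comparison concrete is to pull each account's login response out of the audit log and diff the policies the issued token actually carries, along with the auth mount the login went through. The script below is an added example and is not code from anyone in this thread or from HashiCorp; the audit field names it reads (`type`, `request.path`, `auth.token_policies`, `auth.policies`, `auth.metadata.username`) are the ones a Vault file audit device writes, while the usernames, mount names and policy lists in the sample lines are constructed for the example.

```python
import json
import re

# Constructed sample lines from a Vault file audit device (one JSON object per
# line). Field names match Vault's audit format; all values are invented.
SAMPLE_AUDIT_LINES = [
    '{"type":"response","auth":{"display_name":"ldap-alice",'
    '"policies":["default","my-policy"],"token_policies":["default","my-policy"],'
    '"metadata":{"username":"alice"}},'
    '"request":{"path":"auth/ldap/login/alice","operation":"update"}}',
    '{"type":"response","auth":{"display_name":"ldap-bob",'
    '"policies":["default"],"token_policies":["default"],'
    '"metadata":{"username":"bob"}},'
    '"request":{"path":"auth/ldap/login/bob","operation":"update"}}',
    # A user who logged in through a different auth mount entirely.
    '{"type":"response","auth":{"display_name":"userpass-carol",'
    '"policies":["default"],"token_policies":["default"],'
    '"metadata":{"username":"carol"}},'
    '"request":{"path":"auth/userpass/login/carol","operation":"update"}}',
    # A non-login entry (a secret read); the parser ignores it.
    '{"type":"request","auth":{"display_name":"ldap-alice","policies":["default","my-policy"]},'
    '"request":{"path":"secret/data/app","operation":"read"}}',
]

# Login responses are written against auth/<mount>/login/<user>.
LOGIN_PATH = re.compile(r"^auth/(?P<mount>[^/]+)/login/(?P<user>[^/]+)$")


def parse_logins(lines):
    """Return {username: {"mount": ..., "policies": [...]}} for every login
    response in the audit stream. A later login for the same user overwrites
    an earlier one, so the result reflects the most recent token issued."""
    logins = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or garbled lines rather than abort
        if entry.get("type") != "response":
            continue  # the request half of a login carries no token policies
        match = LOGIN_PATH.match((entry.get("request") or {}).get("path", ""))
        if not match:
            continue
        auth = entry.get("auth") or {}
        # token_policies is what the issued token carries; fall back to
        # policies for older audit entries that lack the newer field.
        policies = auth.get("token_policies") or auth.get("policies") or []
        user = (auth.get("metadata") or {}).get("username") or match.group("user")
        logins[user] = {"mount": match.group("mount"), "policies": sorted(policies)}
    return logins


def compare_logins(logins, working, broken):
    """Diff a working account's login against a non-working one: which auth
    mount each went through and which policies the broken account lacks."""
    ok, bad = logins.get(working), logins.get(broken)
    if ok is None or bad is None:
        missing = [u for u in (working, broken) if u not in logins]
        return {"error": "no login response found for: " + ", ".join(missing)}
    return {
        "same_auth_mount": ok["mount"] == bad["mount"],
        "working_mount": ok["mount"],
        "broken_mount": bad["mount"],
        "missing_policies": sorted(set(ok["policies"]) - set(bad["policies"])),
        "extra_policies": sorted(set(bad["policies"]) - set(ok["policies"])),
    }


if __name__ == "__main__":
    # On a real system: parse_logins(open("/var/log/vault_audit.log")) (path assumed).
    found = parse_logins(SAMPLE_AUDIT_LINES)
    for user in ("bob", "carol"):
        print(user, compare_logins(found, "alice", user))
```

`parse_logins` accepts any iterable of lines, so an open audit file can be passed directly. A result where `same_auth_mount` is false points at the "are they really logging in with LDAP" question; a result where the mount matches but `missing_policies` still lists the group's policy narrows the problem to the LDAP group lookup for that account rather than to the policy itself.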

No limits on the community edition - if it's available it's functional.

On the specific problem you're facing - what does your LDAP auth method config look like? Is it possible some LDAP attribute you're using is not available on their accounts? Do you have more than one auth method, and have you verified they are logging in with LDAP and not, say (for example), userpass? What version of Vault are you running?


I’m running v1.15.6. Probably should upgrade it, but hey, it works. Mostly. I probably need to do a bit more troubleshooting. If only I had time.

Well the good news - you have accounts that work, and accounts that don’t work so you have something to compare as long as the working/non-working accounts stay consistent in that behavior.

If you can get an error from your Vault logs, might be able to narrow that down further. For example