LDAP Auth rotate-root failing with unsupported path

Hi folks. The documentation and various examples show that once the LDAP auth has been configured, it is possible to change the bind password using auth/ldap/rotate-root. There is no mention of any restrictions or limitations that I can find.

However, when I run vault write -f auth/ldap/rotate-root (with the root token) I get back an error (see below).
There is no information to indicate if the error is coming from Active Directory, or from Vault, so I have very little information to work off. 404 certainly implies the endpoint doesn’t exist - I would expect other codes if it was configuration or backend issues.

Error writing data to auth/ldap/rotate-root: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/auth/ldap/rotate-root
Code: 404. Errors:

* 1 error occurred:
        * unsupported path

vault auth list:

Path      Type     Accessor               Description                Version
----      ----     --------               -----------                -------
ldap/     ldap     auth_ldap_e385c3eb     n/a                        n/a
token/    token    auth_token_86c4a4f7    token based credentials    n/a

vault read auth/ldap/config:

Key                             Value
---                             -----
anonymous_group_search          false
binddn                          CN=vault-ldap,OU=Service Accounts,OU=myou,DC=test,DC=local
case_sensitive_names            false
certificate                     -----BEGIN CERTIFICATE-----<snip>-----END CERTIFICATE-----
connection_timeout              30
deny_null_bind                  true
dereference_aliases             never
disable_automated_rotation      false
discoverdn                      false
enable_samaccountname_login     false
groupattr                       cn
groupdn                         OU=groups,OU=myou,DC=test,DC=local
groupfilter                     (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecure_tls                    false
max_page_size                   0
password_policy                 n/a
request_timeout                 90
rotation_period                 0s
rotation_schedule               n/a
rotation_window                 0
starttls                        false
tls_max_version                 tls12
tls_min_version                 tls12
token_bound_cidrs               []
token_explicit_max_ttl          0s
token_max_ttl                   0s
token_no_default_policy         false
token_num_uses                  0
token_period                    0s
token_policies                  []
token_ttl                       0s
token_type                      default
upndomain                       test.local
url                             ldaps://dc1.test.local:636,ldaps://dc2.test.local:636
use_pre111_group_cn_behavior    false
use_token_groups                false
userattr                        userprincipalname
userdn                          OU=users,OU=myou,DC=test,DC=local
userfilter                      ({{.UserAttr}}={{.Username}})
username_as_alias               false

It should be vault write -f auth/ldap/config/rotate-root

Strange, the documentation is wrong and the API documentation doesn’t mention the endpoint at all. But the source reveals the path.

Thank you! That was it. I did raise it with my TAM yesterday, but not convinced they’ll remember to poke this to be changed :)

Now I’m getting an “insufficient access” error, but I think that's on my AD side so I’ll dig into that. Delegating “Change Password” to my Bind user into the user’s OU doesn’t seem to be enough.

Code: 500. Errors:

  * 1 error occurred:
        * LDAP Result Code 50 “Insufficient Access Rights”: 00002098: SecErr: DSID-031514B3, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
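The two errors in this thread come from different places, and telling them apart is the practical takeaway: "unsupported path" with a 404 is Vault's own router saying no handler exists for that path under the mount (the directory was never contacted), whereas the 500 carrying "LDAP Result Code 50" is the directory refusing an operation after a successful bind. The script below is an added example, not code from the thread or from HashiCorp: it builds the working endpoint (auth/<mount>/config/rotate-root) for any mount name, parses a Vault error body into a diagnosis that names the origin, and can issue the same PUT that `vault write -f` sends. The sample error bodies are reconstructed from the messages quoted above and the JSON wrapper `{"errors": [...]}` that the Vault HTTP API uses; the function and class names are my own.

```python
"""Added example: locate the LDAP auth rotate-root endpoint and classify Vault errors.
Not code from the thread or from HashiCorp; names below are the author's own."""
import json
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Optional

# go-ldap formats directory errors as: LDAP Result Code <n> "<name>": <server text>
# (the forum rendering curls the quotes, so both forms are accepted here)
LDAP_RESULT_RE = re.compile(r'LDAP Result Code (\d+) [“"]([^”"]+)[”"]')
# Active Directory appends its own detail, e.g. "problem 4003 (INSUFF_ACCESS_RIGHTS), data 0"
AD_SECERR_RE = re.compile(r'problem (\d+) \(([A-Z_]+)\)')


def rotate_root_path(mount: str = "ldap") -> str:
    """The endpoint that worked in the thread: config/rotate-root under the auth mount.
    auth/<mount>/rotate-root has no handler and yields 404 'unsupported path'."""
    return f"auth/{mount.strip('/')}/config/rotate-root"


@dataclass
class Diagnosis:
    origin: str                          # "vault" (routing/policy), "directory" (LDAP refused), or "ok"
    summary: str
    ldap_result_code: Optional[int] = None
    ad_problem: Optional[int] = None


def diagnose(status: int, errors: List[str]) -> Diagnosis:
    """Classify a Vault error by HTTP status plus the 'errors' list from its JSON body."""
    text = " ".join(errors)
    if status == 404 and "unsupported path" in text:
        return Diagnosis("vault", "no handler for this path; Vault never contacted the directory. "
                                  "Check the mount name and use auth/<mount>/config/rotate-root")
    if status == 403:
        return Diagnosis("vault", "permission denied: the token's policies do not cover this path")
    m = LDAP_RESULT_RE.search(text)
    if m:
        code, name = int(m.group(1)), m.group(2)
        ad = AD_SECERR_RE.search(text)
        problem = int(ad.group(1)) if ad else None
        detail = f" (AD problem {problem} {ad.group(2)})" if ad else ""
        return Diagnosis("directory",
                         f"bind succeeded but the directory refused the operation: "
                         f"LDAP result {code} {name}{detail}", code, problem)
    return Diagnosis("vault", f"HTTP {status}: {text.strip() or 'no error detail returned'}")


def rotate_root(vault_addr: str, token: str, mount: str = "ldap") -> Diagnosis:
    """Live call equivalent to `vault write -f auth/<mount>/config/rotate-root`.
    Sends PUT /v1/<path> with X-Vault-Token; failures are turned into a Diagnosis."""
    req = urllib.request.Request(f"{vault_addr.rstrip('/')}/v1/{rotate_root_path(mount)}",
                                 method="PUT", headers={"X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req) as resp:
            return Diagnosis("ok", f"rotated bind password (HTTP {resp.status})")
    except urllib.error.HTTPError as e:
        body = e.read().decode("utf-8", "replace")
        try:
            errors = json.loads(body).get("errors", [])
        except ValueError:           # non-JSON body, e.g. from a proxy in front of Vault
            errors = [body]
        return diagnose(e.code, errors)


# Constructed samples: the two error bodies quoted in the thread, as Vault's API returns them.
SAMPLE_404 = (404, ["1 error occurred:\n\t* unsupported path\n\n"])
SAMPLE_500 = (500, ['1 error occurred:\n\t* LDAP Result Code 50 "Insufficient Access Rights": '
                    '00002098: SecErr: DSID-031514B3, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\n\n'])

if __name__ == "__main__":
    print(rotate_root_path("ldap"))
    for status, errors in (SAMPLE_404, SAMPLE_500):
        d = diagnose(status, errors)
        print(f"{status}: [{d.origin}] {d.summary}")
```

Running the script offline prints the corrected path and one line per sample; against a live server, `rotate_root("https://127.0.0.1:8200", token)` performs the rotation and returns the same `Diagnosis` shape on failure, so the AD-side error in the last post shows up as origin "directory" with result code 50 and AD problem 4003, which is the cue to look at the bind account's rights in the directory rather than at Vault.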