Hi folks. The documentation and various examples show that once the LDAP auth has been configured, it is possible to change the bind password using `auth/ldap/rotate-root`. There is no mention of any restrictions or limitations that I can find.
However, when I run `vault write -f auth/ldap/rotate-root` (with the root token) I get back an error (see below). There is no information to indicate if the error is coming from Active Directory, or from Vault, so I have very little information to work off. 404 certainly implies the endpoint doesn’t exist - I would expect other codes if it was configuration or backend issues.
```
Error writing data to auth/ldap/rotate-root: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/auth/ldap/rotate-root
Code: 404. Errors:

* 1 error occurred:
	* unsupported path
```
`vault auth list`:

```
Path      Type     Accessor                 Description                Version
----      ----     --------                 -----------                -------
ldap/     ldap     auth_ldap_e385c3eb       n/a                        n/a
token/    token    auth_token_86c4a4f7      token based credentials    n/a
```
`vault read auth/ldap/config`:

```
Key                             Value
---                             -----
anonymous_group_search false
binddn CN=vault-ldap,OU=Service Accounts,OU=myou,DC=test,DC=local
case_sensitive_names false
certificate -----BEGIN CERTIFICATE-----<snip>-----END CERTIFICATE-----
connection_timeout 30
deny_null_bind true
dereference_aliases never
disable_automated_rotation false
discoverdn false
enable_samaccountname_login false
groupattr cn
groupdn OU=groups,OU=myou,DC=test,DC=local
groupfilter (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecure_tls false
max_page_size 0
password_policy n/a
request_timeout 90
rotation_period 0s
rotation_schedule n/a
rotation_window 0
starttls false
tls_max_version tls12
tls_min_version tls12
token_bound_cidrs []
token_explicit_max_ttl 0s
token_max_ttl 0s
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies []
token_ttl 0s
token_type default
upndomain test.local
url ldaps://dc1.test.local:636,ldaps://dc2.test.local:636
use_pre111_group_cn_behavior false
use_token_groups false
userattr userprincipalname
userdn OU=users,OU=myou,DC=test,DC=local
userfilter ({{.UserAttr}}={{.Username}})
username_as_alias false
```
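For anyone hitting the same error: a 404 with `unsupported path` is produced by Vault itself when the mounted backend has no registered path matching the request, so the LDAP server is never contacted. The script below is an added example (not from the original post) that asks the mounted backend which paths it registers via `vault path-help` and reports whether `rotate-root` is among them; it assumes the `vault` CLI is on `PATH` with `VAULT_ADDR` and `VAULT_TOKEN` exported, and falls back to a constructed sample of the `## PATHS` listing when no Vault is reachable.

```shell
#!/bin/sh
# Added example: check whether the mounted LDAP auth backend registers rotate-root.
# Assumes `vault` is on PATH and VAULT_ADDR / VAULT_TOKEN are exported.

MOUNT="${LDAP_MOUNT:-ldap}"   # mount path from `vault auth list`, without trailing slash

# Constructed sample of the "## PATHS" section printed by `vault path-help`
# (one regex path pattern per line); used only when no live Vault is available.
SAMPLE_PATHS='^config$
^groups/(?P<name>.+)$
^login/(?P<username>.+)$
^users/(?P<name>.+)$'

# rotate_root_registered PATH_HELP_TEXT
# Returns 0 when the help text lists a ^rotate-root$ path pattern, 1 otherwise.
rotate_root_registered() {
    printf '%s\n' "$1" | grep -q '\^rotate-root\$'
}

# Prefer a live answer from Vault; otherwise fall back to the constructed sample.
if command -v vault >/dev/null 2>&1 && [ -n "$VAULT_ADDR" ]; then
    HELP="$(vault path-help "auth/${MOUNT}/" 2>/dev/null)"
else
    HELP="$SAMPLE_PATHS"
fi

if rotate_root_registered "$HELP"; then
    echo "auth/${MOUNT}/rotate-root is registered by the mounted backend"
else
    echo "auth/${MOUNT}/rotate-root is NOT registered: the 404 comes from Vault, not from LDAP"
    echo "compare 'vault version' against the version where the docs introduce rotate-root"
fi
```

If the path is not registered, the fix is on the Vault side (server version or mounted plugin), not in the LDAP configuration shown above.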