LDAP Auth rotate-root failing with unsupported path

Vault
1

Hi folks. the documentation and various examples show that once the LDAP auth has been configured, it is possible to change the bind password using auth/ldap/rotate-root. There is no mention of any restrictions or limitations that I can find.

However, when I run vault write -f auth/ldap/rotate-root (with the root token) I get back an error (see below).
There is no information to indicate if the error is coming from Active Directory, or from Vault, so I have very little information to work off. 404 certainly implies the endpoint doesn’t exist - I would expect other codes if it was configuration or backend issues.

Error writing data to auth/ldap/rotate-root: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/auth/ldap/rotate-root
Code: 404. Errors:

* 1 error occurred:
        * unsupported path

vault auth list:

Path      Type     Accessor               Description                Version
----      ----     --------               -----------                -------
ldap/     ldap     auth_ldap_e385c3eb     n/a                        n/a
token/    token    auth_token_86c4a4f7    token based credentials    n/a

vault read auth/ldap/config:

Key                             Value
---                             -----
anonymous_group_search          false
binddn                          CN=vault-ldap,OU=Service Accounts,OU=myou,DC=test,DC=local
case_sensitive_names            false
certificate                     -----BEGIN CERTIFICATE-----<snip>-----END CERTIFICATE-----
connection_timeout              30
deny_null_bind                  true
dereference_aliases             never
disable_automated_rotation      false
discoverdn                      false
enable_samaccountname_login     false
groupattr                       cn
groupdn                         OU=groups,OU=myou,DC=test,DC=local
groupfilter                     (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecure_tls                    false
max_page_size                   0
password_policy                 n/a
request_timeout                 90
rotation_period                 0s
rotation_schedule               n/a
rotation_window                 0
starttls                        false
tls_max_version                 tls12
tls_min_version                 tls12
token_bound_cidrs               []
token_explicit_max_ttl          0s
token_max_ttl                   0s
token_no_default_policy         false
token_num_uses                  0
token_period                    0s
token_policies                  []
token_ttl                       0s
token_type                      default
upndomain                       test.local
url                             ldaps://dc1.test.local:636,ldaps://dc2.test.local:636
use_pre111_group_cn_behavior    false
use_token_groups                false
userattr                        userprincipalname
userdn                          OU=users,OU=myou,DC=test,DC=local
userfilter                      ({{.UserAttr}}={{.Username}})
username_as_alias               false
2

It should be vault write -f auth/ldap/config/rotate-root

Strange, the documentation is wrong and the API documentation doesn’t mention the endpoint at all. But the source source reveals the path.

3

Thank you! That was it. I did raise it with my TAM yesterday, but not convinced they’ll remember to poke this to be changed :slight_smile:

Now I’m getting an “insufficient access” error, but I think thats on my AD side so I’ll dig into that. Delegating “Change Password” to my Bind user into the user’s OU doesn’t seem to be enough.

Code: 500. Errors:

  • 1 error occurred:
    • LDAP Result Code 50 “Insufficient Access Rights”: 00002098: SecErr: DSID-031514B3, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
4

Just for posterity, confirmed as a problem at our AD end. I need to work out exactly what permissions to give the Bind user, because if they’re DomainAdmins, it “just works”.