Hi All,
I’m trying to add an AD auth via LDAP for a vault 1.21.3 instance and I used this command to add the authentication:
/usr/local/vault/bin/vault write auth/ldap/config \
url="ldaps://ad.test.local:3269" \
userdn="DC=city,DC=work,DC=test,DC=local" \
binddn="CN=user,OU=ApplicationUsers,OU=Users,OU=work fine,DC=city,DC=work,DC=test,DC=local" \
bindpass="password" \
groupdn="OU=DL,OU=Exchange,OU=work fine,DC=city,DC=work,DC=test,DC=local" \
groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
groupattr="cn" \
userattr="sAMAccountName" \
userfilter="(&(objectClass=user)(objectCategory=person)({{.UserAttr}}={{.Username}}))" \
insecure_tls=true \
starttls=false \
certificate="" \
lockout_threshold=0 \
lockout_duration="1s"
I created a full admin policy:
/usr/local/vault/bin/vault policy write admins - <<EOF
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
EOF
I mapped the group and user with the admin policies:
/usr/local/vault/bin/vault write auth/ldap/groups/DL_Group policies="admins,default"
/usr/local/vault/bin/vault write auth/ldap/users/usertest policies="admins,default"
In some cases I received invalid credentials with 2026-02-25T18:04:06.462+0100 [DEBUG] auth.ldap.auth_ldap_908c5d5c: error getting user bind DN: usertest=error EXTRA_VALUE_AT_END="ldap.(Client).Authenticate: discovery of user bind DN failed: LDAP search for binddn 0 or not unique", but in other cases I received 2026-02-25T17:43:45.859+0100 [ERROR] core: login attempts exceeded, user is locked out: request_path=auth/ldap/login/usertest.
Could you help us to define the correct config?
Thanks,
Marcello
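The "LDAP search for binddn 0 or not unique" error means the user lookup Vault runs with userdn + userfilter returned zero or several entries. The script below is an added example (not from the post or from Vault) that reproduces that lookup with ldapsearch against the server, base DN, bind DN and filter from the post, and reports whether exactly one entry matches. BIND_PASS and AD_CA_FILE are placeholders you supply; the CA file replaces insecure_tls=true so the check runs with certificate verification on.

```shell
#!/bin/sh
# Added example: reproduce Vault's LDAP user-DN discovery with ldapsearch and
# classify the result the way Vault's error message does (0 / 1 / several).
# Server and DNs are taken from the forum post; BIND_PASS and AD_CA_FILE are
# placeholders to be set in the environment before running.
set -eu

LDAP_URL="ldaps://ad.test.local:3269"
BIND_DN="CN=user,OU=ApplicationUsers,OU=Users,OU=work fine,DC=city,DC=work,DC=test,DC=local"
USER_DN="DC=city,DC=work,DC=test,DC=local"
USER_ATTR="sAMAccountName"

# Render the post's userfilter template for one username, as Vault does.
render_userfilter() {
    printf '(&(objectClass=user)(objectCategory=person)(%s=%s))' "$USER_ATTR" "$1"
}

# Count entries in LDIF output from ldapsearch (one "dn:" line per entry).
count_entries() {
    grep -c '^dn:' || true
}

# Vault's lookup only succeeds when exactly one entry matches.
classify() {
    case "$1" in
        1) echo "ok" ;;
        0) echo "no match" ;;
        *) echo "not unique" ;;
    esac
}

# Run the same subtree search Vault runs under the configured userdn.
# LDAPTLS_CACERT pins the AD CA instead of disabling TLS verification
# (the ldapsearch counterpart of Vault's certificate= field).
lookup_user() {
    n=$(LDAPTLS_CACERT="${AD_CA_FILE:-/path/to/ad-ca.pem}" \
        ldapsearch -LLL -o ldif-wrap=no -H "$LDAP_URL" \
        -D "$BIND_DN" -w "${BIND_PASS:?set BIND_PASS}" \
        -b "$USER_DN" -s sub "$(render_userfilter "$1")" dn | count_entries)
    classify "$n"
}

# Usage: BIND_PASS=... AD_CA_FILE=... ./check_user_dn.sh usertest
if [ -n "${1:-}" ]; then
    lookup_user "$1"
fi
```

If the script prints "not unique", narrow userdn to the OU that holds the accounts or tighten the filter; if it prints "no match", the account does not satisfy the filter under that base, so repeated login attempts only feed the lockout counter.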