LDAP login not writing token to file

Describe the bug
We log in with vault login -method=ldap and we use Duo MFA. Recently it seems that logging in like this has stopped writing the token to the ~/.vault-token file, so additional vault operations do not complete. If I log into the Vault web interface, copy my token and use that with vault login, the file is written properly.

To Reproduce
Steps to reproduce the behavior:

1. Run vault login -method=ldap
2. Enter password and approve MFA push
3. Try to use any other vault commands and get 403 error, see that ~/.vault-token is missing.

Expected behavior
The file ~/.vault-token should be written with the token received from the LDAP login


Vault Server Version (retrieve with vault status): 1.12.1 (installed with Yum)
Vault CLI Version (retrieve with vault version): Vault v1.12.0 (558abfa75702b5dab4c98e86b802fb9aef43b0eb), built 2022-10-10T18:14:33Z
Server Operating System/Architecture: Redhat 7.9
Vault server configuration file(s):

Service started with /usr/bin/vault server -config=/etc/vault/config.json

{
  "listener": [
    {
      "tcp": {
        "address": ":8200",
        "tls_cert_file": "/etc/ssl/vault/vault.example.com.crt",
        "tls_key_file": "/etc/ssl/vault/vault.example.com.key"
      }
    }
  ],
  "storage": {
    "mysql": {
      "address": "mysql.example.com",
      "database": "vault",
      "table": "vaultdata",
      "username": "username",
      "password": "password"
    }
  },
  "ui": true
}

First question, and it has bitten me more than once (Damn Jenkins!!) - the user you are running the client as, does it have write access to the ~/.vault-token?

There are options to not write (-no-store) - and only output with the command (https://developer.hashicorp.com/vault/docs/commands/login). I swear there was also a config for it - but I cannot find it.

There are also Vault token helpers that can be configured:

Maybe one is configured.

Second question - does it work if you remove the Duo MFA?
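
The two client-side causes raised in the reply above (no write access to ~/.vault-token, or a configured token helper) can be checked with a short script. This is an added example, not part of the original thread: `check_token_store` is a hypothetical name, and it assumes the Vault CLI config file is `~/.vault` unless `VAULT_CONFIG_PATH` points elsewhere. A `-no-store` flag has to be looked for in the login invocation itself (wrapper scripts, CI job definitions).

```bash
#!/usr/bin/env bash
# Added diagnostic (not from the thread). check_token_store is a hypothetical
# helper name. Usage: check_token_store [home_dir]   (defaults to $HOME)
# Prints one finding per line; returns 0 if the default store looks usable.
check_token_store() {
    local home="${1:-$HOME}"
    local token_file="$home/.vault-token"
    # Assumption: CLI config is ~/.vault unless VAULT_CONFIG_PATH overrides it.
    local cli_config="${VAULT_CONFIG_PATH:-$home/.vault}"
    local rc=0

    # 1. A token_helper entry replaces the default on-disk store, so
    #    "vault login" hands the token to the helper instead of the file.
    if [ -f "$cli_config" ] &&
       grep -Eq '^[[:space:]]*token_helper[[:space:]]*=' "$cli_config"; then
        echo "HELPER: token_helper is configured in $cli_config"
        rc=1
    fi

    # 2. The user running the client must be able to write the token file,
    #    or create it in the home directory if it does not exist yet.
    if [ -e "$token_file" ]; then
        if [ ! -w "$token_file" ]; then
            echo "PERM: $token_file is not writable by $(id -un)"
            rc=1
        fi
    elif [ ! -w "$home" ]; then
        echo "PERM: $(id -un) cannot create $token_file in $home"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: default token store $token_file is usable"
    return "$rc"
}
```

Run it as the same account that runs `vault login` (for example the Jenkins service user), since the result depends on that user's home directory and permissions.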