LDAP operation failed: failed to bind as user

Anyone please help?

This is the trace level.

Troubleshooting the LDAP connection is a guessing game in my experience. My first guess is the cn of your binddn. It looks like it has a space and a comma which you have tried to escape out. Can you test this with a cn that has no spaces or special characters to make sure that Vault is handling it correctly? I'd be surprised that the binddn is cn=Ahmed, Soofian since your username to log in is CN=soofian.ahmed.

I already tried cn=soofian.ahmed but it does not work.

Also, to test that LDAP works fine with our AD, I have installed Softerra LDAP Administrator and configured it against AD with LDAP. It works fine with Softerra LDAP Administrator. I just give the URL in the configuration settings and log in with my credentials. It logs in successfully, but with Vault I have tried many things and am not able to log in.

So you got the bind dn to work using LDAP Administrator to bind to your Active Directory. But it would not work with Vault connecting to AD. And the only bind dn you have is Ahmed, Soofian? There is not another user that can search through AD that doesn’t have spaces?

Assuming network connectivity is good, the things I can think of to investigate:
UPN Domain: I have played with this before. Unfortunately it has been a while and I cannot find my setup.
Make sure your TLS settings are correct as it could deny it b/c of certificates.

I have tried everything you mentioned except certificate.

Finally, I successfully authenticated with the Authenticated Search binding method and the following configuration:

vault write ad/config binddn=myuser bindpass=hellopass url=ldaps://ibexdc1v-adc02.corp.server.com userdn='OU=IT,OU=Users,OU=Karachi,OU=Sites,DC=corp,DC=server,DC=com'

vault write auth/ldap/config \
  binddn="CN=myuser,OU=IT,OU=Users,OU=Karachi,OU=Sites,DC=corp,DC=server,DC=com" \
  groupdn="CN=Insight.Dev,OU=Distros,OU=Groups,OU=Global,DC=corp,DC=server,DC=com" \
  upndomain="corp.server.com" \
  url="ldaps://ibexdc1v-adc02.corp.server.com" \
  userdn="OU=IT,OU=Users,OU=Karachi,OU=Sites,DC=corp,DC=server,DC=com" \
  bindpass="hellopass"
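The two things the thread circled around were a bind CN containing a comma and a space, and a TLS/bind setup that could not be checked outside Vault. The following Python is an added example, not code from the thread or from Vault: it escapes an RDN value such as "Ahmed, Soofian" the way a DN needs it (RFC 4514) and the way a search filter needs it (RFC 4515, which is a different set of characters), runs a few sanity checks over the same `auth/ldap/config` keys used in the working config above (the rules in `check_ldap_config`, including the `sAMAccountName` suggestion, are this example's assumptions, not Vault's own validation), and prints the `openssl s_client` / `ldapsearch` commands to try the bind by hand before involving Vault. The host, DNs and password are the thread's own values, reused only as sample input.

```python
"""Pre-flight checks for a Vault LDAP auth config against Active Directory.

Added example, not from the thread or from Vault. It assumes ldap-utils
(ldapsearch) and openssl are installed where the printed commands are run.
"""
import shlex
from typing import Dict, List
from urllib.parse import urlparse

# RFC 4514 section 2.4: these must be backslash-escaped inside a DN attribute
# value; a leading '#' or space and a trailing space are escaped as well.
_DN_SPECIALS = ',+"\\<>;'


def escape_dn_value(value: str) -> str:
    """Escape one RDN value so it can sit inside a DN, e.g. CN=Ahmed\\, Soofian."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


# RFC 4515 section 3: search-filter values escape a different set, as hex.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value that is interpolated into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_dn(rdn_attr: str, rdn_value: str, base_dn: str) -> str:
    """Compose CN=<escaped value>,<base> from a raw (unescaped) value."""
    return f"{rdn_attr}={escape_dn_value(rdn_value)},{base_dn}"


def check_ldap_config(cfg: Dict[str, str]) -> List[str]:
    """Return a list of problems with an auth/ldap/config-style dict; [] if sane.

    The rules are this example's assumptions about what usually goes wrong
    against AD, not checks Vault itself performs.
    """
    problems = []
    url = urlparse(cfg.get("url", ""))
    if url.scheme not in ("ldap", "ldaps"):
        problems.append("url must start with ldap:// or ldaps://")
    if url.scheme == "ldap" and not cfg.get("starttls"):
        problems.append("ldap:// without starttls sends bindpass in the clear, and AD with "
                        "LDAP signing enforced rejects simple binds over it; use ldaps://")
    if url.scheme == "ldaps" and cfg.get("insecure_tls"):
        problems.append("insecure_tls disables certificate checking; supply the CA chain "
                        "via certificate=... instead")
    binddn = cfg.get("binddn", "")
    if binddn and "=" not in binddn:
        problems.append(f"binddn {binddn!r} is not a DN; AD may accept user@domain, but "
                        "CN=...,OU=...,DC=... is unambiguous")
    for key in ("userdn", "groupdn"):
        if cfg.get(key) and "DC=" not in cfg[key].upper():
            problems.append(f"{key} should end in the domain components (DC=corp,DC=server,DC=com)")
    if not cfg.get("upndomain") and not cfg.get("userattr"):
        problems.append("set upndomain for user@domain logins, or userattr=sAMAccountName "
                        "so the default userattr=cn is not used against AD")
    return problems


def preflight_commands(cfg: Dict[str, str], test_user: str) -> Dict[str, str]:
    """Shell commands to check TLS and the service-account bind outside Vault."""
    url = urlparse(cfg["url"])
    port = url.port or (636 if url.scheme == "ldaps" else 389)
    filt = f"(sAMAccountName={escape_filter_value(test_user)})"
    return {
        "tls": f"openssl s_client -connect {url.hostname}:{port} -servername {url.hostname} </dev/null",
        "bind": "ldapsearch -H " + shlex.quote(cfg["url"]) + " -D " + shlex.quote(cfg["binddn"])
                + " -W -b " + shlex.quote(cfg["userdn"]) + " " + shlex.quote(filt) + " dn memberOf",
    }


# Sample input constructed from the working config in the thread.
WORKING_CONFIG = {
    "url": "ldaps://ibexdc1v-adc02.corp.server.com",
    "binddn": "CN=myuser,OU=IT,OU=Users,OU=Karachi,OU=Sites,DC=corp,DC=server,DC=com",
    "bindpass": "hellopass",
    "userdn": "OU=IT,OU=Users,OU=Karachi,OU=Sites,DC=corp,DC=server,DC=com",
    "groupdn": "CN=Insight.Dev,OU=Distros,OU=Groups,OU=Global,DC=corp,DC=server,DC=com",
    "upndomain": "corp.server.com",
}

if __name__ == "__main__":
    print(build_dn("CN", "Ahmed, Soofian", WORKING_CONFIG["userdn"]))
    for problem in check_ldap_config(WORKING_CONFIG) or ["config looks sane"]:
        print("-", problem)
    for name, cmd in preflight_commands(WORKING_CONFIG, "soofian.ahmed").items():
        print(f"{name}: {cmd}")
```

Run the printed `tls` command first: if `openssl s_client` does not end with `Verify return code: 0 (ok)`, Vault will fail the same way and the fix is the CA chain, not the DN. Then run the `bind` command with the service account password; if `ldapsearch` binds but returns no entry, the `userdn` base or the filter attribute is wrong, which is a different failure from "failed to bind as user".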


ldaps instead of ldap works for me! Thanks @soofian