Hi! I was reading this interesting article about attacking your own Vault.
I just followed the steps described in order to get a memory dump of the Vault process, then I played with some grep searches and I found this:
This JSON represents an access token generated by the LDAP auth method, with the username and password in cleartext. Right, all this information is inside the Barrier, but I didn't expect to find it there. Why does Vault keep this password in memory if the authentication process has finished?
After that I ran tcpdump on my LDAP server in order to identify when Vault called LDAP again, then I played around with Vault, and finally I found a call from Vault when I renewed the original access token.
Is this the expected behaviour?
I went through all the documentation and didn’t find anything about it.