Problems with group search; UserDN is null

Hi

I am integrating Vault with our Active Directory. I got the user authentication to work to some extent, but searching for the user’s groups fails. I think that the reason is that the UserDN gets a NULL value. The log entries look like this:

Jan 13 11:15:41 server1 vault[85908]: 2020-01-13T11:15:41.214+0200 [DEBUG] auth.ldap.auth_ldap_f06beda3: discovering user: userdn=OU=Hosting,DC=xxx,DC=yyy,DC=zz filter=(samaccountname=joedoe)
Jan 13 11:15:41 server1 vault[85908]: 2020-01-13T11:15:41.257+0200 [DEBUG] auth.ldap.auth_ldap_f06beda3: user binddn fetched: username=joedoe binddn="CN=Doe, Joe (joedoe),OU=Users,OU=FI,OU=TS,OU=Hosting,DC=xxx,DC=yyy,DC=zz"
Jan 13 11:15:41 server1 vault[85908]: 2020-01-13T11:15:41.285+0200 [DEBUG] auth.ldap.auth_ldap_f06beda3: re-bound to original binddn
Jan 13 11:15:41 server1 vault[85908]: 2020-01-13T11:15:41.285+0200 [DEBUG] auth.ldap.auth_ldap_f06beda3: searching upn: userdn=OU=Hosting,DC=xxx,DC=yyy,DC=zz filter="(userPrincipalName=CN=Doe\5c, Joe \28joedoe\29,OU=Users,OU=FI,OU=TS,OU=Hosting,DC=xxx,DC=yyy,DC=zz)"
Jan 13 11:15:41 server1 vault[85908]: 2020-01-13T11:15:41.296+0200 [DEBUG] auth.ldap.auth_ldap_f06beda3: compiling group filter: group_filter=(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))
Jan 13 11:15:41 server1 vault[85908]: 2020-01-13T11:15:41.296+0200 [DEBUG] auth.ldap.auth_ldap_f06beda3: searching: groupdn=OU=IDM,OU=Admin rendered_query=(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=))

As you can see in the last log entry, there’s no value for the “.UserDN”.

With tcpdump and Wireshark I can see the following filter being used:

"Filter: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:=[NULL]))"

The ldap configuration looks like this:

Key Value
binddn user@xxx.yyy.zz
case_sensitive_names false
certificate n/a
deny_null_bind true
discoverdn false
groupattr cn
groupdn OU=IDM,OU=Admin
groupfilter (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))
insecure_tls false
starttls false
tls_max_version tls12
tls_min_version tls12
token_bound_cidrs
token_explicit_max_ttl 0s
token_max_ttl 0s
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies
token_ttl 0s
token_type default
upndomain xxx.yyy.zz
url ldap://ldap.xxx.yyy.zz:389
use_pre111_group_cn_behavior false
use_token_groups false
userattr samaccountname
userdn OU=Hosting,DC=xxx,DC=yyy,DC=zz

When I use the default groupfilter value, the log looks like this:

Jan 13 13:40:42 server1 vault[85908]: 2020-01-13T13:40:42.768+0200 [DEBUG] auth.ldap.auth_ldap_f06beda3: compiling group filter: group_filter=(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
Jan 13 13:40:42 server1 vault[85908]: 2020-01-13T13:40:42.769+0200 [DEBUG] auth.ldap.auth_ldap_f06beda3: searching: groupdn=OU=IDM,OU=Admin rendered_query=(|(memberUid=joedoe)(member=)(uniqueMember=))

Again, the “.UserDN” seems to be empty, but then surprisingly with tcpdump/Wireshark I can see the following filter being used:

Filter: (|(|(memberUid=joedoe)(member=joedoe))(uniqueMember=joedoe))

In this case the “.UserDN” gets a value, but it is only shown at the LDAP protocol level. But anyway, the value would be wrong, since in our AD the “member” attribute contains the DN of each member.

The question is, how should I configure the groupfilter correctly?

Br,
Marko
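Added example, not taken from the post above or from Vault's code base: a small Go program that models how a groupfilter template such as the one in the post is rendered. It uses Go's text/template (the same `{{.UserDN}}` placeholder syntax the log lines show), escapes the substituted values according to RFC 4515 (which is why the post's "searching upn" line shows `\5c`, `\28` and `\29`), and refuses to render a filter whose referenced variable is empty, since that is exactly how the post ends up with `(member:1.2.840.113556.1.4.1941:=)`. The type and function names (`FilterContext`, `EscapeFilterValue`, `RenderGroupFilter`) and the empty-value check are this example's own assumptions; the DN is constructed from the post's log lines.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
	"text/template"
)

// FilterContext carries the two template variables a groupfilter can reference:
// the login name ({{.Username}}) and the DN resolved for the user ({{.UserDN}}).
// This struct is constructed for the example; it is not Vault's own type.
type FilterContext struct {
	Username string
	UserDN   string
}

// EscapeFilterValue escapes a value for use inside an LDAP search filter
// (RFC 4515 section 3): backslash, parentheses, asterisk and NUL become
// \XX hex escapes. A DN such as "CN=Doe\, Joe (joedoe),..." therefore
// renders as "CN=Doe\5c, Joe \28joedoe\29,...", matching the post's log line.
func EscapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch c {
		case '\\', '(', ')', '*', 0x00:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// RenderGroupFilter renders a groupfilter template with escaped values.
// It returns an error (rather than a silently empty assertion such as
// "(member=)") when the template references a variable that was never
// resolved, which is the failure mode visible in the post.
func RenderGroupFilter(groupFilter string, ctx FilterContext) (string, error) {
	if strings.Contains(groupFilter, ".UserDN") && ctx.UserDN == "" {
		return "", errors.New("groupfilter references .UserDN but no user DN was resolved")
	}
	if strings.Contains(groupFilter, ".Username") && ctx.Username == "" {
		return "", errors.New("groupfilter references .Username but the username is empty")
	}
	tmpl, err := template.New("groupfilter").Parse(groupFilter)
	if err != nil {
		return "", err
	}
	escaped := FilterContext{
		Username: EscapeFilterValue(ctx.Username),
		UserDN:   EscapeFilterValue(ctx.UserDN),
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, escaped); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	// The AD nested-group filter from the post's configuration.
	const adFilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))"

	// Constructed DN modelled on the post's "user binddn fetched" line; the
	// comma inside the CN is escaped with a backslash as RFC 4514 requires.
	ctx := FilterContext{
		Username: "joedoe",
		UserDN:   "CN=Doe\\, Joe (joedoe),OU=Users,OU=FI,OU=TS,OU=Hosting,DC=xxx,DC=yyy,DC=zz",
	}
	if f, err := RenderGroupFilter(adFilter, ctx); err == nil {
		fmt.Println("rendered:", f)
	}

	// The situation from the post: the user DN was never resolved.
	if _, err := RenderGroupFilter(adFilter, FilterContext{Username: "joedoe"}); err != nil {
		fmt.Println("refused:", err)
	}
}
```

Running it prints the fully rendered filter for the resolved DN, and for the empty-DN case it reports the refusal instead of sending a filter that can never match a member.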