Unable to login with same user that is used to LDAP bind with

Been hacking at this problem for 2 days now.

This same user I am using in Vault LDAP config to binddn with (including dn and password) is unable to login to Vault using LDAP.

Here is proof this user can bind to ldap and find itself:

$ ldapsearch -H ldap://ldap.mycompany.com -D "CN=svc-hwinf-vlt-test,OU=Service Accounts,OU=Accounts,DC=mycompany,DC=com" -W -b "dc=mycompany,dc=com" -s sub "(&(objectclass=Person)(cn=svc-hwinf-vlt-test))"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=mycompany,dc=com> with scope subtree
# filter: (&(objectclass=Person)(cn=svc-hwinf-vlt-test))
# requesting: ALL
#
# svc-hwinf-vlt-test, Service Accounts, Accounts, mycompany.com
dn: CN=svc-hwinf-vlt-test,OU=Service Accounts,OU=Accounts,DC=mycompany,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: svc-hwinf-vlt-test

Here is my Vault LDAP config:

binddn: "CN=svc-hwinf-vlt-test,OU=Service Accounts,OU=Accounts,DC=mycompany,DC=com"
case_sensitive_names: false
certificate: ""
deny_null_bind: true
discoverdn: true
groupattr: "cn"
groupdn: "OU=GroupID,OU=Groups,DC=mycompany,DC=com"
groupfilter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))"
insecure_tls: true
starttls: false
tls_max_version: "tls12"
tls_min_version: "tls11"
token_bound_cidrs: []
token_explicit_max_ttl: 3600
token_max_ttl: 3600
token_no_default_policy: false
token_num_uses: 0
token_period: 3600
token_policies: []
token_ttl: 3600
token_type: "default"
upndomain: ""
url: "ldap://ldap.mycompany.com,ldap://ldaphq.mycompany.com,ldap://ldap.gtm.mycompany.com/"
use_pre111_group_cn_behavior: false
use_token_groups: false
userattr: "samaccountname"
userdn: "ou=Accounts,dc=mycompany,dc=com"

When I login as another account, it’s successful:

$ vault login -tls-skip-verify -method=ldap username=anotheruser
Password (will be hidden): 
Success! You are now authenticated.

But when I try to login as the same account I’m using as a binddn it errors:

$ vault login -tls-skip-verify -method=ldap username=svc-hwinf-vlt-test
Password (will be hidden): 
Error authenticating: context deadline exceeded

This does not make sense to me, what is going on?
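To separate the two LDAP round-trips Vault makes with the config above (resolve the sAMAccountName to a DN under userdn, then run groupfilter under groupdn, where the 1.2.840.113556.1.4.1941 matching rule asks AD to walk nested group membership), the following added script, which is not Vault's code, renders the filters Vault would send and emits equivalent ldapsearch commands with a server-side time limit so each stage can be timed on its own. Filter values are escaped per RFC 4515; the config values are copied from the post and the time limit is a constructed example.

```python
"""Render Vault's LDAP user and group searches and build matching ldapsearch
commands so each stage can be timed separately (added example, not Vault code)."""
import shlex

# Values copied from the Vault config in the post.
USERDN = "ou=Accounts,dc=mycompany,dc=com"
USERATTR = "samaccountname"
GROUPDN = "OU=GroupID,OU=Groups,DC=mycompany,DC=com"
GROUPFILTER = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))"
BINDDN = "CN=svc-hwinf-vlt-test,OU=Service Accounts,OU=Accounts,DC=mycompany,DC=com"
URL = "ldap://ldap.mycompany.com"

# RFC 4515 escaping for values substituted into a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(username: str) -> str:
    """Stage 1: the search that resolves the login name to a DN under userdn."""
    return f"({USERATTR}={escape_filter_value(username)})"


def render_groupfilter(user_dn: str, username: str) -> str:
    """Stage 2: fill the template placeholders Vault accepts in groupfilter."""
    return (GROUPFILTER
            .replace("{{.UserDN}}", escape_filter_value(user_dn))
            .replace("{{.Username}}", escape_filter_value(username)))


def ldapsearch_cmd(base: str, filt: str, time_limit: int, *attrs: str) -> str:
    """Equivalent ldapsearch call; -l sets the server-side time limit in seconds."""
    argv = ["ldapsearch", "-H", URL, "-D", BINDDN, "-W", "-b", base,
            "-s", "sub", "-l", str(time_limit), filt, *attrs]
    return shlex.join(argv)


if __name__ == "__main__":
    name = "svc-hwinf-vlt-test"
    dn = BINDDN  # in the post the failing login is the bind user itself
    print(ldapsearch_cmd(USERDN, user_filter(name), 10, "dn"))
    print(ldapsearch_cmd(GROUPDN, render_groupfilter(dn, name), 10, "cn"))
```

Run the two printed commands in turn; whichever one returns "Time Limit Exceeded" is the stage worth tuning, and a narrower groupdn or userdn shrinks the subtree the server has to walk.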

That could be a timeout hiding the real message. Do you see the context deadline exceeded after 30 or 60 seconds?
Try
export VAULT_CLIENT_TIMEOUT=120
and see if you get a different error message.

How many groups does this account belong to?

After trying your timeout suggestion I do see that NGINX was timing out retrieving a response from Vault.
However, I tried logging in directly to vault without the NGINX reverse proxy and it still timed out with this error:

Authentication failed: LDAP search failed: LDAP Result Code 3 "Time Limit Exceeded"

This account only belongs to 2 groups.

Is the user that works and the bind user part of the same groups?

What does the log on the LDAP server show during this time?
The return - LDAP search failed: LDAP Result Code 3 - is from the LDAP server, I believe, and on most AD/LDAP servers that is 120 seconds.

Mike, thanks for all the help. I don’t know for sure what was going on, but suddenly the auth is working just fine now through LDAP. I think possibly there was an issue with our LDAP server and it is resolved now. I’m still mystified why users with larger group lists seemed to be able to auth after around 30 seconds but users with only 2 groups were timing out.

Glad it's working. You might try narrowing down the scope of it; any chance this could be tightened down? Might be a perf thing/load…

userdn: "ou=Accounts,dc=mycompany,dc=com"