Unable to rotate passwords for root user or LDAP library service accounts

We have been dealing with an issue where we cannot rotate any passwords via the LDAP secrets engine. This includes the bind user and the service accounts we have as a part of a library.

When executing rotate-root commands, the first two times you run that command it will succeed, but the third time it will fail due to both the new and old passwords not working.

When it comes to check-ins and check-outs for users in the library, from Vault's perspective everything seems to go through just fine. However, on the LDAP side, it doesn't seem like the new password is being applied.

So in all, this is what we are seeing:

  • rotate-root commands will succeed the first two times, but fail on the third time
  • Check-ins do not seem to successfully change the service account passwords
  • When performing a rotate-root command or a check-in, it seems like whenChanged and userPassword fields in Active Directory successfully update, but pwdLastSet doesn’t appear to change.
  • We performed an upgrade on 7/11/2023 to 1.13.4 and everything seemed to be working just fine with regard to user check-in/out and rotate-root commands. Problems started to appear 8/8/2023.

So we did find the issue. Our schema was originally set to ad, but for some reason it was set back to the default value of openldap. We looked back at the logs and didn't see a single log entry that would point to someone going in and modifying that particular setting. Very odd that it reverted somehow.

Is there any way to maybe figure out why it was reset to the default value?
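Two checks a practitioner would want after the thread above, as an added example that is not code from the original posts or from HashiCorp. The first reads the output of `vault read -format=json ldap/config` and flags a schema other than ad (with the openldap schema Vault writes userPassword, which Active Directory does not treat as the account password; the ad schema writes unicodePwd, which is why whenChanged moved while pwdLastSet did not). The second answers the "how do we find out who reset it" question by scanning a Vault audit log for update requests to the engine's config path and reporting who sent them and which keys were in the request; audit devices HMAC request data values by default, so you can see that schema was or was not sent on a write, not the value. It assumes a file audit device is enabled and the engine is mounted at ldap/ (both assumptions), and the log lines and config output are constructed samples in the shape of Vault's JSON output.

```python
"""Check LDAP secrets engine schema drift and find the config writes behind it.

Added example for this thread, not code from the posts or from HashiCorp.
Assumptions: engine mounted at "ldap/", a JSON file audit device is enabled.
"""
import json

# Constructed sample in the shape of `vault read -format=json ldap/config`.
SAMPLE_CONFIG_READ = (
    '{"data":{"binddn":"CN=vault,OU=svc,DC=example,DC=com","schema":"openldap",'
    '"url":"ldaps://dc1.example.com","userdn":"OU=svc,DC=example,DC=com"}}'
)

# Constructed sample lines in the shape of Vault's JSON audit log (not real logs).
# Request data values are HMAC'd by the audit device, so only the keys are readable.
SAMPLE_AUDIT_LOG = r'''
{"time":"2023-07-11T14:02:11Z","type":"request","auth":{"display_name":"token-admin","entity_id":"e1","policies":["admin"]},"request":{"operation":"update","path":"ldap/config","data":{"url":"hmac-sha256:aaa","binddn":"hmac-sha256:bbb","bindpass":"hmac-sha256:ccc","schema":"hmac-sha256:ddd"},"remote_address":"10.0.5.21"}}
{"time":"2023-07-11T14:02:11Z","type":"response","auth":{"display_name":"token-admin"},"request":{"operation":"update","path":"ldap/config"},"response":{}}
{"time":"2023-08-08T09:15:43Z","type":"request","auth":{"display_name":"approle","entity_id":"e2","policies":["ldap-config"]},"request":{"operation":"update","path":"ldap/config","data":{"url":"hmac-sha256:aaa","binddn":"hmac-sha256:bbb","bindpass":"hmac-sha256:eee"},"remote_address":"10.0.9.77"}}
{"time":"2023-08-08T10:00:00Z","type":"request","auth":{"display_name":"token-admin"},"request":{"operation":"read","path":"ldap/config"}}
{"time":"2023-08-09T08:00:00Z","type":"request","auth":{"display_name":"token-admin"},"request":{"operation":"update","path":"ldap/rotate-root"}}
this line is deliberately not JSON
'''


def schema_mismatch(config_json, expected="ad"):
    """Return the configured schema when it differs from `expected`, else None."""
    schema = json.loads(config_json).get("data", {}).get("schema")
    return None if schema == expected else schema


def config_writes(log_text, mount="ldap/"):
    """Return one record per audit request that updated <mount>config.

    Each record carries the time, the caller's display name and entity id,
    the remote address, the request data keys, and whether "schema" was among
    them. Response entries, reads, other paths and unparseable lines are skipped.
    """
    target = mount + "config"
    found = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or garbled line; keep scanning
        if entry.get("type") != "request":
            continue
        req = entry.get("request", {})
        if req.get("path") != target or req.get("operation") not in ("update", "create"):
            continue
        auth = entry.get("auth", {})
        keys = sorted(req.get("data", {}).keys())
        found.append({
            "time": entry.get("time"),
            "display_name": auth.get("display_name"),
            "entity_id": auth.get("entity_id"),
            "remote_address": req.get("remote_address"),
            "keys": keys,
            "schema_sent": "schema" in keys,
        })
    return found


if __name__ == "__main__":
    drift = schema_mismatch(SAMPLE_CONFIG_READ)
    if drift:
        print(f"ldap/config schema is {drift!r}, expected 'ad'")
    for w in config_writes(SAMPLE_AUDIT_LOG):
        flag = "" if w["schema_sent"] else "  <-- schema not in request"
        print(f"{w['time']} {w['display_name']} ({w['entity_id']}) from "
              f"{w['remote_address']} wrote keys {w['keys']}{flag}")
```

Against a real log, replace the sample with the contents of the audit file (or a `vault audit` sink) and, if the engine lives elsewhere, pass its mount path; a write that carries no schema key is the first place to look when the value drifts back to the default.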