There seems to be a “breaking change” in 1.9 that I have overlooked:
We use entities with associated LDAP-based users (aliases). Entities are members of groups and groups have policies attached to them. All of them are maintained by Terraform.
Database backend is Raft (for ease of backup), single-node “cluster”, running on Debian 11.
LDAP login to Vault 1.8.4 returns a full set of policies attached to the token:
After upgrading to Vault 1.9 by using apt-get and unsealing, users that log in via LDAP have only the “default” policy attached to their token, but none of the policies that should have been inherited from the group membership of the associated entity.
The example shown in Identity | Vault by HashiCorp (vaultproject.io) is IMHO outdated – it shows a name of “bsmith” while with 1.9+ it would have to be something like “cn=bsmith,ou=users,dc=example,dc=com”
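An added Terraform illustration of the setup the post describes (not the poster's own configuration): it assumes an LDAP auth mount at `auth/ldap`, uses the DN from the post as the entity alias name, and the LDAP server values, policy name and policy body are placeholders.

```hcl
# Added example, not from the original post: one LDAP user whose entity alias
# is named by the user's DN, which the post says 1.9+ reports at login.
# Placeholders: LDAP url/userdn/groupdn, the policy name and its body.

resource "vault_ldap_auth_backend" "ldap" {
  path     = "ldap"
  url      = "ldaps://ldap.example.com"        # placeholder
  userdn   = "ou=users,dc=example,dc=com"      # placeholder
  userattr = "cn"
  groupdn  = "ou=groups,dc=example,dc=com"     # placeholder
}

resource "vault_policy" "app_reader" {
  name   = "app-reader"                         # placeholder policy
  policy = <<-EOT
    path "secret/data/app/*" {
      capabilities = ["read", "list"]
    }
  EOT
}

resource "vault_identity_entity" "bsmith" {
  name = "bsmith"
}

# The alias name is what ties an LDAP login to this entity. If it does not
# match the name the auth method reports at login, Vault attaches the login
# to a newly created entity that is in no group, so the token only gets
# the "default" policy, which is the symptom described in the post.
resource "vault_identity_entity_alias" "bsmith_ldap" {
  name           = "cn=bsmith,ou=users,dc=example,dc=com"  # DN form, as in the post
  mount_accessor = vault_ldap_auth_backend.ldap.accessor
  canonical_id   = vault_identity_entity.bsmith.id
}

# Group membership is where the policies come from; the entity inherits them.
resource "vault_identity_group" "app_readers" {
  name              = "app-readers"             # placeholder
  type              = "internal"
  policies          = [vault_policy.app_reader.name]
  member_entity_ids = [vault_identity_entity.bsmith.id]
}
```

After a test login, listing the aliases under `identity/entity-alias/id` shows the name the auth method actually reported; a second entity appearing for the same user means the alias name in Terraform does not match it.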