Vault 1.9: No more group-inherited identity policies attached to LDAP-user after upgrade from 1.8

Hi,

there seems to be a “breaking change” in 1.9 that I have overlooked:

We use entities with associated LDAP-based users (aliases). Entities are members of groups and groups have policies attached to them. All of them are maintained by Terraform.
Database-backend is RAFT (for ease of backup), single-node “cluster”, running on Debian 11.

LDAP login to Vault 1.8.4 returns a full set of policies attached to the token:

Key                  Value
token_policies       ["default"]
identity_policies    ["vault-mgrs_policy" "viewonly-admin-policy"]
policies             ["default" "vault-mgrs_policy" "viewonly-admin-policy"]

After upgrading to Vault 1.9 by using apt-get and unsealing, users that log in via LDAP have only the “default” policy attached to their token, but not the policies that should have been inherited from the group membership of the associated entity.

Key                  Value
token_policies       ["default"]
identity_policies
policies             ["default"]

How can we get back to the previous behavior, other than by downgrading Vault? Luckily that works, but it’s not a forward-looking solution…

Thanks for this, we’re heavily using this in our environment. I’ll test it out in the next week or so in the lab environment to make sure.

Has anyone else also observed this behavior? I attempted an upgrade to 1.9.1, but the behavior remains the same:

  • Token after login with alias from user/pass associated with an entity that is member of one or more groups receives the policies of the groups,
  • Token after login with alias from LDAP associated with an entity that is member of one or more groups has only the default policy.

Could I have overlooked something in the configuration?
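A small diagnostic, added here as an illustration rather than anything posted in this thread, that compares the identity a token actually resolved to (the JSON of `vault token lookup -format=json`) with the Terraform-managed entity it should map to (`vault read -format=json identity/entity/name/<name>`). Both JSON documents, the ids and the mount accessor are constructed samples; the field names follow Vault's token and identity APIs.

```python
import json

# Constructed sample of `vault token lookup -format=json` after the LDAP login (not from the thread).
TOKEN_LOOKUP = json.loads("""{
  "data": {
    "entity_id": "00000000-0000-4000-8000-00000000beef",
    "path": "auth/ldap/login/jdoe",
    "policies": ["default"],
    "identity_policies": []
  }
}""")

# Constructed sample of `vault read -format=json identity/entity/name/jdoe`:
# the Terraform-managed entity that carries the LDAP alias and the group memberships.
EXPECTED_ENTITY = json.loads("""{
  "data": {
    "id": "00000000-0000-4000-8000-00000000cafe",
    "name": "jdoe",
    "aliases": [{"mount_type": "ldap", "mount_accessor": "auth_ldap_d3adb33f", "name": "jdoe"}],
    "group_ids": ["00000000-0000-4000-8000-0000000000a1"]
  }
}""")


def diagnose(token_lookup, expected_entity):
    """Return checks and findings explaining why identity_policies may be empty for this token."""
    tok = token_lookup["data"]
    ent = expected_entity["data"]
    login_name = tok["path"].rsplit("/", 1)[-1]          # username used at `vault login -method=ldap`
    ldap_aliases = [a["name"] for a in ent.get("aliases", []) if a["mount_type"] == "ldap"]
    result = {
        "entity_matches": tok["entity_id"] == ent["id"],
        "alias_matches": login_name in ldap_aliases,
        "identity_policies_present": bool(tok.get("identity_policies")),
        "expected_group_count": len(ent.get("group_ids", [])),
        "findings": [],
    }
    if not result["entity_matches"]:
        # Group policies are granted through the entity; a token bound to a different
        # (for example auto-created) entity cannot inherit them.
        result["findings"].append(
            f"token entity {tok['entity_id']} != expected entity {ent['id']}: "
            "login resolved to a different entity, so group policies do not apply")
    if not result["alias_matches"]:
        result["findings"].append(
            f"login name {login_name!r} has no exact LDAP alias on the expected entity "
            f"(aliases: {ldap_aliases}); check which alias name the auth method now registers")
    if result["expected_group_count"] == 0:
        result["findings"].append("expected entity belongs to no groups")
    return result


if __name__ == "__main__":
    for line in diagnose(TOKEN_LOOKUP, EXPECTED_ENTITY)["findings"]:
        print("-", line)
```

Run it against the real output of the two commands on the 1.8 and the 1.9 node; if the entity id reported by the token differs between the two versions, the login is no longer being matched to the Terraform-managed entity.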