Vault 1.9: No more group-inherited identity policies attached to LDAP-user after upgrade from 1.8

Hi,

there seems to be a “breaking change” in 1.9 that I have overlooked:

We use entities with associated LDAP-based users (aliases). Entities are members of groups and groups have policies attached to them. All of them are maintained by Terraform.
Database-backend is RAFT (for ease of backup), single-node “cluster”, running on Debian 11.

LDAP login to Vault 1.8.4 returns a full set of policies attached to the token:

Key                  Value
---                  -----
token_policies       ["default"]
identity_policies    ["vault-mgrs_policy" "viewonly-admin-policy"]
policies             ["default" "vault-mgrs_policy" "viewonly-admin-policy"]

After upgrading to Vault 1.9 by using apt-get and unsealing, users that log in via LDAP have only the “default” policy attached to their token, but none of the policies that should have been inherited from the group membership of the associated entity.

Key                  Value
---                  -----
token_policies       ["default"]
identity_policies    n/a
policies             ["default"]

How can we get back to the previous behavior, other than by downgrading Vault? Luckily that works, but it’s not a forward-looking solution…

Thanks for this, we’re heavily using this in our environment. I’ll test it out in the next week or so in the lab environment to make sure.

Has anyone else also observed this behavior? I attempted an upgrade to 1.9.1, but the behavior remains the same:

  • Token after login with an alias from user/pass associated with an entity that is a member of one or more groups receives the policies of the groups,
  • Token after login with an alias from LDAP associated with an entity that is a member of one or more groups has only the default policy.

Could I have overlooked something in the configuration?

I have finally found the root cause:

  • with Vault 1.8, you can use the LDAP username as an entity-alias (which is what I did);
  • starting with Vault 1.9, you have to use the full DN of the LDAP user to associate an LDAP login with an entity as an alias.

I discovered this through auto-created “unnamed” entities (e.g. entity_123456) upon successful LDAP login; these had the DN as an alias.

The doc at LDAP - Auth Methods | Vault by HashiCorp only discusses direct mapping from an LDAP entity to groups and policies; no mention of entity aliases.

The example shown in Identity | Vault by HashiCorp (vaultproject.io) is IMHO outdated – it shows a name of “bsmith”, while with 1.9+ it would have to be something like “cn=bsmith,ou=users,dc=example,dc=com”.

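The entity/alias/group wiring described above, as an added Terraform example that is not from this thread or from HashiCorp's docs; the mount path, LDAP URL, DN components, entity and policy names are placeholders, and the 1.8 value is kept as a comment beside the 1.9+ value so the difference is visible in review:

```hcl
# Added example (not the poster's config). LDAP auth mount, one entity, the
# alias that binds the LDAP login to that entity, and a group carrying policies.
# All names, DNs and policy names below are placeholders.

resource "vault_ldap_auth_backend" "ldap" {
  path     = "ldap"
  url      = "ldaps://ldap.example.com"
  userdn   = "ou=users,dc=example,dc=com"
  userattr = "cn"
  groupdn  = "ou=groups,dc=example,dc=com"
}

resource "vault_identity_entity" "bsmith" {
  name = "bsmith"
}

# Vault 1.8: the alias name could be the bare LDAP username ("bsmith").
# Vault 1.9+: the alias name must be the user's full DN. With the old value the
# login no longer matches this alias, Vault auto-creates an entity_xxxx with the
# DN as alias, and the token gets no identity_policies from the groups below.
resource "vault_identity_entity_alias" "bsmith_ldap" {
  name           = "cn=bsmith,ou=users,dc=example,dc=com" # 1.8 value was "bsmith"
  mount_accessor = vault_ldap_auth_backend.ldap.accessor
  canonical_id   = vault_identity_entity.bsmith.id
}

resource "vault_identity_group" "vault_mgrs" {
  name              = "vault-mgrs"
  type              = "internal"
  policies          = ["vault-mgrs_policy", "viewonly-admin-policy"]
  member_entity_ids = [vault_identity_entity.bsmith.id]
}

# Post-upgrade check (run manually, not part of the Terraform plan):
#   vault login -method=ldap username=bsmith
#   vault token lookup          # identity_policies must list the group policies
#   vault list identity/entity/name
#                               # any unexpected entity_xxxx entries mean a login
#                               # missed its alias and created a new entity
```

If the check shows stray entity_xxxx entities, delete them after the aliases have been corrected, otherwise the next LDAP login will keep attaching to the unmanaged entity rather than the Terraform-managed one.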