I have finally found the root cause:
- with Vault 1.8, you can use the LDAP username as an entity-alias (which is what I did);
- starting with Vault 1.9, you have to use the full DN of the LDAP user to associate an LDAP login with an entity as an alias.
I discovered this through auto-created “unnamed” entities (e.g. entity_123456) upon successful LDAP login; these had the DN as an alias.
The doc at LDAP - Auth Methods | Vault by HashiCorp only discusses direct mapping from an LDAP-entity to groups and policies; no mention of entity-aliases.
The example shown in Identity | Vault by HashiCorp (vaultproject.io) is IMHO outdated – it shows a name of “bsmith” while with 1.9+ it would have to be something like “cn=bsmith,ou=users,dc=example,dc=com”.
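As an added example (my own, not from the post above or from HashiCorp's docs), here is a small POSIX shell script that picks the alias name according to the rule the post describes (bare LDAP username before 1.9, full DN from 1.9 on), checks whether an auto-created entity already holds that alias, and then creates the entity and the alias with the `vault` CLI. The `vault` invocations (`auth list`, `identity/lookup/entity`, `identity/entity`, `identity/entity-alias`) are real CLI paths; the entity name `bsmith-entity`, the assumption that the LDAP auth method is mounted at `ldap/`, and the use of `jq` for JSON parsing are assumptions. The live part only runs when a `vault` binary is on the path and `VAULT_ADDR`/`VAULT_TOKEN` are set.

```shell
#!/bin/sh
# Added example, not from the original post. Links an LDAP login to a
# named Vault identity entity via an entity alias, using the alias-name
# rule the post describes: username for Vault 1.8, full DN for 1.9+.

# alias_name VERSION USERNAME DN
# Prints the alias name to use for the given Vault server version.
alias_name() {
  ver="$1"; user="$2"; dn="$3"
  major="${ver%%.*}"
  rest="${ver#*.}"
  minor="${rest%%.*}"
  if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 9 ]; }; then
    echo "$dn"      # 1.9+: alias must be the user's full DN
  else
    echo "$user"    # 1.8: the bare LDAP username worked as alias
  fi
}

# existing_entity_for_alias ACCESSOR ALIAS
# Prints the id of an entity that already owns ALIAS on this mount, or
# nothing. This catches the auto-created "entity_123456"-style entities
# the post mentions: Vault will not let two entities share an alias, so
# reuse (or merge) that entity instead of creating a duplicate.
existing_entity_for_alias() {
  vault read -format=json identity/lookup/entity \
    alias_mount_accessor="$1" alias_name="$2" 2>/dev/null \
    | jq -r '.data.id // empty'
}

# link_ldap_user ENTITY_NAME USERNAME DN
# Creates the entity (if needed) and attaches the LDAP alias to it.
# Assumes the LDAP auth method is mounted at "ldap/" (assumption).
link_ldap_user() {
  entity="$1"; user="$2"; dn="$3"

  # Server version, e.g. "1.9.3", from the health endpoint
  version=$(vault read -format=json sys/health | jq -r '.data.version')
  name=$(alias_name "$version" "$user" "$dn")

  # Mount accessor of the LDAP auth backend
  accessor=$(vault auth list -format=json | jq -r '."ldap/".accessor')

  owner=$(existing_entity_for_alias "$accessor" "$name")
  if [ -n "$owner" ]; then
    echo "alias '$name' already belongs to entity $owner; reuse or merge it" >&2
    return 1
  fi

  entity_id=$(vault write -format=json identity/entity name="$entity" \
    | jq -r '.data.id')
  vault write identity/entity-alias \
    name="$name" canonical_id="$entity_id" mount_accessor="$accessor"

  # Verify: the lookup by alias must now resolve to the entity we created
  resolved=$(existing_entity_for_alias "$accessor" "$name")
  [ "$resolved" = "$entity_id" ] || { echo "verification failed" >&2; return 1; }
  echo "entity $entity_id linked to LDAP alias '$name'"
}

# Only talk to a real server when the CLI and address/token are present.
if command -v vault >/dev/null 2>&1 && [ -n "$VAULT_ADDR" ] && [ -n "$VAULT_TOKEN" ]; then
  link_ldap_user bsmith-entity bsmith "cn=bsmith,ou=users,dc=example,dc=com"
fi
```

After a successful LDAP login you can confirm the mapping took effect with `vault token lookup`, whose `entity_id` should equal the id printed by the script; if it shows a fresh `entity_...` instead, the alias name did not match what the LDAP backend reports for that user.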