Vault AD Secrets engine

Trying to follow the readme file for setting up the AD engine. Tried the following:

vault secrets enable ad
# Example userdn if your users are in the default "Users" folder:
# userdn="CN=Users,DC=example,DC=net"

export USERNAME=YOUR-VAULT-USERNAME-IN-AD@YOUR-AD-ROOT-DOMAIN
export PASSWORD=YOUR-VAULT-USER-IN-AD-PASSWORD

vault write ad/config     binddn=$USERNAME     bindpass=$PASSWORD     url=ldaps://YOUR-AD-ROOT-DOMAIN-HERE     userdn="SEE-EXAMPLE-ABOVE" certificate=@PATH-TO-CERTIFICATE

vault write ad/roles/ROLE-NAME  service_account_name="USER-NAME@YOUR-AD-ROOT-DOMAIN"

Completes fine to this point.

vault read ad/creds/ROLE-NAME
# On the first execution, previous password won't be shown.

On the last step, get the following error:

Error writing data to ad/library/PDQ: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/ad/library/PDQ
Code: 500. Errors:

* 1 error occurred:
        * LDAP Result Code 50 "Insufficient Access Rights": 00000005: SecErr: DSID-031A11ED, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

For the account being used, permissions were delegated in AD.

Edit 1:

These are the commands that were run:

export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN="token"

vault secrets enable ad

vault write ad/config binddn=*cnOfServiceAccount* bindpass=*PASSWORD* url=ldaps://IPofDC userdn="CN of OU where service account is located"

vault write ad/roles/my-application  service_account_name="accountUsedtoBind"

Completes fine to this point.

vault write ad/library/PDQ service_account_names=accountsToCheckOut ttl=2h max_ttl=3h

After this step, produces the error:

Error writing data to ad/library/PDQ: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/ad/library/PDQ
Code: 500. Errors:

* 1 error occurred:
        * LDAP Result Code 50 "Insufficient Access Rights": 00000005: SecErr: DSID-031A11ED, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


No-one should be setting up new configurations of the AD secrets engine now, because it is deprecated and planned to be removed. It is replaced by the LDAP secrets engine which provides broadly similar functionality, for the most part.

When asking for help, it is important to accurately describe what you are doing. However, the URL paths don't match between the commands you said you ran and the error message you have shown.

Lastly… the error message is clearly AD denying the operation. Therefore it seems the permissions haven’t been set up as expected in AD. There’s nothing you can change on the Vault side to fix that.


Hey there @maxb - thanks for the response! Added edit to show the commands we were trying.

Yes, AD secrets is deprecated but will be in maintenance mode for the next couple of major releases; the idea was to get it working and then migrate to the LDAP secrets engine.

On the AD side, the following permissions were delegated to the account that connects Vault and AD: "Change Password", "Reset Password", "Read userAccountControl" and "Write userAccountControl". Are there other permissions that should be delegated?
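Since the LDAP result code in the error comes from the domain controller, the useful check is to list what AD has actually granted the bind account on the OU that Vault's userdn points at, and whether those ACEs are inherited down to the user objects Vault will try to modify. The script below is an added example, not from this thread or from HashiCorp; it assumes the RSAT ActiveDirectory module (which provides the AD: drive) and a session with read access to the OU's security descriptor. The account name and OU are placeholders. It reports what is delegated and does not assert which rights the engine requires.

```powershell
# Added example (not from the thread): audit the ACEs a Vault bind account holds
# on the OU named in Vault's userdn, decoding the extended rights and attribute
# the thread says were delegated.
Import-Module ActiveDirectory   # provides the AD: PSDrive used by Get-Acl

$BindAccount = 'EXAMPLE\vault-svc'                    # placeholder: account Vault binds as
$TargetOu    = 'OU=ServiceAccounts,DC=example,DC=net' # placeholder: Vault's userdn

# Well-known schema / extended-right GUIDs for the rights named in the thread.
# Any other GUID is printed raw so nothing delegated is hidden.
$KnownRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password (extended right)'
    'bf967a68-0de6-11d0-a285-00aa003049e2' = 'userAccountControl (attribute)'
    '00000000-0000-0000-0000-000000000000' = '(all properties / all rights)'
}

$acl = Get-Acl -Path ("AD:\" + $TargetOu)

$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $BindAccount } |
    ForEach-Object {
        $guid = $_.ObjectType.ToString()
        $name = $KnownRights[$guid]
        if (-not $name) { $name = $guid }
        [pscustomobject]@{
            Right       = $name
            AccessType  = $_.AccessControlType      # Allow or Deny; a Deny wins
            ADRights    = $_.ActiveDirectoryRights  # ExtendedRight / ReadProperty / WriteProperty ...
            Inheritance = $_.InheritanceType        # None means it does not reach child user objects
            AppliesTo   = $_.InheritedObjectType.ToString()
        }
    } | Format-Table -AutoSize

# Empty output means no ACE names the bind account directly on this OU: the rights are
# either missing, granted only through a group, or set on a different container.
```

Run it as a domain user who can read the OU's ACL. If the table is empty, or every row shows `InheritanceType = None` while the service accounts sit below the OU, the delegation the error complains about is not reaching the objects Vault modifies; rights granted via group membership will not appear here under the account's own name, so check the groups too.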

This really does not make sense. You should go directly to the LDAP secrets engine. The initial setup effort should be comparable, and there is no smooth migration path from one to the other.

I’m not able to answer this part, I’ve only interacted with AD administered by a separate team.

@maxb - took your initial advice about going with the LDAP secrets engine and have it somewhat setup - working through cert issues now. Appreciate the help!