Vault doesnt connect to ldap

ealiass · May 14, 2020, 3:55pm

After installing Vault in my K8s cluster, i did initialize and unseal the vault

now my pod is running and everything seems to be ok and i have a root token so i can login with

i want to enable ldap and let my users connect with their signums

following this page https://www.vaultproject.io/docs/auth/ldap to configure

i did write the ldap config

/vault $ vault read auth/ldap/config
Key Value

binddn CN=<>,OU=CA,OU=SvcAccount,OU=P001,OU=ID,OU=Data,DC=<>,DC=<>
case_sensitive_names false
certificate n/a
deny_null_bind true
discoverdn false
groupattr cn
groupdn OU=groups,dc=<>,dc=<>
groupfilter (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecure_tls false
starttls true
tls_max_version tls12
tls_min_version tls11
token_bound_cidrs
token_explicit_max_ttl 0s
token_max_ttl 0s
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies
token_ttl 0s
token_type default
upndomain <>
url ldaps://<>:3269
use_pre111_group_cn_behavior false
use_token_groups false
userattr cn
userdn OU=CA,OU=SvcAccount,OU=P001,OU=ID,OU=Data,DC=<>,DC=<>

trying to login it cannot connect and getting this error

error connecting to host “ldaps://ldap-ip:3269”: LDAP Result Code 200 “Network Error”: read tcp CLUSTER_INTERNAL_IP:39378->LDAP_IP:3269: read: connection reset by peer

i dont have ldap-certificate and not sure if is mandatory to have

i used to connect to this ldap server using ssl

but apparently vault uses TLS to connect

any idea?

ixe013 · May 15, 2020, 12:05pm

Vault will do what you tell it to do. In your configuration the URL is a ldaps://<>:3269 make it just ldap://fully-qualified.ldap.server.host.name:3269 (no S after ldap) and Vault will use plain old ldap

ealiass · May 15, 2020, 2:21pm

tried with non secure and its giving different error

1 error occurred:
* error connecting to host “ldap://<>:3269”: unable to read LDAP response packet: read tcp CLUSTER_INTERNAL_IP:39378->LDAP_IP:3269 read: connection reset by peer

and if we want to keep ldaps the certificate is mandatory in this case?

ixe013 · May 18, 2020, 1:22am

Vault connects to LDAP just like any other LDAP enabled software. Whether you should use a secure connection or not does not depend on Vault, but your LDAP server.

What I usually do is connect with a LDAP client like Apache Directory Studio : http://directory.apache.org/studio/downloads.html. Use the LDAP user account and password you will give to Vault, search for users and groups.

Once you find the parameters that work, copy them over to your Vault configuration.

ealiass · May 20, 2020, 7:58pm

yes i have tried Apache Directory Studio and got the parameters work
so i can connect successfully and search through my parameters

i think the issue is with the Vault pod

i am running Vault inside K8s and looks like from the pod i cannot connect to the ldap server with telnet although i can telnet from the node where the pod is deployed

ps: i dont have any kind of proxy that restrict the communication inside my cluster