Vault doesnt connect to ldap

After installing Vault in my K8s cluster, i did initialize and unseal the vault

now my pod is running and everything seems to be ok and i have a root token so i can login with

i want to enable ldap and let my users connect with their signums

following this page to configure

i did write the ldap config

/vault $ vault read auth/ldap/config
Key Value

binddn CN=<>,OU=CA,OU=SvcAccount,OU=P001,OU=ID,OU=Data,DC=<>,DC=<>
case_sensitive_names false
certificate n/a
deny_null_bind true
discoverdn false
groupattr cn
groupdn OU=groups,dc=<>,dc=<>
groupfilter (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecure_tls false
starttls true
tls_max_version tls12
tls_min_version tls11
token_explicit_max_ttl 0s
token_max_ttl 0s
token_no_default_policy false
token_num_uses 0
token_period 0s
token_ttl 0s
token_type default
upndomain <>
url ldaps://<>:3269
use_pre111_group_cn_behavior false
use_token_groups false
userattr cn
userdn OU=CA,OU=SvcAccount,OU=P001,OU=ID,OU=Data,DC=<>,DC=<>

trying to login it cannot connect and getting this error

error connecting to host “ldaps://ldap-ip:3269”: LDAP Result Code 200 “Network Error”: read tcp CLUSTER_INTERNAL_IP:39378->LDAP_IP:3269: read: connection reset by peer

i dont have ldap-certificate and not sure if is mandatory to have

i used to connect to this ldap server using ssl

but apparently vault uses TLS to connect

any idea?

Vault will do what you tell it to do. In your configuration the URL is a ldaps://<>:3269 make it just ldap:// (no S after ldap) and Vault will use plain old ldap

tried with non secure and its giving different error

1 error occurred:
* error connecting to host “ldap://<>:3269”: unable to read LDAP response packet: read tcp CLUSTER_INTERNAL_IP:39378->LDAP_IP:3269 read: connection reset by peer

and if we want to keep ldaps the certificate is mandatory in this case?

Vault connects to LDAP just like any other LDAP enabled software. Whether you should use a secure connection or not does not depend on Vault, but your LDAP server.

What I usually do is connect with a LDAP client like Apache Directory Studio : Use the LDAP user account and password you will give to Vault, search for users and groups.

Once you find the parameters that work, copy them over to your Vault configuration.

yes i have tried Apache Directory Studio and got the parameters work
so i can connect successfully and search through my parameters

i think the issue is with the Vault pod

i am running Vault inside K8s and looks like from the pod i cannot connect to the ldap server with telnet although i can telnet from the node where the pod is deployed

ps: i dont have any kind of proxy that restrict the communication inside my cluster