Hi all,
We’re currently trying to set up the Vault Kerberos authentication method. While we got pretty far already, there’s still something wrong or missing.
We mainly followed Kerberos - Auth Methods | Vault | HashiCorp Developer.
The LDAP configuration is as follows:
vault write auth/kerberos/config/ldap binddn="uid=vault-dev,cn=users,cn=accounts,dc=example,dc=com" bindpass=<vault_dev_passwd> groupattr=memberOf groupdn="cn=groups,cn=accounts,dc=example,dc=com" userdn="cn=users,cn=accounts,dc=example,dc=com" userattr="uid" url="ldap://example.com"
Success! Data written to: auth/kerberos/config/ldap
When logging in with
vault login -method=kerberos username=foo service="vault-dev" realm=EXAMPLE.COM keytab_path=foo.keytab krb5conf_path=/etc/krb5.conf
We’re getting
Error authenticating: Error making API request.
URL: PUT https://vault.example.com:8200/v1/auth/kerberos/login
Code: 500. Errors:
* unable to get user binddn: LDAP search for binddn 0 or not unique
We can see in the logs that the SPNEGO auth has worked:
Dec 07 11:02:37 vault.example.com vault[416613]: 2022-12-07T11:02:37.188+0100 [INFO] auth.kerberos.auth_kerberos_03ef0948: 192.168.130.15:8080 foo@EXAMPLE.COM - SPNEGO authentication succeeded
Is there any way we can further troubleshoot this? There’s probably something in our LDAP lookup that’s wrong, but I didn’t find it yet.
Any help is appreciated!
Kind regards,
Thomas
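Added example (not from the post and not Vault's own code): it rebuilds the user lookup that fails with "LDAP search for binddn 0 or not unique" from the config values in the post, once as an ldapsearch command to run against the real directory and once as an offline check over a constructed directory. Assumptions: the lookup uses the principal without its realm, and the default user filter template is `({{.UserAttr}}={{.Username}})`, as documented for the LDAP auth method's `userfilter`.

```python
"""Reproduce Vault's LDAP user lookup from the kerberos/config/ldap values."""
import shlex

# Assumed default, taken from the LDAP auth method's documented 'userfilter'.
DEFAULT_USERFILTER = "({{.UserAttr}}={{.Username}})"

# Values copied from the post's 'vault write auth/kerberos/config/ldap'.
VAULT_LDAP_CFG = {
    "url": "ldap://example.com",
    "binddn": "uid=vault-dev,cn=users,cn=accounts,dc=example,dc=com",
    "userdn": "cn=users,cn=accounts,dc=example,dc=com",
    "userattr": "uid",
    "groupattr": "memberOf",
}

def ldap_escape(value):
    """RFC 4515 escaping so a principal name cannot change the filter shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def render_user_filter(userattr, username, userfilter=DEFAULT_USERFILTER):
    return (userfilter.replace("{{.UserAttr}}", userattr)
                      .replace("{{.Username}}", ldap_escape(username)))

def bare_username(principal):
    return principal.split("@", 1)[0]   # assumption: realm is dropped before lookup

def ldapsearch_command(cfg, principal):
    """Same bind DN, base, subtree scope and filter as the Vault config."""
    parts = ["ldapsearch", "-H", cfg["url"], "-D", cfg["binddn"], "-W",
             "-b", cfg["userdn"], "-s", "sub",
             render_user_filter(cfg["userattr"], bare_username(principal)),
             "dn", cfg["groupattr"]]
    return " ".join(shlex.quote(p) for p in parts)

def resolve_user_binddn(cfg, principal, directory):
    """Offline copy of the rule behind the error: exactly one entry under
    userdn may carry userattr=username. directory maps DN -> {attr: [values]}."""
    username, base, attr = bare_username(principal).lower(), cfg["userdn"].lower(), cfg["userattr"].lower()
    matches = [dn for dn, attrs in directory.items()
               if dn.lower().endswith(base)
               and username in [v.lower() for v in attrs.get(attr, [])]]
    if len(matches) != 1:
        raise LookupError("LDAP search for binddn 0 or not unique: %d entries match %s under %s"
                          % (len(matches), render_user_filter(attr, username), cfg["userdn"]))
    return matches[0]

# Constructed sample directory: 'bar' sits under userdn, 'foo' lives in another subtree.
SAMPLE_DIRECTORY = {
    "uid=vault-dev,cn=users,cn=accounts,dc=example,dc=com": {"uid": ["vault-dev"]},
    "uid=bar,cn=users,cn=accounts,dc=example,dc=com": {"uid": ["bar"]},
    "uid=foo,cn=users,cn=compat,dc=example,dc=com": {"uid": ["foo"]},
}
```

Running the printed ldapsearch command with the bind password shows whether the directory returns exactly one entry for the configured base and filter; anything other than one entry is what Vault reports as "0 or not unique".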