Vault kerberos authentication LDAP binddn lookup fails

Hi all,

We’re currently trying to setup the Vault Kerberos authentication method. While we got pretty far already, there’s still something wrong or missing.

We mainly followed Kerberos - Auth Methods | Vault | HashiCorp Developer.

The LDAP configuration is as follows:

vault write auth/kerberos/config/ldap binddn="uid=vault-dev,cn=users,cn=accounts,dc=example,dc=com" bindpass=<vault_dev_passwd> groupattr=memberOf groupdn="cn=groups,cn=accounts,dc=example,dc=com" userdn="cn=users,cn=accounts,dc=example,dc=com" userattr="uid" url="ldap://"
Success! Data written to: auth/kerberos/config/ldap

When logging in with

vault login -method=kerberos username=foo service="vault-dev" realm=EXAMPLE.COM keytab_path=foo.keytab krb5conf_path=/etc/krb5.conf

We’re getting

Error authenticating: Error making API request.

Code: 500. Errors:

* unable to get user binddn: LDAP search for binddn 0 or not unique

We can see in the logs that the SPNEGO auth has worked:

Dec 07 11:02:37 vault[416613]: 2022-12-07T11:02:37.188+0100 [INFO]  auth.kerberos.auth_kerberos_03ef0948: foo@EXAMPLE.COM - SPNEGO authentication succeeded

Is there any way we can further troubleshoot this? There’s probably something in our LDAP lookup that’s wrong, but I didn’t find it yet.

Any help is appreciated!

Kind regards,

For future readers with a similar problem: we were missing the upndomain="" option for the LDAP configuration.