Vault LDAP Login - Operation Failed -- Please help

vault write auth/ldap/config url="ldap://192.168.168.68:10389" userdn="ou=users,ou=system,dc=myorg,dc=com" binddn="uid=admin,ou=system,dc=myorg,dc=com" bindpass="secret" userattr="uid" insecure_tls=true starttls=false

[mftadmin@boraa01v amf]$ vault login -method=ldap username=madhu
Password (will be hidden):
Error authenticating: Error making API request.

URL: PUT http://hostname:8200/v1/auth/ldap/login/user1
Code: 400. Errors:

  • ldap operation failed

Hi! What are you using for LDAP? Is it Active Directory (AD)? If so, I have been testing with AD today and may be able to help. It might be worthwhile to test and make sure the userdn and binddn are getting the hits you want. For the binddn, you’re expecting it to only have one hit. For the userdn, many including the user named “madhu”. You can check if that’s happening by doing ldap searches like this:

ldapsearch -H ldap://192.168.168.68:10389 -x -W -D "someone@example.com" -b "ou=users,ou=system,dc=myorg,dc=com"
ldapsearch -H ldap://192.168.168.68:10389 -x -W -D "someone@example.com" -b "uid=admin,ou=system,dc=myorg,dc=com"

You’d replace someone@example.com with the service account you’re trying to target with your binddn. I’m particularly suspicious of the binddn because I’m unsure of whether it targets only one user, and I believe it needs to be one.

Also at trace level, you get better LDAP diagnostics (what Vault is looking for, etc.)

Did you find a solution to this?
I find that users who have special characters in their passwords encounter the same error: ldap operation failed

Users without special characters are able to login without a problem. All users are able to login with curl and the gui.

curl -d '{"password":"correct-horse-battery-staple"}' https://vaut1.example.com:8200/v1/auth/ldap/login/foobar


Sounds like a Linux quoting issue…

How special are those characters? I would question how these passwords were set in the first place. Maybe the special characters were lost while setting the password…

This (autogenerated) password works just fine:

Y3C!mvM#kU&wGcAwJcxT%(

With this command on my machine (hostname edited):

curl -d '{"password":"Y3C!mvM#kU&wGcAwJcxT%("}' https://vaut1.example.com:8200/v1/auth/ldap/login/foobar

Creates this request (intercepted with Burp proxy, pretty printed)

[image: intercepted Burp request]

+Bonus points for the XKCD quote :wink:
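The "Linux quoting issue" raised above has two layers: the shell, which ends a single-quoted argument at the first `'` in the password, and JSON, which breaks on an unescaped `"` or `\` spliced into `'{"password":"..."}'` by hand. The following script is an added example, not code from the thread or from Vault; it builds the same PUT to `/v1/auth/ldap/login/<username>` shown above, with the body produced by a JSON encoder and the curl argument quoted for the shell, and reports which passwords the hand-built body would have mangled. The Vault address, usernames and sample passwords are placeholders, and nothing is sent over the network.

```python
"""Added example (not from the thread): make sure a Vault LDAP password with
special characters survives both the shell and JSON on the way to
PUT /v1/auth/ldap/login/<username>.

Assumptions: the Vault address and usernames below are placeholders; nothing
is sent over the network, the functions only build the request.
"""
import json
import shlex
from urllib.parse import quote
from urllib.request import Request

VAULT_ADDR = "https://vault.example.com:8200"  # placeholder, not a real host


def naive_body(password: str) -> str:
    """What curl -d '{"password":"..."}' sends when the password is pasted
    into the JSON literal by hand: no escaping at all."""
    return '{"password":"' + password + '"}'


def safe_body(password: str) -> bytes:
    """Let the JSON encoder escape '"', '\\' and control characters."""
    return json.dumps({"password": password}).encode("utf-8")


def json_round_trips(body, password: str) -> bool:
    """True if a JSON parser (as on the Vault side) recovers the password
    unchanged from `body`; False if the body is malformed or altered."""
    try:
        return json.loads(body)["password"] == password
    except (ValueError, KeyError, TypeError):
        return False


def build_login_request(username: str, password: str,
                        addr: str = VAULT_ADDR) -> Request:
    """Build the login call as the thread shows it (PUT to the LDAP auth
    path), with the username percent-encoded so a '/' or '?' cannot change
    the path, and the body produced by the JSON encoder."""
    url = f"{addr}/v1/auth/ldap/login/{quote(username, safe='')}"
    return Request(url, data=safe_body(password), method="PUT",
                   headers={"Content-Type": "application/json"})


def build_curl_command(username: str, password: str,
                       addr: str = VAULT_ADDR) -> str:
    """Equivalent curl one-liner with the body quoted for a POSIX shell, so a
    single quote inside the password does not end the quoted argument."""
    req = build_login_request(username, password, addr)
    body = shlex.quote(req.data.decode("utf-8"))
    return f"curl -X PUT -d {body} {shlex.quote(req.full_url)}"


def check(password: str) -> dict:
    """Report whether the hand-built and the encoded bodies survive parsing."""
    return {
        "naive_ok": json_round_trips(naive_body(password), password),
        "safe_ok": json_round_trips(safe_body(password), password),
    }


if __name__ == "__main__":
    # Constructed sample passwords: the one from the thread and two that
    # the hand-built curl one-liner cannot carry as typed.
    for pw in ('Y3C!mvM#kU&wGcAwJcxT%(', 'pa"ss\\word', "it's$HOME"):
        print(repr(pw), check(pw))
        print(build_curl_command("foobar", pw))
```

The autogenerated password from the thread passes both checks, which matches the Burp capture: `!`, `#`, `&`, `%` and `(` need no escaping inside a single-quoted shell argument or inside a JSON string. A password containing `"` or `\` is only carried correctly by the encoded body, and one containing `'` is valid JSON but terminates the single-quoted curl argument early unless it is re-quoted as `shlex.quote` does.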