Vault LDAP Login - Operation Failed -- Please help

vault write auth/ldap/config url=“ldap://” userdn=“ou=users,ou=system,dc=myorg,dc=com” binddn=“uid=admin,ou=system,dc=myorg,dc=com” bindpass=“secret” userattr=“uid” insecure_tls=true starttls=false

[mftadmin@boraa01v amf]$ vault login -method=ldap username=madhu
Password (will be hidden):
Error authenticating: Error making API request.

URL: PUT http://hostname:8200/v1/auth/ldap/login/user1
Code: 400. Errors:

  • ldap operation failed

Hi! What are you using for LDAP? Is it Active Directory (AD)? If so, I have been testing with AD today and may be able to help. It might be worthwhile to test and make sure the userdn and binddn are getting the hits you want. For the binddn, you’re expecting it to only have one hit. For the userdn, many including the user named “madhu”. You can check if that’s happening by doing ldap searches like this:

ldapsearch -H ldap:// -x -W -D "" -b "ou=users,ou=system,dc=myorg,dc=com"
ldapsearch -H ldap:// -x -W -D "" -b "uid=admin,ou=system,dc=myorg,dc=com"

You’d replace with the service account you’re trying to target with your binddn. I’m particularly suspicious of the binddn because I’m unsure of whether it targets only one user, and I believe it needs to be one.

Also at trace level, you get better LDAP diagnostics (what Vault is looking for, etc.)

Did you find a solution to this?
I find that users who have special characters in their passwords encounter the same error. ldap operation failed

Users without special characters are able to login without a problem. All users are able to login with curl and the gui.

curl -d '{"password":"correct-horse-battery-staple"}'

1 Like

Sounds like a Linux quoting issue…

How special are those characters? I would question how these passwords were set in the first place. Maybe the special characters we lost while setting the password…

This (autogenerated) password works just fine:


With this command on my machine (hostname edited):

curl -d '{"password":"Y3C!mvM#kU&wGcAwJcxT%("}'

Creates this request (intercepted with Burp proxy, pretty printed)


+Bonus points for the XKDC quote :wink: