Vault LDAP Login - Operation Failed -- Please help

vault write auth/ldap/config url=“ldap://192.168.168.68:10389” userdn=“ou=users,ou=system,dc=myorg,dc=com” binddn=“uid=admin,ou=system,dc=myorg,dc=com” bindpass=“secret” userattr=“uid” insecure_tls=true starttls=false

[mftadmin@boraa01v amf]$ vault login -method=ldap username=madhu
Password (will be hidden):
Error authenticating: Error making API request.

URL: PUT http://hostname:8200/v1/auth/ldap/login/user1
Code: 400. Errors:

  • ldap operation failed

Hi! What are you using for LDAP? Is it Active Directory (AD)? If so, I have been testing with AD today and may be able to help. It might be worthwhile to test and make sure the userdn and binddn are getting the hits you want. For the binddn, you’re expecting it to only have one hit. For the userdn, many including the user named “madhu”. You can check if that’s happening by doing ldap searches like this:

ldapsearch -H ldap://192.168.168.68:10389 -x -W -D "someone@example.com" -b "ou=users,ou=system,dc=myorg,dc=com"
ldapsearch -H ldap://192.168.168.68:10389 -x -W -D "someone@example.com" -b "uid=admin,ou=system,dc=myorg,dc=com"

You’d replace someone@example.com with the service account you’re trying to target with your binddn. I’m particularly suspicious of the binddn because I’m unsure of whether it targets only one user, and I believe it needs to be one.

Also at trace level, you get better LDAP diagnostics (what Vault is looking for, etc.)