Hello, I have Vault version 1.10.0 deployed with the backend storage in Consul. I have successfully deployed and initialized the cluster with 2 nodes. Now, I am trying to set up LDAP integration with our on-prem Active Directory. I have successfully set up the LDAP integration with our on-prem Jira and Zulip using the same parameters, but Vault is not able to work with those parameters. The ldapsearch utility also returns the correct user using these parameters.
This is the LDAP config fed to Vault:
Key                             Value
---                             -----
anonymous_group_search          false
binddn                          CN=MSI Vault,OU=Service Accounts,OU=Special Users,DC=domain,DC=local
case_sensitive_names            false
certificate                     n/a
deny_null_bind                  true
discoverdn                      false
groupattr                       cn
groupdn                         OU=Groups,OU=Special Users,DC=domain,DC=local
groupfilter                     n/a
insecure_tls                    false
request_timeout                 90
starttls                        false
tls_max_version                 tls12
tls_min_version                 tls12
token_bound_cidrs               []
token_explicit_max_ttl          0s
token_max_ttl                   0s
token_no_default_policy         false
token_num_uses                  0
token_period                    0s
token_policies                  []
token_ttl                       0s
token_type                      default
upndomain                       domain.local
url                             ldap://10.211.1.49
use_pre111_group_cn_behavior    false
use_token_groups                false
userattr                        samaccountname
userdn                          OU=Users,OU=Special Users,DC=domain,DC=local
userfilter                      (&(objectCategory=Person)({{.UserAttr}}={{.Username}})(memberOf=cn=Group_Vault,ou=Groups,ou=Special Users,dc=domain,dc=local))
username_as_alias               false
This is the error that I get (DEBUG log of the login attempt):
May 18 20:47:03 msi-vault-s1 vault[144616]: 2022-05-18T20:47:03.891Z [DEBUG] auth.ldap.auth_ldap_2bcade38: compiling search filter: search_filter="(&(objectCategory=Person)({{.UserAttr}}={{.Username}})(memberOf=cn=Group_Vault,ou=Groups,ou=Special Users,dc=domain,dc=local))"
May 18 20:47:03 msi-vault-s1 vault[144616]: 2022-05-18T20:47:03.891Z [DEBUG] auth.ldap.auth_ldap_2bcade38: discovering user: userdn="OU=Users,OU=Special Users,DC=domain,DC=local" filter="(&(objectCategory=Person)(userPrincipalName=jeet@domain.local)(memberOf=cn=Group_Vault,ou=Groups,ou=Special Users,dc=domain,dc=local))"
May 18 20:47:03 msi-vault-s1 vault[144616]: 2022-05-18T20:47:03.892Z [DEBUG] auth.ldap.auth_ldap_2bcade38: user binddn fetched: username=jeet binddn="CN=Jeet,OU=Users,OU=Special Users,DC=domain,DC=local"
May 18 20:47:03 msi-vault-s1 vault[144616]: 2022-05-18T20:47:03.893Z [DEBUG] auth.ldap.auth_ldap_2bcade38: ldap bind failed: error="LDAP Result Code 49 \"Invalid Credentials\": 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52f, v4563\x00"
Below is the representation of our directory:
domain.local
| - Special Users (OU)
|   | - Users (OU - where all users are located)
|   |   | - Jeet (User)
|   | - Groups (OU)
|   |   | - Group_Vault (group of users who should have access to Vault - Jeet is a member)
Online forums have said the password is wrong, but I have rechecked the password and it works for other services. I have tried enabling and disabling the UPN option as well.
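The DEBUG lines in the post above carry two details that are easy to miss: the filter Vault compiled uses `userPrincipalName=jeet@domain.local` even though `userattr` is `samaccountname` (that is what setting `upndomain` does), and the failed bind is LDAP result 49 with the Active Directory subcode `data 52f`, which Microsoft documents as "account restrictions" rather than the `52e` subcode that means a wrong password. The following script is an added example, not code from the original post or from Vault: it emulates the filter templating as an approximation modelled on the log output, escapes the username per RFC 4515 so an attacker-chosen username cannot rewrite the filter, and decodes the AD subcode from a `ldap bind failed` line. The sample log lines are copied from the post; the `render_user_filter`, `parse_ad_bind_error` and `extract_bind_dn` function names are ours.

```python
"""Decode a Vault LDAP auth login attempt from its DEBUG log lines (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Microsoft-documented "data NNN" subcodes that AD appends to LDAP result 49
# (invalidCredentials) on a failed simple bind.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "52f": "account restrictions (logon hours/workstation restriction, "
           "smart card required, blank-password policy, ...)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Constructed from the post above: the configured userfilter and two DEBUG lines.
USERFILTER = ("(&(objectCategory=Person)({{.UserAttr}}={{.Username}})"
              "(memberOf=cn=Group_Vault,ou=Groups,ou=Special Users,dc=domain,dc=local))")
BINDDN_LINE = ('auth.ldap.auth_ldap_2bcade38: user binddn fetched: username=jeet '
               'binddn="CN=Jeet,OU=Users,OU=Special Users,DC=domain,DC=local"')
BIND_FAIL_LINE = (r'auth.ldap.auth_ldap_2bcade38: ldap bind failed: error="LDAP Result Code 49 '
                  r'\"Invalid Credentials\": 80090308: LdapErr: DSID-0C090439, comment: '
                  r'AcceptSecurityContext error, data 52f, v4563\x00"')


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into an LDAP filter: '*', '(', ')',
    '\\' and NUL become \\XX hex escapes so '*)(cn=*' cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def render_user_filter(userfilter: str, userattr: str, username: str,
                       upndomain: str = "") -> str:
    """Approximation (assumption, modelled on the DEBUG output) of how Vault fills
    the userfilter template: with upndomain set, {{.UserAttr}} becomes
    userPrincipalName and {{.Username}} becomes user@upndomain, regardless of
    the configured userattr; otherwise userattr and the bare username are used."""
    if upndomain:
        attr, name = "userPrincipalName", f"{username}@{upndomain}"
    else:
        attr, name = userattr, username
    return (userfilter.replace("{{.UserAttr}}", attr)
                      .replace("{{.Username}}", escape_filter_value(name)))


@dataclass
class BindFailure:
    result_code: int
    subcode: Optional[str]
    meaning: str


def parse_ad_bind_error(line: str) -> Optional[BindFailure]:
    """Pull the LDAP result code and the AD 'data NNN' subcode out of a
    'ldap bind failed' log line and map the subcode to its documented meaning."""
    m = re.search(r"LDAP Result Code (\d+)", line)
    if not m:
        return None
    code = int(m.group(1))
    d = re.search(r"\bdata ([0-9a-f]{3})\b", line)
    sub = d.group(1) if d else None
    if code != 49:
        meaning = f"LDAP result {code}, not a credential failure"
    elif sub in AD_BIND_SUBCODES:
        meaning = AD_BIND_SUBCODES[sub]
    else:
        meaning = "invalid credentials (no AD subcode present)"
    return BindFailure(code, sub, meaning)


def extract_bind_dn(line: str) -> Optional[str]:
    """The DN Vault actually tried to bind as, from a 'user binddn fetched' line."""
    m = re.search(r'binddn="([^"]+)"', line)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("filter:", render_user_filter(USERFILTER, "samaccountname", "jeet", "domain.local"))
    print("bound as:", extract_bind_dn(BINDDN_LINE))
    failure = parse_ad_bind_error(BIND_FAIL_LINE)
    print(f"result {failure.result_code} data {failure.subcode}: {failure.meaning}")
```

Running it against the post's own lines shows the search succeeded (the user's DN was found under `userdn`) and that the user bind, not the service-account bind, failed with subcode `52f`; a `52e` would have pointed at the password. The subcode table is the standard Microsoft list and is what an engineer should check before touching credentials.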