Vault triggering spurious MFA push - Web Browser rebinding LDAP?

flounder · April 1, 2022, 3:21pm

We are using LDAP for authentication. Our LDAP is set up with an MFA proxy w/ push. We notice we get a lot of denied pushes marked as fraudulent by users that are originating from Vault. The behavior is as follows: user logs into Vault in their web browser; 10-15 minutes later they click another link on the site; the site loads without prompting them to login again, but they get a push on their phone. Even if they deny the push their browser session with Vault is not interrupted until it fully times out hours later.

So, it seems the browser is rebinding to LDAP. Is there a way we can change our Vault config so this doesn’t happen?

maxb · April 1, 2022, 7:00pm

I had no idea Vault did this until your question inspired me to have a look at the source code… but it seems that the Vault LDAP auth method internally remembers the user’s password, and repeats the LDAP bind operation to check the account is still valid, and whether the user has gained or lost group memberships, each time the Vault token is renewed.

And, the Vault web UI periodically renews the token it is using.

Unfortunately I’m not aware of any way to turn this behaviour off.

Topic		Replies	Views
Authentication failed: ldap operation failed: failed to bind as user Vault	0	360	April 26, 2023
Facing ldap authentication issue Vault vault	1	1141	March 15, 2021
Upgrading Vault Wipes LDAP Settings? Vault vault	3	379	August 12, 2021
Vault web UI always says 403 permission denied on LDAP users Vault	2	1388	May 30, 2023
LDAP login not writing token to file Vault	1	288	November 2, 2022

Vault triggering spurious MFA push - Web Browser rebinding LDAP?

Related topics