Vault Upgrade Issues (1.20.4)

Hi Team,

Post upgrade of HashiCorp Vault from 1.18.1 to 1.20.4 in Test and Production, we observed critical issues:

• LDAP authentication failure (DevLAN users unable to log in)
• TLS handshake failure with internal LDAPS server
• Production unseal failure with 3rd key

Rollback to 1.18.1 restored normal functionality.

TROUBLESHOOTING TIMELINE

1. Verified that the DevLAN LDAP auth method is mounted at the expected path (auth/DevLAN/).
2. Applied LDAP configuration including server URL, bind DN, bind password, user DN, group DN, user attribute, and group filter.
3. Confirmed that the configuration writes successfully and can be read back without errors.
4. Created a Vault identity group (portal-dev-xl-deploy) and assigned the required policy (admin-policy).
5. Created a group-alias linking the LDAP group to the Vault identity group using the correct mount accessor.
6. Verified that the alias and identity group are present and correctly configured.
7. Confirmed that the bind password is correct and the LDAP server is reachable.

We have lost all DevLAN accounts inside the vault.

We have the below configuration:
# curl --header "X-Vault-Token: xxxxxxxxxxxxxxxxxxxxx" https://dot-test.de.pri.o2.com/v1/auth/DevLAN/config | jq

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   927  100   927    0     0   6783      0 --:--:-- --:--:-- --:--:--  6816

{
  "request_id": "",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "anonymous_group_search": false,
    "binddn": "cn=nymous ano,ou=people,dc=o2sg,dc=de",
    "case_sensitive_names": false,
    "certificate": "",
    "deny_null_bind": true,
    "discoverdn": false,
    "groupattr": "member",
    "groupdn": "cn=portal-dev-xl-deploy,ou=groups,ou=alm,dc=o2sg,dc=de",
    "groupfilter": "(objectclass=gosaGroupOfNames)",
    "insecure_tls": true,
    "starttls": false,
    "tls_max_version": "tls12",
    "tls_min_version": "tls12",
    "token_bound_cidrs": [],
    "token_explicit_max_ttl": 0,
    "token_max_ttl": 0,
    "token_no_default_policy": false,
    "token_num_uses": 0,
    "token_period": 0,
    "token_policies": [],
    "token_ttl": 0,
    "token_type": "default",
    "upndomain": "",
    "url": "ldaps://mucsgldap03.sg.de.pri.o2.com:636",
    "use_pre111_group_cn_behavior": false,
    "use_token_groups": false,
    "userattr": "prefixuid",
    "userdn": "ou=people,dc=o2sg,dc=de"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

We require your support to solve the issue.

Thank you!

Please find the screenshots.
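
Added example, not part of the original post and not HashiCorp code: a small offline check of the TLS-related fields in an auth/<mount>/config read, run here over a constructed sample that copies those fields from the dump above. The function name `audit_ldap_tls` and the finding texts are this example's own; it reports what each setting permits, not the cause of the reported handshake failure.

```python
import json
from urllib.parse import urlparse

# Constructed sample: only the TLS-related fields from the config dump in the post.
SAMPLE = json.loads("""
{"data": {"url": "ldaps://mucsgldap03.sg.de.pri.o2.com:636",
          "insecure_tls": true, "starttls": false, "certificate": "",
          "tls_min_version": "tls12", "tls_max_version": "tls12",
          "deny_null_bind": true}}
""")

TLS_ORDER = ["tls10", "tls11", "tls12", "tls13"]

def audit_ldap_tls(response):
    """Return (field, finding) pairs for the TLS settings of an LDAP auth config read."""
    cfg = response["data"]
    findings = []
    # "url" may hold several comma-separated servers; all must be ldaps:// to count.
    schemes = {urlparse(u.strip()).scheme for u in cfg["url"].split(",")}
    encrypted = schemes == {"ldaps"} or cfg.get("starttls", False)
    if not encrypted:
        findings.append(("url", "ldap:// without starttls: bind password sent in clear"))
    if cfg.get("insecure_tls"):
        findings.append(("insecure_tls", "LDAP server certificate is not verified"))
    elif encrypted and not cfg.get("certificate"):
        findings.append(("certificate", "no CA set: verification uses the host trust store"))
    # Fallback of "tls12" for absent fields is an assumption of this example.
    lo = cfg.get("tls_min_version", "tls12")
    hi = cfg.get("tls_max_version", "tls12")
    if lo not in TLS_ORDER or hi not in TLS_ORDER:
        findings.append(("tls_min_version", f"unknown version value {lo!r}/{hi!r}"))
    else:
        if TLS_ORDER.index(lo) > TLS_ORDER.index(hi):
            findings.append(("tls_min_version", "min above max: nothing can be negotiated"))
        if TLS_ORDER.index(lo) < TLS_ORDER.index("tls12"):
            findings.append(("tls_min_version", f"{lo} allows deprecated protocol versions"))
        if encrypted and hi != "tls13":
            findings.append(("tls_max_version",
                             f"capped at {hi}: a TLS 1.3-only server fails the handshake"))
    if not cfg.get("deny_null_bind", True):
        findings.append(("deny_null_bind", "empty password may yield an unauthenticated bind"))
    return findings

if __name__ == "__main__":
    for field, finding in audit_ldap_tls(SAMPLE):
        print(f"{field}: {finding}")
```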