Vault Version Upgrade - Policies not assigned anymore since 1.12.6

Hello everyone

We are currently using Vault 1.12.3 in multiple environments. For authentication, we use LDAP and Kerberos (Windows environments).

Yesterday, we wanted to update our Vault version to the newest one. After downloading the binary 1.13.2, replacing it and restarting the service, we don’t have access to our secrets anymore. To be a little more specific: We can still log in successfully, but have only the default policy assigned (according to audit log). LDAP and Kerberos are both affected.

Of course I checked the policies and linked groups, but everything seems fine.

Are there some known issues? I have tested the upgrade with multiple versions. Upgrading to Version 1.12.4 or 1.12.5 works fine. This confirms my assumption that it is not our configuration, but the version.

Many thanks for your help.

There is a known regression in 1.13.0, 1.13.1 and 1.13.2 re upgrading LDAP auth configurations from earlier versions.

Until a fix is released, it is necessary to reconfigure LDAP auth methods after upgrading, to specify a valid max_page_size (see "LDAP - Auth Methods - HTTP API | Vault | HashiCorp Developer").

Currently it’s ending up set at zero which breaks the LDAP protocol when querying groups.

Set to -1 to safely disable the new feature, or to a page size such as 1000 to make paged queries to LDAP servers which might otherwise refuse to answer if a user was in more groups than a configured system limit.
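
A read-only audit of the condition described in the answer above, as an added example that is not part of the original thread or of Vault's own tooling: it walks the auth mounts and flags every LDAP-backed one whose max_page_size is 0. The mount names and sample JSON are constructed, and the config/ldap path for the Kerberos method is an assumption.

```python
import json
import subprocess

# Config endpoint under each auth type's mount. The kerberos entry is an assumption.
LDAP_CONFIG_PATH = {"ldap": "config", "kerberos": "config/ldap"}

def vault_json(subcommand, *args):
    """Run the vault CLI (needs VAULT_ADDR and a token); flags go before the path."""
    cmd = ["vault", *subcommand, "-format=json", *args]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)

def classify(size):
    if size is None:
        return "absent"            # field not returned by this server
    if size == 0:
        return "broken"            # the state described in this thread
    if size < 0:
        return "paging-disabled"   # e.g. -1
    return "paged"                 # e.g. 1000

def audit(mounts, read_config):
    """Return (config path, max_page_size, status) for every LDAP-backed auth mount."""
    findings = []
    for mount, info in sorted(mounts.items()):
        suffix = LDAP_CONFIG_PATH.get(info.get("type"))
        if suffix is None:
            continue  # not an LDAP-backed auth method
        path = f"auth/{mount.rstrip('/')}/{suffix}"
        size = read_config(path).get("data", {}).get("max_page_size")
        findings.append((path, size, classify(size)))
    return findings

# Constructed sample data in the shape of `vault auth list -format=json` and
# `vault read -format=json <path>`; the mount names are made up.
SAMPLE_MOUNTS = {"ldap/": {"type": "ldap"}, "corp-krb/": {"type": "kerberos"},
                 "ldap-dmz/": {"type": "ldap"}, "token/": {"type": "token"}}
SAMPLE_CONFIGS = {"auth/ldap/config": {"data": {"max_page_size": 0}},
                  "auth/corp-krb/config/ldap": {"data": {"max_page_size": -1}},
                  "auth/ldap-dmz/config": {"data": {"max_page_size": 1000}}}

if __name__ == "__main__":
    # Live use: audit(vault_json(["auth", "list"]), lambda p: vault_json(["read"], p))
    for path, size, status in audit(SAMPLE_MOUNTS, SAMPLE_CONFIGS.__getitem__):
        print(f"{path}: max_page_size={size} -> {status}")
```

Any path reported as broken is a mount to reconfigure with -1 or a positive page size, as the answer describes.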

Thank you for the quick answer!

I quickly tested your solution (setting max page size to -1) and can confirm that it's working again.

As you wrote that a fix is in the pipeline, we will wait with upgrading Vault due to the large number of environments we have.