Vault web UI always says 403 permission denied on LDAP users


I've set up Vault with LDAP, and with the CLI it works:

On the client:

~$ vault login -method=ldap username=yaroslav.n
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  hvs.CAESIFYuIEi3cWqwwNoRBbDdy9CNZE714KkLKpMP4Trpb9_kGh4KHGh2cy4wS1hZd3RkR05aUTFvVGVlV1AzdWNPQ1g
token_accessor         X4i1zEaWyso9zwniCoXCyGAE
token_duration         8h
token_renewable        true
token_policies         ["vault-admins"]
identity_policies      ["vault-admins"]
policies               ["vault-admins"]
token_meta_username    yaroslav.n

~$ vault read  auth/ldap/config
Key                             Value
---                             -----
anonymous_group_search          false
binddn                          vault-bind@subdomain.domain.local
case_sensitive_names            false
certificate                     n/a
connection_timeout              0
deny_null_bind                  true
discoverdn                      true
groupattr                       memberOf
groupdn                         (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))
groupfilter                     (&(objectClass=group)(member={{.UserDN}}))
insecure_tls                    true
max_page_size                   0
request_timeout                 0
starttls                        false
tls_max_version                 tls12
tls_min_version                 tls12
token_bound_cidrs               []
token_explicit_max_ttl          0s
token_max_ttl                   8h
token_no_default_policy         true
token_num_uses                  2
token_period                    0s
token_policies                  []
token_ttl                       8h
token_type                      service
upndomain                       subdomain.domain.local
url                             ldap://
use_pre111_group_cn_behavior    false
use_token_groups                true
userattr                        samaccountname
userdn                          CN=Users,DC=subdomain,DC=domain,DC=local
userfilter                      n/a
username_as_alias               true

~$ vault kv list test

But in the web UI I see:

vault: 1.13.2

Why might this happen?
If I understand correctly, if there were some issue with the reverse proxy, then root token and userpass auth should also fail… but root token and userpass work fine in the web UI.

Please point me in the right direction to find the issue…

Aaaa, there was token_num_uses with an extremely low value of 2.

In the UI there are many more requests, so it should be big enough, or 0.

Yes, token_num_uses is not suitable when using the UI.

Also this setting is a problem:

The default policy is default for a reason, and includes several basic permissions relevant to using the UI.

Although the token_no_default_policy setting exists to provide the flexibility to leave it out if really needed, it’s very rarely the right thing to do - especially for human users who may want to use the UI.
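As an added illustration (not part of the thread), a small lint over the output of `vault read auth/ldap/config` that flags the two UI-breaking settings discussed above (a non-zero `token_num_uses` and `token_no_default_policy=true`) and returns the `vault write` arguments that would correct them. The sample table is constructed to mirror the poster's config.

```python
"""Lint `vault read auth/ldap/config` output for settings that break the web UI.
Added example; the sample below is constructed from the values in the thread."""

SAMPLE_CONFIG = """\
Key                             Value
---                             -----
token_max_ttl                   8h
token_no_default_policy         true
token_num_uses                  2
token_policies                  []
token_ttl                       8h
token_type                      service
upndomain                       subdomain.domain.local
"""


def parse_vault_table(text: str) -> dict:
    """Parse the two-column Key/Value table printed by the vault CLI."""
    config = {}
    for line in text.splitlines():
        parts = line.split(None, 1)  # value may be padded; split once on whitespace
        if len(parts) != 2 or parts[0] in ("Key", "---"):
            continue
        config[parts[0]] = parts[1].strip()
    return config


def ui_findings(config: dict) -> list:
    """Return human-readable findings for settings unsuitable for UI users."""
    findings = []
    uses = config.get("token_num_uses", "0")
    if uses.isdigit() and int(uses) > 0:
        # A few CLI calls fit inside a small use budget; the UI fires many
        # requests per page, so the token is spent and every call returns 403.
        findings.append(f"token_num_uses={uses}: use-limited tokens break the UI; set 0")
    if config.get("token_no_default_policy", "false").lower() == "true":
        # The default policy grants the basic paths the UI relies on.
        findings.append("token_no_default_policy=true: UI needs the default policy")
    return findings


def remediation_args(config: dict) -> list:
    """Arguments for `vault write auth/ldap/config ...` that fix the findings."""
    args = []
    if ui_findings({"token_num_uses": config.get("token_num_uses", "0")}):
        args.append("token_num_uses=0")
    if ui_findings({"token_no_default_policy": config.get("token_no_default_policy", "false")}):
        args.append("token_no_default_policy=false")
    return args


if __name__ == "__main__":
    cfg = parse_vault_table(SAMPLE_CONFIG)
    for finding in ui_findings(cfg):
        print("FINDING:", finding)
    print("vault write auth/ldap/config", " ".join(remediation_args(cfg)))
```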