Hi,
While troubleshooting an issue with SSH certificates I came to the realization that Vault allows LDAP group mappings to non-existent policies and will not complain (that I can see).
For example, if I have the following five policies:
❯ vault policy list
policy1
policy2
policy3
policy4
policy5
and the following five LDAP groups:
❯ vault list auth/ldap/groups
Keys
----
group1
group2
group3
group4
group5
with this mapping for group3:
❯ vault read auth/ldap/groups/group3
Key Value
--- -----
policies [policy5 policy6]
LDAP user toto, which belongs to LDAP group3, will obtain a token with the following policies attached:
❯ vault token lookup
Key Value
--- -----
accessor xxxxxx
creation_time 1594039225
creation_ttl 12h
display_name ldap-toto
entity_id xxxxxx
expire_time 2020-07-06T20:40:25.038947746-04:00
explicit_max_ttl 0s
id xxxxxx
issue_time 2020-07-06T08:40:25.038963419-04:00
meta map[username:toto]
num_uses 0
orphan true
path auth/ldap/login/toto
policies [default policy5 policy6]
renewable true
ttl 5h41m50s
type service
even though policy6 does not exist.
Is this by design?
Thanks,
-Martin
(This is on Vault 1.4.1)
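A check for exactly this mismatch, as an added example that is not part of the post and is not Vault's own tooling. Vault builds a token's ACL only from the policies that actually exist, so a dangling name such as policy6 grants nothing; the failure mode is a silent gap between what an operator believes a group receives and what it does. The script below compares every LDAP group mapping against the policy list and reports the names that resolve to nothing. The `dangling_policies` function is pure and is exercised on constructed sample data; `collect_from_vault` shells out to the `vault` CLI with `-format=json` and assumes the CLI is on PATH, VAULT_ADDR and VAULT_TOKEN are set, the token may read `auth/ldap/groups` and list policies, and the LDAP auth method is mounted at `ldap` (all of these are assumptions, not facts from the post).

```python
"""Report Vault LDAP group mappings that reference non-existent policies.

Added example, not from the original post and not part of Vault.
Assumes: `vault` CLI on PATH, VAULT_ADDR/VAULT_TOKEN configured, a token
allowed to list policies and read auth/<mount>/groups, and -format=json
output (a standard Vault CLI flag).
"""
import json
import subprocess
import sys

# Policies every Vault has; they never count as missing.
BUILTIN_POLICIES = {"default", "root"}


def dangling_policies(policies, group_mappings):
    """Return {group: [missing policy, ...]} for groups that map to a policy
    absent from `policies`. Groups whose mappings all resolve are omitted.

    policies:       iterable of names, as from `vault policy list`
    group_mappings: {group: [policy, ...]}, as from `vault read auth/ldap/groups/<g>`
    """
    known = set(policies) | BUILTIN_POLICIES
    result = {}
    for group, mapped in sorted(group_mappings.items()):
        missing = sorted(p for p in mapped if p not in known)
        if missing:
            result[group] = missing
    return result


def vault_json(*cmd, path=None):
    """Run `vault <cmd...> -format=json [path]` and parse the JSON output."""
    argv = ["vault", *cmd, "-format=json"]
    if path is not None:
        argv.append(path)
    return json.loads(subprocess.check_output(argv, text=True))


def collect_from_vault(mount="ldap"):
    """Fetch the policy list and every LDAP group's mapped policies (live)."""
    policies = vault_json("policy", "list")
    groups = vault_json("list", path=f"auth/{mount}/groups")
    mappings = {}
    for group in groups:
        data = vault_json("read", path=f"auth/{mount}/groups/{group}")["data"]
        mappings[group] = list(data.get("policies") or [])
    return policies, mappings


# Constructed sample data mirroring the post: policy6 is mapped but never
# defined, and group5 carries a typo-style reference.
SAMPLE_POLICIES = ["default", "policy1", "policy2", "policy3", "policy4", "policy5", "root"]
SAMPLE_MAPPINGS = {
    "group1": ["policy1"],
    "group3": ["policy5", "policy6"],
    "group5": ["policy2", "poilcy3"],
}


def report(policies, mappings):
    """Print one line per group with a dangling mapping; return the findings."""
    findings = dangling_policies(policies, mappings)
    for group, missing in findings.items():
        print(f"{group}: maps to non-existent policies {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    # Run against the constructed sample when asked, otherwise against Vault.
    if "--sample" in sys.argv:
        found = report(SAMPLE_POLICIES, SAMPLE_MAPPINGS)
    else:
        found = report(*collect_from_vault())
    # Non-zero exit so the check can gate a CI or config-drift job.
    sys.exit(1 if found else 0)
```

Run it with `--sample` to see the constructed case, or without arguments against a live Vault; a non-zero exit means at least one group maps to a policy that does not exist. The same comparison works for any auth method whose group or role objects carry a `policies` list, by changing the mount and path passed to `collect_from_vault`.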