While troubleshooting an issue with SSH certificates I came to the realization that Vault allows LDAP group mappings to non-existent policies and will not complain (that I can see).
For example, if I have the following five policies:
```
❯ vault policy list
policy1
policy2
policy3
policy4
policy5
```
and the following five LDAP groups:
```
❯ vault list auth/ldap/groups
Keys
----
group1
group2
group3
group4
group5
```
with this mapping for group3:
```
❯ vault read auth/ldap/groups/group3
Key         Value
---         -----
policies    [policy5 policy6]
```
LDAP user toto which belongs to LDAP group3 will obtain a token with the following policies attached:
```
❯ vault token lookup
Key                 Value
---                 -----
accessor            xxxxxx
creation_time       1594039225
creation_ttl        12h
display_name        ldap-toto
entity_id           xxxxxx
expire_time         2020-07-06T20:40:25.038947746-04:00
explicit_max_ttl    0s
id                  xxxxxx
issue_time          2020-07-06T08:40:25.038963419-04:00
meta                map[username:toto]
num_uses            0
orphan              true
path                auth/ldap/login/toto
policies            [default policy5 policy6]
renewable           true
ttl                 5h41m50s
type                service
```
even though policy6 does not exist.
Is this by design?
(This is on Vault 1.4.1)
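Because Vault stores the group-to-policy mapping as plain names and only resolves them at login, a mapping that refers to a policy nobody has written is silent until someone notices it on a token. A periodic cross-check of the mappings against `vault policy list` catches both typos and policies that were deleted after the mapping was created. The script below is an added example, not code from the post or from HashiCorp: it drives the same three CLI commands shown above (`vault policy list`, `vault list auth/ldap/groups`, `vault read auth/ldap/groups/<group>`) with the real `VAULT_FORMAT=json` environment variable, and the exact JSON shapes it parses are assumptions about the CLI's output, so the parsers accept the two common forms. The `BUILTIN_POLICIES` set and the function names are mine.

```python
"""Report LDAP group mappings in Vault that name policies no policy defines.

Added example; not from the original post. Assumes the `vault` CLI is on PATH
with VAULT_ADDR/VAULT_TOKEN set when run live. The pure functions take the
CLI's JSON output as strings so they can be exercised with constructed data.
"""
import json
import os
import subprocess
from typing import Dict, List

# Policies Vault creates itself; tokens legitimately carry them even when an
# install's `vault policy list` output does not show them (assumption).
BUILTIN_POLICIES = {"default", "root"}


def keys_from_list_output(doc: str) -> List[str]:
    """Parse `vault policy list` / `vault list <path>` JSON output.

    Accepts either a bare JSON array of names or the {"data": {"keys": [...]}}
    envelope; both shapes are assumed, not confirmed by the post.
    """
    parsed = json.loads(doc)
    if isinstance(parsed, list):
        return [str(k) for k in parsed]
    return [str(k) for k in parsed.get("data", {}).get("keys", [])]


def policies_from_group_read(doc: str) -> List[str]:
    """Parse the policies of one LDAP group from `vault read` JSON output."""
    parsed = json.loads(doc)
    data = parsed.get("data", parsed)  # tolerate a bare data object
    pols = data.get("policies") or []
    if isinstance(pols, str):  # some versions return a comma-separated string
        pols = [p.strip() for p in pols.split(",") if p.strip()]
    return [str(p) for p in pols]


def find_dangling(policy_list_json: str,
                  group_reads_json: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {group: [mapped policy names that do not exist]} for each gap.

    Groups whose every mapped policy exists (or is built in) are omitted.
    """
    existing = set(keys_from_list_output(policy_list_json)) | BUILTIN_POLICIES
    dangling: Dict[str, List[str]] = {}
    for group, doc in sorted(group_reads_json.items()):
        missing = [p for p in policies_from_group_read(doc) if p not in existing]
        if missing:
            dangling[group] = missing
    return dangling


def _vault(*args: str) -> str:
    """Run one vault CLI command and return its JSON output as text."""
    env = {**os.environ, "VAULT_FORMAT": "json"}  # real env var; avoids flag ordering
    return subprocess.run(["vault", *args], check=True, capture_output=True,
                          text=True, env=env).stdout


def audit_live_vault(mount: str = "auth/ldap") -> Dict[str, List[str]]:
    """Fetch the policy list and every group mapping, then cross-check them."""
    policies = _vault("policy", "list")
    groups = keys_from_list_output(_vault("list", f"{mount}/groups"))
    reads = {g: _vault("read", f"{mount}/groups/{g}") for g in groups}
    return find_dangling(policies, reads)


if __name__ == "__main__":
    report = audit_live_vault()
    for group, missing in report.items():
        print(f"{group}: mapped to undefined policies {missing}")
    if not report:
        print("all LDAP group mappings point at existing policies")
```

Run it from the same shell session you would use for the commands in the post; on the data shown above it reports `group3: mapped to undefined policies ['policy6']`. Running it after every policy deletion or group-mapping change is the cheapest way to keep the two lists in step.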