Open godeater opened 1 year ago
Referencing this issue too : https://github.com/hashicorp/vault-plugin-secrets-ad/issues/84 as it seems relevant.
Just in case this helps someone else -- the "root" account must have OU level password rotation access in AD before it can rotate even its own password. This is not documented currently. I'll make a PR for the documentation to update.
Describe the bug
On a newly configured Vault system, I was attempting to use the "rotate-root" API endpoint after setting up a new Active Directory secrets engine. What happened was I got an error back from Vault (see below):
I eventually figured out that this was down to me using the optional "upndomain" parameter when I was configuring the secrets engine. If I reconfigured it without that, and passed a full distinguishedName as the binddn instead of the short form you can use with upndomain, then the rotate-root endpoint works.
To Reproduce
Steps to reproduce the behavior:
vault write ad/config binddn='svc-vault' bindpass=$PASSWORD url=ldaps://your.ad.server userdn='some_dn_in_your_domain' upndomain='short_name_for_ad_domain'
curl -H "X-Vault-Token: $VAULT_TOKEN" https://vault.example.com/v1/ad/rotate-root
Expected behavior
I expect to see no error returned, and the binddn password rotated successfully inside Vault.
Environment:
Vault server version (vault status): 1.12.2
Vault CLI version (vault version): 1.12.2
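As an added pre-flight check illustrating the workaround the report describes (this is example code, not part of Vault or the AD secrets engine plugin), the helper below inspects an intended ad/config before rotate-root is called: it rejects the short-name binddn plus upndomain combination the reporter found to fail, and accepts a full distinguishedName binddn with upndomain unset. The function name, the DN heuristic and the sample account values are assumptions made for the example.

```shell
#!/bin/sh
# Hypothetical pre-flight check for a Vault AD secrets engine config.
# Not part of Vault: it only encodes what the issue reports, namely that
# rotate-root worked with a full DN binddn and no upndomain, and failed
# with a short-form binddn combined with upndomain.
#
# Usage: ad_config_preflight BINDDN [UPNDOMAIN]
# Returns 0 when the config matches the working form, 1 otherwise.
ad_config_preflight() {
    binddn="$1"
    upndomain="${2:-}"

    # Heuristic: a full DN carries at least one RDN such as CN=, OU= or DC=.
    case "$binddn" in
        *[Cc][Nn]=*|*[Oo][Uu]=*|*[Dd][Cc]=*) is_full_dn=1 ;;
        *) is_full_dn=0 ;;
    esac

    if [ -n "$upndomain" ] && [ "$is_full_dn" -eq 0 ]; then
        echo "WARN: binddn '$binddn' is a short name combined with upndomain '$upndomain'." >&2
        echo "      rotate-root is reported to fail with this form; use a full DN and drop upndomain." >&2
        return 1
    fi
    if [ "$is_full_dn" -eq 0 ]; then
        echo "WARN: binddn '$binddn' is not a distinguishedName." >&2
        return 1
    fi
    return 0
}

# Constructed sample values mirroring the reporter's two configurations.
ad_config_preflight 'svc-vault' 'EXAMPLE' || echo "short-form config flagged (expected)"
ad_config_preflight 'CN=svc-vault,OU=Service Accounts,DC=example,DC=com' && echo "full-DN config accepted"
```

Run it with the values you intend to pass to `vault write ad/config` before issuing the rotate-root call; a non-zero exit means the config is in the form the issue reports as broken.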