hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

/ad/rotate-root API endpoint doesn't work if the ad engine was configured with "upndomain" #19028

Open godeater opened 1 year ago

godeater commented 1 year ago

Describe the bug

On a newly configured Vault system, I was attempting to use the "rotate-root" API endpoint after setting up a new Active Directory secrets engine. What happened was I got an error back from Vault (see below):

curl -H "X-Vault-Token: $VAULT_TOKEN" https://vault.example.com/v1/ad/rotate-root
{"errors":["1 error occurred:\n\t* LDAP Result Code 34 \"Invalid DN Syntax\": 0000208F: NameErr: DSID-03100232, problem 2006 (BAD_NAME), data 8350, best match of:\n\t'svc-vault'\n\u0000\n\n"]}

I eventually figured out that this was down to me using the optional "upndomain" parameter when I was configuring the secrets engine. If I reconfigured it without that, and passed a full distinguishedName as the binddn instead of the short form you can use with upndomain, then the rotate-root endpoint works.

To Reproduce

Steps to reproduce the behavior:

  1. Run vault write ad/config binddn='svc-vault' bindpass=$PASSWORD url=ldaps://your.ad.server userdn='some_dn_in_your_domain' upndomain='short_name_for_ad_domain'
  2. Run curl -H "X-Vault-Token: $VAULT_TOKEN" https://vault.example.com/v1/ad/rotate-root
  3. See error

Expected behavior

I expect to see no error returned, and the binddn password rotated successfully inside Vault.

Environment:
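
A preflight check for the failure described in this report, added here as an example (it is not Vault's own code and not the reporter's): it reads the JSON that `vault read -format=json ad/config` returns and flags a binddn that is not a distinguished name, the short form that upndomain allows at bind time but that rotate-root then sends as the target DN, producing the LDAP result code 34 "Invalid DN Syntax" error above. The two config samples embedded in the block are constructed placeholders, and the function names are this example's own.

```python
"""Preflight check before calling Vault's /ad/rotate-root endpoint.

Added example (not Vault's code): inspects the AD secrets engine config and
warns when binddn is a short name rather than a full distinguished name, the
combination that produced LDAP result code 34 "Invalid DN Syntax" in the issue.
"""
import json
import re
from typing import List

# Constructed samples of `vault read -format=json ad/config` output; every
# value is a placeholder, not taken from a real environment.
SAMPLE_SHORT_BINDDN = json.dumps({"data": {
    "binddn": "svc-vault",
    "upndomain": "EXAMPLE",
    "url": "ldaps://your.ad.server",
    "userdn": "OU=Service Accounts,DC=example,DC=com",
}})
SAMPLE_FULL_BINDDN = json.dumps({"data": {
    "binddn": "CN=svc-vault,OU=Service Accounts,DC=example,DC=com",
    "upndomain": "",
    "url": "ldaps://your.ad.server",
    "userdn": "OU=Service Accounts,DC=example,DC=com",
}})

# One RDN of an RFC 4514 string-form DN: attribute type, '=', non-empty value.
RDN_RE = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*=.+$")


def looks_like_dn(value: str) -> bool:
    """True when every RDN (split on unescaped commas) has the attr=value shape."""
    if not value:
        return False
    rdns = re.split(r"(?<!\\),", value)
    return all(RDN_RE.match(rdn) for rdn in rdns)


def rotate_root_preflight(config_json: str) -> List[str]:
    """Return a list of problems; an empty list means the DN error should not occur."""
    data = json.loads(config_json).get("data", {})
    binddn = data.get("binddn") or ""
    upndomain = data.get("upndomain") or ""
    problems = []
    if not looks_like_dn(binddn):
        hint = ""
        if upndomain:
            # upndomain is what let the short name authenticate in the first place,
            # which is why the misconfiguration only surfaces at rotate-root time.
            hint = " (upndomain=%r is what allowed the short form to bind)" % upndomain
        problems.append(
            "binddn %r is not a distinguished name; rotate-root addresses the "
            "account by this value and AD answers LDAP result code 34 "
            "Invalid DN Syntax%s" % (binddn, hint))
    return problems


if __name__ == "__main__":
    for label, sample in (("short binddn", SAMPLE_SHORT_BINDDN),
                          ("full DN binddn", SAMPLE_FULL_BINDDN)):
        issues = rotate_root_preflight(sample)
        print(label + ":", "OK" if not issues else "; ".join(issues))
```

Run it against the real output of `vault read -format=json ad/config` (piped into `rotate_root_preflight`) before scheduling root rotation; an empty result means the engine was configured with a full DN, the form the reporter found to work.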

godeater commented 1 year ago

Referencing this issue too: https://github.com/hashicorp/vault-plugin-secrets-ad/issues/84 as it seems relevant.

aram535 commented 9 months ago

Just in case this helps someone else -- the "root" account must have OU level password rotation access in AD before it can rotate even its own password. This is not documented currently. I'll make a PR for the documentation to update.