hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Update to 1.16.x - Authentication failed: ldap.(Client).Authenticate: failed to get user attributes: ldap.(Client).getUserAttributes: missing user dn: invalid parameter #27276

Open makrelas opened 5 months ago

makrelas commented 5 months ago

Describe the bug

After updating Vault to 1.16.x (0, 1, 2, 3), LDAP (AD) authentication to Vault fails in both the UI and the CLI with the error message "Authentication failed: ldap.(Client).Authenticate: failed to get user attributes: ldap.(Client).getUserAttributes: missing user dn: invalid parameter".

Bind operation works normally. Logs of that failed query are not being produced on any level of debug.

To Reproduce

Steps to reproduce the behaviour:

  1. Run the LDAP login method:

     vault login -no-print -method=ldap username=REDACTED
     Password (will be hidden):

  2. See the error:

     Error authenticating: Error making API request.

     URL: PUT https://127.0.0.1:8200/v1/auth/ldap/login/REDACTED
     Code: 400. Errors:

Expected behavior

The user is authenticated.

Environment:

Vault server configuration file(s): output of vault read auth/ldap/config

Key                             Value
---                             -----
anonymous_group_search          false
binddn                          n/a
case_sensitive_names            false
certificate                     (redacted)
connection_timeout              0
deny_null_bind                  true
dereference_aliases             never
discoverdn                      false
groupattr                       cn
groupdn                         OU=Permissions,OU=Shared,OU=red,OU=red,OU=red,DC=red,DC=com
groupfilter                     (&(objectClass=group)(|(cn=red)(cn=red*)))
insecure_tls                    false
max_page_size                   0
password_policy                 n/a
request_timeout                 90
starttls                        false
tls_max_version                 tls12
tls_min_version                 tls12
token_bound_cidrs               []
token_explicit_max_ttl          0s
token_max_ttl                   0s
token_no_default_policy         false
token_num_uses                  0
token_period                    0s
token_policies                  []
token_ttl                       0s
token_type                      default
upndomain                       redacted.com
url                             ldaps://redacted.com
use_pre111_group_cn_behavior    false
use_token_groups                true
userattr                        samaccountname
userdn                          OU=Users,OU=redacted,DC=redacted,DC=com
userfilter                      {{.UserAttr}}={{.Username}}
username_as_alias               false

Additional context

On 1.15.6 - working

Lightweight Directory Access Protocol
    LDAPMessage searchRequest(2) "OU=Users,OU=redacted,DC=redacted,DC=com" wholeSubtree
        messageID: 2
        protocolOp: searchRequest (3)
            searchRequest
                baseObject: OU=Users,OU=redacted,DC=redacted,DC=com
                scope: wholeSubtree (2)
                derefAliases: neverDerefAliases (0)
                sizeLimit: 2147483647
                timeLimit: 0
                typesOnly: False
                Filter: (userPrincipalName=REDACTED_USER@redacteddomain.com)
                    filter: equalityMatch (3)
                        equalityMatch
                            attributeDesc: userPrincipalName
                            assertionValue: REDACTED_USER@redacteddomain.com
                attributes: 0 items
        [Response In: 8]

Lightweight Directory Access Protocol
    LDAPMessage searchResDone(2) success [114 results]
        messageID: 2
        protocolOp: searchResDone (5)
            searchResDone
                resultCode: success (0)
                matchedDN: 
                errorMessage: 
        [Response To: 7]

On 1.16.3 - not working

Lightweight Directory Access Protocol
    LDAPMessage searchRequest(2) "OU=Users,OU=redacted,DC=redacted,DC=com" wholeSubtree
        messageID: 2
        protocolOp: searchRequest (3)
            searchRequest
                baseObject: OU=Users,OU=redacted,DC=redacted,DC=com
                scope: wholeSubtree (2)
                derefAliases: neverDerefAliases (0)
                sizeLimit: 2147483647
                timeLimit: 0
                typesOnly: False
                Filter: (userPrincipalName=REDACTED_USER@redacteddomain.com)
                    filter: equalityMatch (3)
                        equalityMatch
                            attributeDesc: userPrincipalName
                            assertionValue: REDACTED_USER@redacteddomain.com
                attributes: 0 items
        [Response In: 30]

Lightweight Directory Access Protocol
    LDAPMessage searchResDone(2) success [0 results]
        messageID: 2
        protocolOp: searchResDone (5)
            searchResDone
        [Response To: 29]
        [Time: 0.000494000 seconds]

l00d3r commented 5 months ago

Although I don't know where the exact issue lies, I have worked around this by removing upndomain, configuring binddn, bindpass and setting discoverdn to true.

Hope this helps in finding the root cause of this issue.
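To make the two configurations in this thread concrete, here is an added Go example; it is not Vault's code and was not posted by either participant. It renders the userfilter template from the config above, {{.UserAttr}}={{.Username}}, with Go's text/template, which is the template syntax the userfilter option uses, into the parenthesised search filter form seen in the captures. The mapping of the upndomain configuration to a userPrincipalName=<user>@<domain> filter, and of l00d3r's workaround (upndomain removed, binddn/bindpass set, discoverdn=true) to the configured userattr and bare username, is inferred from the config and the captures on this page, not from Vault's source. The username jdoe, the escape routine and the injection-style username are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// userFilterInput holds the two fields the Vault LDAP auth method exposes to
// the userfilter template: {{.UserAttr}} and {{.Username}}.
type userFilterInput struct {
	UserAttr string
	Username string
}

// escapeFilterValue hex-escapes the characters RFC 4515 reserves in an
// assertion value (* ( ) \ NUL) plus non-printable bytes, so that a username
// cannot change the structure of the filter it is substituted into.
// Constructed for this example; Vault's own escaping lives in its LDAP library.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == '*' || c == '(' || c == ')' || c == '\\' || c == 0,
			c < 0x20 || c > 0x7e:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// renderUserFilter renders a userfilter template into an LDAP search filter.
// The issue's template has no outer parentheses while the captured filter
// does, so the result is wrapped if the template did not already do so
// (an assumption made for this example).
func renderUserFilter(tmpl string, in userFilterInput) (string, error) {
	t, err := template.New("userfilter").Parse(tmpl)
	if err != nil {
		return "", err
	}
	in.Username = escapeFilterValue(in.Username)
	var buf strings.Builder
	if err := t.Execute(&buf, in); err != nil {
		return "", err
	}
	f := buf.String()
	if !strings.HasPrefix(f, "(") {
		f = "(" + f + ")"
	}
	return f, nil
}

// effectiveInput derives the template inputs from the configuration.
// With upndomain set, the captures show a search keyed on
// userPrincipalName=<user>@<upndomain>; without it, the configured userattr
// (samaccountname here) and the bare username apply. This mapping is inferred
// from the page, not taken from Vault's implementation.
func effectiveInput(userattr, upndomain, username string) userFilterInput {
	if upndomain != "" {
		return userFilterInput{UserAttr: "userPrincipalName", Username: username + "@" + upndomain}
	}
	return userFilterInput{UserAttr: userattr, Username: username}
}

func main() {
	const tmpl = "{{.UserAttr}}={{.Username}}" // userfilter from the issue's config

	// Configuration as posted in the issue: upndomain=redacted.com.
	fa, _ := renderUserFilter(tmpl, effectiveInput("samaccountname", "redacted.com", "jdoe"))
	fmt.Println("upndomain set:    ", fa)

	// l00d3r's workaround: upndomain removed, discoverdn=true with binddn/bindpass.
	fb, _ := renderUserFilter(tmpl, effectiveInput("samaccountname", "", "jdoe"))
	fmt.Println("upndomain unset:  ", fb)

	// Why the substituted value must be escaped: a crafted username that
	// would otherwise turn the equality match into a much wider filter.
	fc, _ := renderUserFilter(tmpl, effectiveInput("samaccountname", "", "*)(objectClass=*"))
	fmt.Println("escaped attempt:  ", fc)
}
```

The first two lines of output give the filters to compare against an ldapsearch with the same base DN (OU=Users,...) when checking whether the directory, rather than Vault, is returning zero entries; the third shows why the value substituted for {{.Username}} must be escaped before it reaches the directory.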