hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

auth.ldap disappeared in vault logs #28205

Open Slm0n87 opened 2 months ago

Slm0n87 commented 2 months ago

Describe the bug

In May 2023 I debugged an issue with the login of a user with LDAP authentication. After enabling the Vault debug log I got the following lines in the Vault logs:

May 17 10:34:15 vault-server01 vault[402703]: 2023-05-17T10:34:15.331Z [DEBUG] auth.ldap.auth_ldap_0f21e7f8: user binddn fetched: username=xxxxxxxxx binddn="cn=xxxxxxxxx,ou=usr,o=employee"
May 17 10:34:18 vault-server01 vault[402703]: 2023-05-17T10:34:18.350Z [DEBUG] auth.ldap.auth_ldap_0f21e7f8: ldap bind failed: error="LDAP Result Code 49 \"Invalid Credentials\": NDS error: failed authentication (-669)"

Today I tried to repeat the same thing and I also see debug log output, but even if I log in via LDAP myself there is no log line regarding auth.ldap anymore.

To Reproduce

Steps to reproduce the behavior:

  1. Have a setup with working LDAP authentication
  2. Enable debug logging by adding log_level = "Debug" to /etc/vault.d/vault.hcl
  3. Restart & unseal Vault
  4. Try to log in via LDAP, for example with a wrong password
  5. There are no debug log lines for auth.ldap anymore

Expected behavior

Debug logs should show log lines for auth.ldap

Environment:

Vault server configuration file(s):


storage "raft" {
  path    = "/space/raft-storage/vault-server01"
  node_id = "vault-server01"
}

listener "tcp" {
  address = "[::]:8200"
  cluster_address = "[xxxxxxxxx]:8201"
  xxxxxxxxx
  xxxxxxxxx
  x_forwarded_for_authorized_addrs = "::1"
  x_forwarded_for_reject_not_present = "false"
}

cluster_addr = "http://[xxxxxxxx]:8201"
api_addr = "https://xxxxxxx:8200"
cluster_name = "vault"
telemetry {
  statsd_address = "127.0.0.1:8125"
  disable_hostname = true
  usage_gauge_period = "5m"
}
raw_storage_endpoint = "true"
ui = "true"

user_lockout "approle" {
 disable_lockout = "true"
}
log_level = "Debug"
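
The reproduction above comes down to one check: after an LDAP login attempt with debug logging on, do any DEBUG lines from the auth.ldap subsystem appear? As an added example (not code from the issue, the reporter, or HashiCorp), the following Python script parses Vault's hclog-style lines, run over the two DEBUG lines quoted in the issue plus one constructed `core:` filler line. It assumes the `timestamp [LEVEL] subsystem: message: key=value ...` layout those two lines show, with an optional journald prefix, and reports whether the expected auth.ldap debug output is present and which bind failures (with their LDAP result codes) it contains. The function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two DEBUG lines quoted in the issue (hostname,
# pid and username already redacted on the page) plus one constructed,
# non-LDAP "core" line so the filter has something to ignore.
SAMPLE_LOG = [
    "May 17 10:34:10 vault-server01 vault[402703]: 2023-05-17T10:34:10.001Z "
    "[DEBUG] core: constructed filler line for this example",
    "May 17 10:34:15 vault-server01 vault[402703]: 2023-05-17T10:34:15.331Z "
    "[DEBUG] auth.ldap.auth_ldap_0f21e7f8: user binddn fetched: "
    'username=xxxxxxxxx binddn="cn=xxxxxxxxx,ou=usr,o=employee"',
    "May 17 10:34:18 vault-server01 vault[402703]: 2023-05-17T10:34:18.350Z "
    "[DEBUG] auth.ldap.auth_ldap_0f21e7f8: ldap bind failed: "
    r'error="LDAP Result Code 49 \"Invalid Credentials\": NDS error: '
    'failed authentication (-669)"',
]

# Assumed layout (taken from the lines above): optional journald prefix, then
# hclog's "<timestamp> [LEVEL] <subsystem>: <message>: key=value ...".
LINE_RE = re.compile(
    r"^(?:.*?\bvault\[\d+\]:\s+)?"
    r"(?P<ts>\d{4}-\d{2}-\d{2}T[\d:.]+Z)\s+"
    r"\[(?P<level>[A-Z]+)\]\s+"
    r"(?P<subsystem>[\w.\-]+):\s+"
    r"(?P<rest>.*)$"
)
# key=value pairs; quoted values may contain escaped quotes (\").
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The first ": " followed by a key= token separates the message from fields.
KV_START_RE = re.compile(r":\s+(?=\w+=)")
LDAP_CODE_RE = re.compile(r"LDAP Result Code (\d+)")


@dataclass
class LogRecord:
    ts: str
    level: str
    subsystem: str
    msg: str
    kv: dict


def unquote(value: str) -> str:
    """Strip hclog's double quotes and undo its \\" and \\\\ escapes."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return value


def parse_line(line: str):
    """Return a LogRecord for one Vault log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m["rest"]
    split = KV_START_RE.search(rest)
    if split:
        msg, kv_text = rest[: split.start()], rest[split.end():]
    else:
        msg, kv_text = rest, ""
    kv = {k: unquote(v) for k, v in KV_RE.findall(kv_text)}
    return LogRecord(m["ts"], m["level"], m["subsystem"], msg, kv)


def ldap_debug_present(lines) -> bool:
    """The reporter's expected behaviour: at least one DEBUG line whose
    subsystem is auth.ldap (or a mount under it) is present in the log."""
    records = (parse_line(line) for line in lines)
    return any(r.level == "DEBUG" and r.subsystem.startswith("auth.ldap")
               for r in records if r)


def failed_binds(records):
    """(timestamp, LDAP result code) for every 'ldap bind failed' record;
    the code is None if the error text carries no 'LDAP Result Code N'."""
    out = []
    for r in records:
        if r.subsystem.startswith("auth.ldap") and r.msg == "ldap bind failed":
            m = LDAP_CODE_RE.search(r.kv.get("error", ""))
            out.append((r.ts, int(m.group(1)) if m else None))
    return out


if __name__ == "__main__":
    recs = [r for r in map(parse_line, SAMPLE_LOG) if r]
    print("auth.ldap debug present:", ldap_debug_present(SAMPLE_LOG))
    for ts, code in failed_binds(recs):
        print(f"{ts} bind failed, LDAP result code {code}")
```

Feed it `journalctl -u vault -o cat` output (or the raw stdout log) captured around the login attempt: `ldap_debug_present()` returning False after a deliberately wrong password is exactly the symptom reported here, while a True result together with a result code 49 entry from `failed_binds()` is what the May 2023 log showed.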

biazmoreira commented 2 months ago

@Slm0n87, what was the Vault version in which you could see the debug lines, and which Vault version are you running right now?

paulothread commented 3 weeks ago

This issue relates to: #28467