hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Vault ldap auth: unable to retrieve user bind DN #9477

Open Jeka-Dem opened 4 years ago

Jeka-Dem commented 4 years ago

Describe the bug
LDAP auth can't find a user located outside the OU=Vault,OU=Domain_Services,DC=test,DC=loc location.

To Reproduce
Steps to reproduce the behavior:

1. Run TLS HA Vault + Raft from helm chart vault-0.6.0
   ```bash
   kubectl -n vault get pod
   NAME      READY   STATUS    RESTARTS   AGE
   vault-0   1/1     Running   0          25h
   vault-1   1/1     Running   0          25h
   vault-2   1/1     Running   0          25h
   kubectl -n vault get statefulsets.apps
   NAME    READY   AGE
   vault   3/3     28h
   ```
2. Enable ldap auth
   ```bash
   vault auth enable ldap
   ```
3. Set up ldap connection
   ```bash
   vault write auth/ldap/config \
     url="ldaps://ldap.test.loc:636" \
     certificate=@ldaps.pem \
     insecure_tls=false \
     starttls=true \
     binddn="CN=vault.ad.access,OU=Vault,OU=Domain_Services,DC=test,DC=loc" \
     bindpass='**************' \
     upndomain="test.loc" \
     userattr=sAMAccountName \
     userdn="DC=test,DC=loc" \
     groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
     groupdn="DC=test,DC=loc" \
     groupattr="cn"
   ```
4. Check ldap config
   ```bash
   vault read auth/ldap/config --format=json
   ```
   ```json
   {
     "request_id": "8332188c-d634-77ae-d5d9-e22c814e87a7",
     "lease_id": "",
     "lease_duration": 0,
     "renewable": false,
     "data": {
       "anonymous_group_search": false,
       "binddn": "CN=vault.ad.access,OU=Vault,OU=Domain_Services,DC=test,DC=loc",
       "case_sensitive_names": false,
       "certificate": "-----BEGIN CERTIFICATE-----\n*****\n-----END CERTIFICATE-----",
       "deny_null_bind": true,
       "discoverdn": false,
       "groupattr": "cn",
       "groupdn": "DC=test,DC=loc",
       "groupfilter": "(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
       "insecure_tls": false,
       "starttls": true,
       "tls_max_version": "tls12",
       "tls_min_version": "tls10",
       "token_bound_cidrs": [],
       "token_explicit_max_ttl": 0,
       "token_max_ttl": 0,
       "token_no_default_policy": false,
       "token_num_uses": 0,
       "token_period": 0,
       "token_policies": [],
       "token_ttl": 0,
       "token_type": "default",
       "upndomain": "test.loc",
       "url": "ldaps://ldap.test.loc:636",
       "use_pre111_group_cn_behavior": true,
       "use_token_groups": false,
       "userattr": "samaccountname",
       "userdn": "DC=test,DC=loc"
     },
     "warnings": null
   }
   ```
5. Create test user
   ```bash
   ldapsearch -x -LLL -h ldap.test.loc \
     -D "CN=vault.ad.access,OU=Vault,OU=Domain_Services,DC=test,DC=loc" -w "*******" \
     -b "dc=test,dc=loc" "(sAMAccountName=vault)" dn memberOf sAMAccountName
   dn: CN=vault,OU=Vault,OU=Domain_Services,DC=test,DC=loc
   memberOf: CN=Vault.Admins,OU=Vault,OU=Domain_Services,DC=test,DC=loc
   sAMAccountName: vault
   ```
6. Create mapping for ldap group to policy
   ```bash
   vault write auth/ldap/groups/Vault.Admins policies=vault-admin
   vault read auth/ldap/groups/vault.admins
   Key         Value
   ---         -----
   policies    [vault-admin]
   ```
7. Try to connect with test user
   ```bash
   $ vault login -method=ldap username=vault
   Password (will be hidden):
   WARNING! The VAULT_TOKEN environment variable is set! This takes precedence
   over the value set by this command. To use the value set by this command,
   unset the VAULT_TOKEN environment variable or set it to the token displayed
   below.

   Success! You are now authenticated. The token information displayed below is already stored in the token helper. You do NOT need to run "vault login" again. Future Vault requests will automatically use this token.

   Key                  Value
   ---                  -----
   token                s.duKYuWYyhUpb2J31WWvr7jIo
   token_accessor       lI3f9dstd9B7VFqprUAuWruV
   token_duration       768h
   token_renewable      true
   token_policies       ["default" "vault-admin"]
   identity_policies    []
   policies             ["default" "vault-admin"]
   token_meta_username  vault
   ```
8. Try to connect with existing client user
   ```bash
   vault login -method=ldap username=client
   Password (will be hidden):
   Error authenticating: Error making API request.

   URL: PUT https://vault.ingress.infra.kuber.int/v1/auth/ldap/login/client
   Code: 400. Errors:

   * ldap operation failed: unable to retrieve user bind DN
   ```
   ```bash
   ldapsearch -x -LLL -h ldap.test.loc \
     -D "CN=vault.ad.access,OU=Vault,OU=Domain_Services,DC=test,DC=loc" -w "******" \
     -b "dc=test,dc=loc" "(sAMAccountName=client)" dn memberOf sAMAccountName
   dn:: Q049RGVtaWFuZW5rbyBZZXZoZW4sT1U9RGV2T1BTIFRlYW0sT1U9T3BlcmF0aW9uIFRlYW0sT
    1U9SVQgRGVwYXJ0bWVudCxPVT3QptC10L3RgtGA0LDQu9GM0L3Ri9C5INC+0YTQuNGBLE9VPURvbW
    Fpbl9Vc2VycyxEQz1iZXQsREM9bG9j
   memberOf: CN=Vault.Admins,OU=Vault,OU=Domain_Services,DC=test,DC=loc
   sAMAccountName: client
   ```

Expected behavior
Successful login, with the mapped group policy vault-admin applied.

Environment:

Vault server configuration file(s):

```hcl
disable_mlock = true
ui = true

api_addr = "https://POD_IP:8200"
cluster_addr = "https://POD_IP:8201"
listener "tcp" {
  address          = "0.0.0.0:8200"
  cluster_address  = "0.0.0.0:8201"

  http_idle_timeout         = "5m"
  http_read_header_timeout  = "10s"
  http_read_timeout         = "30s"
  http_write_timeout        = "0"
  max_request_size          = 33554432
  max_request_duration      = "90s"
  tls_disable        = "false"
  tls_cert_file      = "/vault/certs/vault-server-tls/tls.crt"
  tls_key_file       = "/vault/certs/vault-server-tls/tls.key"
  tls_client_ca_file = "/vault/certs/vault-server-tls/tls-ca.crt"
  tls_min_version    = "tls12"
}
storage "raft" {
  path = "/vault/data"
}

service_registration "kubernetes" {}
```

Additional context
Member list of Vault.Admins:

```bash
ldapsearch -x -LLL -H ldaps://ldap.test.loc  -w "****" \
    -D "CN=vault.ad.access,OU=Vault,OU=Domain_Services,DC=test,DC=loc" \
    -b "DC=test,DC=loc" \
    "(&(objectCategory=person)(memberOf=CN=Vault.Admins,OU=Vault,OU=Domain_Services,DC=test,DC=loc))"  \
    dn memberOf sAMAccountName
dn:: Q049RGVtaWFuZW5rbyBZZXZoZW4sT1U9RGV2T1BTIFRlYW0sT1U9T3BlcmF0aW9uIFRlYW0sT
 1U9SVQgRGVwYXJ0bWVudCxPVT3QptC10L3RgtGA0LDQu9GM0L3Ri9C5INC+0YTQuNGBLE9VPURvbW
 Fpbl9Vc2VycyxEQz1iZXQsREM9bG9j
memberOf: CN=Vault.Admins,OU=Vault,OU=Domain_Services,DC=test,DC=loc
sAMAccountName: y.demianenko

dn: CN=vault,OU=Vault,OU=Domain_Services,DC=test,DC=loc
memberOf: CN=Vault.Admins,OU=Vault,OU=Domain_Services,DC=test,DC=loc
sAMAccountName: vault
```

what-the-crypto commented 3 years ago

I had the same error with Vault v1.4.3 using a 3-node raft storage back-end. I was authenticating users based on their samaccount username. It appears that there is a workaround to this issue by leaving upndomain blank and setting groupfilter to `(&(objectClass=user)(samAccountName={{.Username}}))`. I can confirm that this solved the "Error authenticating: ldap operation failed: unable to retrieve user bind DN" error for me. See this other related issue: https://github.com/hashicorp/vault/issues/6325

surakshith-suvarna commented 2 years ago

I had the same error with Vault v1.11.0. I was also authenticating users based on their samAccountName. Thanks, @what-the-crypto, your solution to change the group filter to `groupfilter="(&(objectClass=user)(samAccountName={{.Username}}))"` did the trick. Vault was able to bind the DN and authenticate.
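The original config in step 3 and the workaround in the two comments above differ in which template field the group filter uses: `{{.UserDN}}`, which can only be filled in once Vault has resolved the user's DN, versus `{{.Username}}`, which needs only the login name. The Python below is an added example, not Vault's own code: it mimics how such a filter template is expanded with RFC 4515 escaping, so both filters from this thread can be rendered and compared offline. The function names, the sample user DN and the usernames are constructed for the example.

```python
"""Render Vault-style LDAP filter templates with RFC 4515 escaping.

Added example, not Vault's own code. It imitates the {{.Username}} and
{{.UserDN}} placeholders accepted by the ldap auth method's groupfilter so the
two filters discussed in the issue can be compared without a directory.
"""
import re

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_ESCAPE = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}

# Go text/template style placeholder, e.g. {{.Username}} or {{ .UserDN }}.
_FIELD_RE = re.compile(r'\{\{\s*\.(\w+)\s*\}\}')


def escape_filter(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return ''.join(_ESCAPE.get(ch, ch) for ch in value)


def template_fields(template: str) -> set:
    """Return the set of template fields a filter references."""
    return set(_FIELD_RE.findall(template))


def render_filter(template: str, username: str, user_dn: str = '') -> str:
    """Substitute .Username / .UserDN into the template, escaping each value.

    A filter that references .UserDN cannot be rendered until the user's DN
    has been resolved, so an empty user_dn is treated as an error.
    """
    ctx = {'Username': username, 'UserDN': user_dn}

    def substitute(match):
        field = match.group(1)
        if field not in ctx:
            raise ValueError(f'unsupported template field .{field}')
        if field == 'UserDN' and not user_dn:
            raise ValueError('filter references .UserDN but no user DN was resolved')
        return escape_filter(ctx[field])

    return _FIELD_RE.sub(substitute, template)


# Filters from the issue: the original matches groups by transitive membership
# (1.2.840.113556.1.4.1941 is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN),
# the workaround looks the user object up by samAccountName.
ORIGINAL_GROUPFILTER = '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))'
WORKAROUND_GROUPFILTER = '(&(objectClass=user)(samAccountName={{.Username}}))'

if __name__ == '__main__':
    # Constructed sample values, not taken from the issue.
    dn = 'CN=Smith (Jane),OU=Domain_Users,DC=test,DC=loc'
    print(render_filter(ORIGINAL_GROUPFILTER, 'j.smith', dn))
    print(render_filter(WORKAROUND_GROUPFILTER, 'j.smith'))
    # Filter metacharacters in the login name are escaped, not interpreted.
    print(render_filter(WORKAROUND_GROUPFILTER, 'j.smith)(cn=*'))
```

The escaping step is what keeps a login name or DN containing `(`, `)` or `*` (parentheses are common in AD display names) from changing the meaning of the filter; `template_fields` is a quick way to check which of the two fields a configured filter depends on before changing `upndomain`.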