Vault: ldap userPrincipalName search all wrong

Created on 10 Mar 2017 · 3 Comments · Source: hashicorp/vault

Vault 0.6.5

I created an ldap auth backend, with the following data:

Key             Value
---             -----
binddn          cn=vault,ou=services,dc=example,dc=com
bindpass        password1234
certificate
deny_null_bind  true
discoverdn      false
groupattr       cn
groupdn         ou=groups,dc=example,dc=com
groupfilter     (&(objectClass=group)(member:1.2.840.113556.1.5.1951:={{.UserDN}}))
insecure_tls    true
starttls        false
tls_max_version tls12
tls_min_version tls12
upndomain       corp.example.com
url             ldap://dc1.example.com
userattr        samaccountname
userdn          ou=users,dc=example,dc=com

When trying to auth against this, I received:

* user is not a member of any authorized group; additionally, no LDAP groups found in groupDN

But tcpdumping ldap, I find the following search takes place (after the successful bind):

search
baseObject: ou=users,dc=example,dc=com
scope: wholeSubtree
Filter: (userPrincipalName=CN=Test User,OU=users,DC=example,DC=com)

The userPrincipalName filter which has been generated is wrong: as the docs clearly say (and as a UPN is defined), the userPrincipalName should be in the format [email protected], because the upndomain is corp.example.com.

It seems that this query is being created incorrectly? Or do I have an invalid setup?

Thanks

All 3 comments

In the above, I made the mistake of using both upndomain and userattr/userdn, which the docs say you should use one or the other of. When I removed upndomain it worked. Still a bit weird behaviour though, perhaps the engine should say "you've defined 2 mutually exclusive options, not accepting the config".

@gtmtech In current Vault if you specify both it will use the binddn/bindpass for binding, but then should use the upndomain for the actual user search.

If you're still having trouble please let us know!

@gtmtech
Removing upndomain saved me, thank you!
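As an added illustration (not Vault's code, and not a claim about how Vault itself resolves the two settings), here is a Go sketch of the strict "one or the other" check the reporter asks for, together with the two user-lookup filters the thread contrasts: a userPrincipalName lookup when upndomain is set, and a (userattr=user) lookup under userdn otherwise. The type and functions are hypothetical; the RFC 4515 escaping is there because the login name as typed is interpolated into the filter.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// LDAPConfig: user-lookup fields from the issue's config (hypothetical type, not Vault's).
type LDAPConfig struct {
	UPNDomain string // upndomain
	UserAttr  string // userattr
	UserDN    string // userdn
}

// escapeFilter escapes the RFC 4515 reserved characters in an assertion value,
// so a login name like `*)(cn=` cannot change the meaning of the search.
func escapeFilter(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch r {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", r)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// ValidateUserLookup enforces the "one or the other" rule from the docs:
// a UPN lookup (upndomain) or an attribute lookup (userattr + userdn), never both.
func ValidateUserLookup(c LDAPConfig) error {
	if c.UPNDomain != "" && (c.UserAttr != "" || c.UserDN != "") {
		return errors.New("upndomain and userattr/userdn are mutually exclusive; remove one")
	}
	return nil
}

// UserSearchFilter builds the filter sent after the service-account bind.
// With upndomain set the lookup is by userPrincipalName=user@domain; otherwise
// it is (userattr=user) under userdn. Both use the login name as typed.
func UserSearchFilter(c LDAPConfig, username string) (string, error) {
	if err := ValidateUserLookup(c); err != nil {
		return "", err
	}
	if c.UPNDomain != "" {
		return fmt.Sprintf("(userPrincipalName=%s@%s)", escapeFilter(username), escapeFilter(c.UPNDomain)), nil
	}
	return fmt.Sprintf("(%s=%s)", c.UserAttr, escapeFilter(username)), nil
}
```

Fed the issue's config (upndomain plus userattr/userdn), ValidateUserLookup returns the error instead of letting a lookup with an ambiguous filter reach the directory.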
