missing entity alias attribute value with

[trutled3]

Describe the bug
A clear and concise description of what the bug is.

After upgrading Vault to v1.16.0 from v1.15.1 we are seeing an error when signing in through the ldap auth method stating, Authentication failed: missing entity alias attribute value. I am using active directory.

To Reproduce
Steps to reproduce the behavior:

1. Enable ldap auth method with config similar to:

  url="<REDACTED>" \
  userattr="sAMAccountName" \
  userdn="<REDACTED>" \
  binddn="<REDACTED>" \
  bindpass="<REDACTED>" \
  groupdn="<REDACTED>" \
  certificate=@ldap_cert.pem \
  insecure_tls=true \
  case_sensitive_names=false \
  starttls=true

2. Attempt to sign in to Vault with ldap auth method.

Expected behavior
Expected behavior is for ldap auth method behavior to remain the same between v1.15.1 and v1.16.0 with no changes to ldap auth method configuration.

Environment:

• Vault Server Version (retrieve with vault status): 1.16.0
• Vault CLI Version (retrieve with vault version): N/A
• Server Operating System/Architecture: Ubuntu

Vault server configuration file(s):

  url="<REDACTED>" \
  userattr="sAMAccountName" \
  userdn="<REDACTED>" \
  binddn="<REDACTED>" \
  bindpass="<REDACTED>" \
  groupdn="<REDACTED>" \
  certificate=@ldap_cert.pem \
  insecure_tls=true \
  case_sensitive_names=false \
  starttls=true

[heatherezell]

Hi @trutled3 - thanks for this report! Is this on 1.16.0 GA or one of the RCs? It'll help our investigation. Thanks much! :)

[trutled3]

Hi there!

This was v1.16.0 GA that was released today.

[heatherezell]

Hi there!

This was v1.16.0 GA that was released today.

Thank you so much! I'll pass this along. Edit: I misspoke on the state of the version.

[trutled3]

Oh, okay. Thanks!

[usernamemikem]

I have the exact same issue. Upgraded just minutes ago.

[Joffrey54]

Are you using Active Directory ? I have the same issue
I set "Username as Alias" and it resoled the issue

[trutled3]

@Joffrey54 - I am using active directory, yes! I did not include that information in my original issue post. I updated to include that information as well.

[usernamemikem]

I have the exact same issue. Upgraded just minutes ago.

@Joffrey54 - Same here, using Active Directory.

[Joffrey54]

Perhaps the bug come from the "user attribute" that is forced in lowercase:

In Windows, this attribute is "sAMAccountName"

But, as I said, this option solved the error for me:

[usernamemikem]

Thank you @Joffrey54! Checking the Username as alias box also worked for me.

[trutled3]

I can confirm checking the username as alias box resolves the error for me as well.

[fairclothjm]

Thanks everyone, we are working on a fix for this now.

The workaround mentioned above should be used with caution since the user attribute is customizable.