auth/ldap: fix login errors by fairclothjm · Pull Request #26200 · hashicorp/vault

fairclothjm · 2024-03-28T16:10:26Z

This fixes 2 ldap auth login errors

Missing entity alias attribute value
- Vault relies on case insensitive user attribute keys for mapping user attributes to entity alias metadata. This sets the appropriate configs in the cap library.
ldap group search anonymous bind regression
- Anonymous group searches can be rejected by some LDAP servers if they contain a userDN. This sets the configs in the cap library to specify unauthenticated binds for anonymous group searches should exclude a DN.

This fixes 2 ldap auth login errors * Missing entity alias attribute value * Vault relies on case insensitive user attribute keys for mapping user attributes to entity alias metadata. This sets the appropriate configs in the cap library. * ldap group search anonymous bind regression * Anonymous group searches can be rejected by some LDAP servers if they contain a userDN. This sets the configs in the cap library to specify unauthenticated binds for anonymous group searches should exclude a DN. Closes #26171 Closes #26183

github-actions · 2024-03-28T16:12:54Z

CI Results:
All required Go tests succeeded but failures were detected ⚠️
Failures:

Test Type	Package	Test	Logs
race	command/agent	TestAutoAuthSelfHealing_TokenFileAuth_SinkOutput	view test results

github-actions · 2024-03-28T16:13:11Z

Build Results:
All builds succeeded! ✅

sdk/helper/ldaputil/connection.go

changelog/26200.txt

jasonodonnell

LGTM once we figure out go.mod issues.

go.mod

* auth/ldap: fix login errors This fixes 2 ldap auth login errors * Missing entity alias attribute value * Vault relies on case insensitive user attribute keys for mapping user attributes to entity alias metadata. This sets the appropriate configs in the cap library. * ldap group search anonymous bind regression * Anonymous group searches can be rejected by some LDAP servers if they contain a userDN. This sets the configs in the cap library to specify unauthenticated binds for anonymous group searches should exclude a DN. Closes #26171 Closes #26183 * changelog * go mod tidy * go get cap/ldap@latest and go mod tidy

usernamemikem · 2024-03-29T03:39:10Z

Hi, when will the fix be available via the repo?

fairclothjm · 2024-04-04T16:52:15Z

@usernamemikem Hello, the fix is available in the 1.16.1 release https://github.com/hashicorp/vault/releases/tag/v1.16.1

usernamemikem · 2024-04-04T18:01:11Z

Thank you so much for letting me know!

hennadii2012 · 2024-04-19T18:13:08Z

Hello!
I still have an issue with Missing entity alias attribute value on version 1.16.1. What should I do to make it work?

jasonodonnell · 2024-04-19T18:59:27Z

@hennadii2012 What does your LDAP auth config look like?

hennadii2012 · 2024-04-19T19:10:17Z

Key                          Value                                                      
anonymous_group_search       false                                                      
binddn                                                                                  
case_sensitive_names         false                                                      
certificate                                                                             
connection_timeout           0                                                          
deny_null_bind               true                                                       
dereference_aliases                                                                     
discoverdn                   false                                                      
groupattr                    memberOf                                                   
groupdn                      ou=Groups,dc=example,dc=com                                   
groupfilter                  (&(uniqueMember=uid={{.Username}},ou=Users,dc=example,dc=com))
insecure_tls                 false                                                      
max_page_size                0                                                          
request_timeout              90                                                         
starttls                     false                                                      
tls_max_version              tls12                                                      
tls_min_version              tls12                                                      
token_bound_cidrs            []                                                         
token_explicit_max_ttl       0                                                          
token_max_ttl                0                                                          
token_no_default_policy      false                                                      
token_num_uses               0                                                          
token_period                 0                                                          
token_policies               []                                                         
token_ttl                    0                                                          
token_type                   default                                                    
upndomain                    example.com                                                   
url                          ldaps://ldap.example.com                                  
use_pre111_group_cn_behavior false                                                      
use_token_groups             false                                                      
userattr                     mail                                                       
userdn                       ou=Users,dc=example,dc=com                                    
userfilter                   ({{.UserAttr}}={{.Username}})                              
username_as_alias            false

P.S.
It works for version 1.15.6 without any issues

usernamemikem · 2024-04-19T20:52:11Z

The latest version fix it for me. But some of my attributes are a bit different than yours.

User Attribute = samaccountname
Group Filter = (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
Group Attribute = cn
no Group DN

I hope that helps.

hennadii2012 · 2024-04-20T07:20:17Z

My LDAP provider does not work with those params. I am using the list, that had been taken from the official documentation.
Also I do not think, that the reason is in LDAP config as it is, because:

For 1.15.6 it works
For 1.16.1 it works if username_as_alias option is true (the same as for 1.16.0)

jasonodonnell · 2024-04-21T01:18:30Z

@hennadii2012 In 1.16, Vault switched to a different LDAP package, and is likely why you're seeing a regression in behavior here. One thing that jumps out from your config is the userattr=mail. I plan on digging into this next week but I suspect that user attribute isn't being returned after cap/ldap queries LDAP.

jasonodonnell · 2024-04-21T02:15:24Z

Continuing the discussion over here: #26568

fairclothjm added this to the 1.16.1 milestone Mar 28, 2024

fairclothjm requested review from a team and jasonodonnell March 28, 2024 16:10

github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Mar 28, 2024

changelog

c8d957a

go mod tidy

599ac9c

tomcf-hcp reviewed Mar 28, 2024

View reviewed changes

sdk/helper/ldaputil/connection.go Show resolved Hide resolved

go get cap/ldap@latest and go mod tidy

fcea72c

jasonodonnell reviewed Mar 28, 2024

View reviewed changes

changelog/26200.txt Show resolved Hide resolved

jasonodonnell self-requested a review March 28, 2024 16:29

jasonodonnell approved these changes Mar 28, 2024

View reviewed changes

tomcf-hcp approved these changes Mar 28, 2024

View reviewed changes

calvn reviewed Mar 28, 2024

View reviewed changes

go.mod Show resolved Hide resolved

fairclothjm added the backport/1.16.x label Mar 28, 2024

fairclothjm merged commit 7d575bf into main Mar 28, 2024

fairclothjm deleted the VAULT-25466/ldap-auth-login branch March 28, 2024 18:45

hc-github-team-secure-vault-core mentioned this pull request Mar 28, 2024

Backport of auth/ldap: fix login errors into release/1.16.x #26205

Closed

fairclothjm mentioned this pull request Mar 28, 2024

auth/ldap: fix login errors (#26200) #26206

Merged

fairclothjm mentioned this pull request Apr 10, 2024

sdk: prepare for release #26348

Merged

Conversation

fairclothjm commented Mar 28, 2024

Uh oh!

github-actions bot commented Mar 28, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Mar 28, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

jasonodonnell left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

usernamemikem commented Mar 29, 2024

Uh oh!

fairclothjm commented Apr 4, 2024

Uh oh!

usernamemikem commented Apr 4, 2024

Uh oh!

hennadii2012 commented Apr 19, 2024

Uh oh!

jasonodonnell commented Apr 19, 2024

Uh oh!

hennadii2012 commented Apr 19, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

usernamemikem commented Apr 19, 2024

Uh oh!

hennadii2012 commented Apr 20, 2024

Uh oh!

jasonodonnell commented Apr 21, 2024

Uh oh!

jasonodonnell commented Apr 21, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

github-actions bot commented Mar 28, 2024 •

edited

Loading

github-actions bot commented Mar 28, 2024 •

edited

Loading

hennadii2012 commented Apr 19, 2024 •

edited

Loading