Vault 27421 update cap/ldap dep

[helenfufu]

Description

This PR updates the github.com/hashicorp/cap/ldap dependency to the latest commit, currently hashicorp/cap@9047b8b, to address a low-severity security gap related to LDAP user search with upndomain. For more details, see the related cap PR: hashicorp/cap#151.

Since this introduces a potential breaking change, it should not be backported to earlier Vault versions.

Ticket: VAULT-27421

TODO only if you're a HashiCorp employee

• Backport Labels: If this fix needs to be backported, use the appropriate backport/ label that matches the desired release branch. Note that in the CE repo, the latest release branch will look like backport/x.x.x, but older release branches will be backport/ent/x.x.x+ent.
  • LTS: If this fixes a critical security vulnerability or severity 1 bug, it will also need to be backported to the current LTS versions of Vault. To ensure this, use all available enterprise labels.
• ENT Breakage: If this PR either 1) removes a public function OR 2) changes the signature
  of a public function, even if that change is in a CE file, double check that
  applying the patch for this PR to the ENT repo and running tests doesn't
  break any tests. Sometimes ENT only tests rely on public functions in CE
  files.
• Jira: If this change has an associated Jira, it's referenced either
  in the PR description, commit message, or branch name.
• RFC: If this change has an associated RFC, please link it in the description.
• ENT PR: If this change has an associated ENT PR, please link it in the
  description. Also, make sure the changelog is in this PR, not in your ENT PR.

[github-actions]

CI Results:
All Go tests succeeded! ✅

[github-actions]

Build Results:
All builds succeeded! ✅

[fairclothjm]

Thanks! Can we also update cap/ldap in the sdk's go.mod?

vault/sdk/go.mod

Line 18 in e153846

github.com/hashicorp/cap/ldap v0.0.0-20240328153749-fcfe271d0227

[helenfufu]

Would appreciate guidance here:

1. Is it alright to link the exact commit, or would it be preferred to mention something along the lines of "latest commit on main"?
2. Does this level of detail about the security improvement need to be documented in the changelog in addition to the upgrade guide? Wasn't sure if it was redundant to have it here as well.

[fairclothjm]

I think for the changelog, we should not reference cap/ldap but instead auth/ldap and any anywhere else this may have effect. I think that is the only one though. We want changelogs to describe the effect on the Vault user. So in this case, something like (I believe the effect is on login?):

release-note:change
auth/ldap: An error will now be returned on login if the number of entries returned from the user DN LDAP search is more than one.

[helenfufu]

I see, thanks for explaining 🙏

[fairclothjm]

LGTM! Should we add some test coverage to assert this behavior?