
ldap group search anonymous bind regression in 1.16.0 #26183

Closed
cjnosal opened this issue Mar 27, 2024 · 1 comment · Fixed by #26200
Labels: auth/ldap, bug (Used to indicate a potential bug), reproduced (This issue has been reproduced by a Vault engineer)

Comments

@cjnosal commented Mar 27, 2024

Describe the bug
ldap login fails after upgrading 1.15.6->1.16.0

To Reproduce
Steps to reproduce the behavior:

  0. apt install vault=1.16.0-1
  1. vault auth enable ldap
  2. configure ldap auth with anonymous group bind
     vault write auth/ldap/config \
       url=ldaps://ldap.home.arpa \
       userdn="ou=People,dc=home,dc=arpa" \
       userattr=uid \
       discoverdn=true \
       anonymous_group_search=true \
       groupdn="ou=Groups,dc=home,dc=arpa" \
       groupattr=cn \
       groupfilter="(member={{.UserDN}})"
  3. Run vault login -no-print -method=ldap and enter valid username and password
  4. See error
     URL: PUT https://vault.home.arpa:8200/v1/auth/ldap/login/cnosal
     Code: 400. Errors:

     * ldap.(Client).Authenticate: group search anonymous bind failed: LDAP Result Code 53 "Unwilling To Perform": unauthenticated bind (DN with no password) disallowed

Expected behavior
DN shouldn't be sent when performing anonymous group search

Environment:

  • Vault Server Version (retrieve with vault status): 1.16.0
  • Vault CLI Version (retrieve with vault version): Vault v1.16.0 (c20eae3e84c55bf5180ac890b83ee81c9d7ded8b), built 2024-03-25T12:01:32Z
  • Server Operating System/Architecture: ubuntu jammy amd64

Vault server configuration file(s):

ui = true
api_addr = "ldap.home.arpa:8200"

disable_mlock = true

storage "file" {
  path = "/opt/vault/data"
}

# HTTPS listener
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file  = "/opt/vault/tls/tls.key"
}

Additional context
The ldap configuration worked with vault 1.15.6.
The LDAP server allows anonymous reads.

@heatherezell heatherezell added auth/ldap bug Used to indicate a potential bug labels Mar 27, 2024
@fairclothjm (Contributor) commented:

Thank you for reporting @cjnosal! We are working on a fix

@fairclothjm fairclothjm added the reproduced This issue has been reproduced by a Vault engineer label Mar 27, 2024
fairclothjm added a commit that referenced this issue Mar 28, 2024
This fixes 2 ldap auth login errors

* Missing entity alias attribute value
  * Vault relies on case insensitive user attribute keys for mapping user
    attributes to entity alias metadata. This sets the appropriate
    configs in the cap library.

* ldap group search anonymous bind regression
  * Anonymous group searches can be rejected by some LDAP servers if
    they contain a userDN. This sets the configs in the cap library to
    specify unauthenticated binds for anonymous group searches should
    exclude a DN.

Closes #26171
Closes #26183
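Added illustration of the failure the report and the fix description above turn on; this is example code written for this page, not code from Vault or the cap library. It models the RFC 4513 section 5.1 distinction between an anonymous simple bind (empty name, empty password) and an unauthenticated simple bind (name present, empty password), shows the BER bytes each puts on the wire, and models a server configured to refuse unauthenticated binds with result code 53, which is exactly what the reporter's directory did when the group search carried the user DN. The `allowUnauthenticated` switch and any DN passed in are assumptions for the demonstration.

```go
package main

import "errors"

// BindKind distinguishes the three simple-bind forms of RFC 4513 section 5.1.
type BindKind int

const (
	AnonymousBind       BindKind = iota // empty name and empty password
	UnauthenticatedBind                 // name present, empty password
	SimpleBind                          // name and password present
)

// LDAP result code 53 (unwillingToPerform), the code in the reported error.
const ResultUnwillingToPerform = 53

// ClassifyBind applies the RFC 4513 rule to a simple bind's name/password pair.
func ClassifyBind(name, password string) BindKind {
	switch {
	case name == "" && password == "":
		return AnonymousBind
	case password == "":
		return UnauthenticatedBind
	}
	return SimpleBind
}

// tlv encodes one BER tag-length-value triple (short-form length, under 128 bytes).
func tlv(tag byte, content []byte) []byte {
	return append([]byte{tag, byte(len(content))}, content...)
}

// BindRequestBytes encodes BindRequest ::= [APPLICATION 0] SEQUENCE { version 3,
// name LDAPDN, authentication simple [0] OCTET STRING }. The LDAPMessage envelope
// (messageID) is left out so the two bind forms can be compared byte for byte.
func BindRequestBytes(name, password string) []byte {
	body := append([]byte{0x02, 0x01, 0x03}, tlv(0x04, []byte(name))...)
	return tlv(0x60, append(body, tlv(0x80, []byte(password))...))
}

// ServerBind models a directory whose policy (assumed here) refuses unauthenticated
// binds, the behaviour behind "unauthenticated bind (DN with no password) disallowed".
// An anonymous bind (empty name) passes, so an anonymous group search must use one.
func ServerBind(name, password string, allowUnauthenticated bool) (int, error) {
	if ClassifyBind(name, password) == UnauthenticatedBind && !allowUnauthenticated {
		return ResultUnwillingToPerform, errors.New("unauthenticated bind (DN with no password) disallowed")
	}
	return 0, nil
}
```

Calling `ServerBind` with a constructed DN such as `uid=cnosal,ou=People,dc=home,dc=arpa` and an empty password reproduces the 53 result; calling it with an empty name succeeds, which is the bind the fixed client sends for anonymous group searches.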
fairclothjm added a commit that referenced this issue Mar 28, 2024
* auth/ldap: fix login errors

This fixes 2 ldap auth login errors

* Missing entity alias attribute value
  * Vault relies on case insensitive user attribute keys for mapping user
    attributes to entity alias metadata. This sets the appropriate
    configs in the cap library.

* ldap group search anonymous bind regression
  * Anonymous group searches can be rejected by some LDAP servers if
    they contain a userDN. This sets the configs in the cap library to
    specify unauthenticated binds for anonymous group searches should
    exclude a DN.

Closes #26171
Closes #26183

* changelog

* go mod tidy

* go get cap/ldap@latest and go mod tidy
fairclothjm added a commit that referenced this issue Mar 28, 2024
digivava pushed a commit that referenced this issue Mar 28, 2024
fairclothjm added a commit that referenced this issue Apr 9, 2024
Add tests to cover the regressions reported in
- #26171
- #26183
fairclothjm added a commit that referenced this issue Apr 10, 2024
* ldap/auth: add tests for login regressions

Add tests to cover the regressions reported in
- #26171
- #26183

* fix tests; update image tag