
Vault LDAP Auth backend does not work against AWS Simple AD. #3625

Closed
askulkarni2 opened this issue Nov 28, 2017 · 4 comments

Environment:

  • Vault Version: Vault v0.9.0 ('bdac1854478538052ba5b7ec9a9ec688d35a3335')

  • Operating System/Architecture:
    AWS EC2 Ubuntu 16.04.3 LTS
    Vault running as a docker container.

sudo docker version
Client:
 Version:      17.09.0-ce
 API version:  1.32
 Go version:   go1.8.3
 Git commit:   afdb6d4
 Built:        Tue Sep 26 22:42:18 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.09.0-ce
 API version:  1.32 (minimum version 1.12)
 Go version:   go1.8.3
 Git commit:   afdb6d4
 Built:        Tue Sep 26 22:40:56 2017
 OS/Arch:      linux/amd64
 Experimental: false

Vault Config File:
sudo docker run --cap-add=IPC_LOCK -d -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:1234' vault

Startup Log Output:

==> Vault server configuration:

                     Cgo: disabled
         Cluster Address: https://0.0.0.0:1235
              Listener 1: tcp (addr: "0.0.0.0:1234", cluster address: "0.0.0.0:1235", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
        Redirect Address: http://0.0.0.0:1234
                 Storage: inmem
                 Version: Vault v0.9.0
             Version Sha: bdac1854478538052ba5b7ec9a9ec688d35a3335

2017/11/28 20:19:44.619396 [INFO ] core: security barrier not initialized
2017/11/28 20:19:44.619575 [INFO ] core: security barrier initialized: shares=1 threshold=1
2017/11/28 20:19:44.619873 [INFO ] core: post-unseal setup starting
2017/11/28 20:19:44.634859 [INFO ] core: loaded wrapping token key
2017/11/28 20:19:44.634872 [INFO ] core: successfully setup plugin catalog: plugin-directory=
2017/11/28 20:19:44.636016 [INFO ] core: successfully mounted backend: type=kv path=secret/
2017/11/28 20:19:44.636050 [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2017/11/28 20:19:44.636278 [INFO ] core: successfully mounted backend: type=system path=sys/
2017/11/28 20:19:44.638627 [INFO ] core: successfully mounted backend: type=identity path=identity/
2017/11/28 20:19:44.639844 [INFO ] expiration: restoring leases
2017/11/28 20:19:44.642462 [INFO ] rollback: starting rollback manager
2017/11/28 20:19:44.642576 [INFO ] identity: entities restored
2017/11/28 20:19:44.642593 [INFO ] identity: groups restored
2017/11/28 20:19:44.642606 [INFO ] core: post-unseal setup complete
2017/11/28 20:19:44.642779 [INFO ] core: root token generated
2017/11/28 20:19:44.642783 [INFO ] core: pre-seal teardown starting
2017/11/28 20:19:44.642786 [INFO ] core: cluster listeners not running
2017/11/28 20:19:44.642832 [INFO ] expiration: lease restore complete
2017/11/28 20:19:44.652942 [INFO ] rollback: stopping rollback manager
2017/11/28 20:19:44.652987 [INFO ] core: pre-seal teardown complete
2017/11/28 20:19:44.653067 [INFO ] core: vault is unsealed
2017/11/28 20:19:44.653105 [INFO ] core: post-unseal setup starting
2017/11/28 20:19:44.653159 [INFO ] core: loaded wrapping token key
2017/11/28 20:19:44.653162 [INFO ] core: successfully setup plugin catalog: plugin-directory=
2017/11/28 20:19:44.653353 [INFO ] core: successfully mounted backend: type=kv path=secret/
2017/11/28 20:19:44.653475 [INFO ] core: successfully mounted backend: type=system path=sys/
2017/11/28 20:19:44.653644 [INFO ] core: successfully mounted backend: type=identity path=identity/
2017/11/28 20:19:44.653655 [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2017/11/28 20:19:44.654336 [INFO ] expiration: restoring leases
2017/11/28 20:19:44.654431 [INFO ] rollback: starting rollback manager
2017/11/28 20:19:44.654503 [INFO ] identity: entities restored
2017/11/28 20:19:44.654514 [INFO ] identity: groups restored
2017/11/28 20:19:44.654525 [INFO ] core: post-unseal setup complete
2017/11/28 20:19:44.657407 [INFO ] expiration: lease restore complete
==> WARNING: Dev mode is enabled!

In this mode, Vault is completely in-memory and unsealed.
Vault is configured to only have a single unseal key. The root
token has already been authenticated with the CLI, so you can
immediately begin using the Vault CLI.

The only step you need to take is to set the following
environment variables:

    export VAULT_ADDR='http://0.0.0.0:1234'

The unseal key and root token are reproduced below in case you
want to seal/unseal the Vault or play with authentication.

Unseal Key: XXXXXXXXXXX=
Root Token: myroot

==> Vault server started! Log data will stream in below:

Expected Behavior:
Vault LDAP Auth backend should work against AWS Simple AD.

OpenLDAP clients such as ldapsearch work against AWS Simple AD without any issue, so I would expect the Vault LDAP backend to work as well.

E.g.

ldapsearch -v -x -LLL -H ldap://aws-simple-ad-ip -D username@domain.com -W -b dc=domain,dc=com sAMAccountName

Actual Behavior:
Get the error:
LDAP bind (service) failed: unable to read LDAP response packet: unexpected EOF

Steps to Reproduce:

# vault auth-enable ldap
Successfully enabled 'ldap' at 'ldap'!

# vault write auth/ldap/config url="ldap://aws-simple-ad-ip:389" groupdn="dc=domain,dc=com" userattr="sAMAccountName" upndomain="domain.com" groupattr="memberOf" discoverdn=true
Success! Data written to: auth/ldap/config

# vault write auth/ldap/groups/operators policies=default
Success! Data written to: auth/ldap/groups/operators

# vault auth -method=ldap username=username
Password (will be hidden):
Error making API request.

URL: PUT http://localhost:1234/v1/auth/ldap/login/username
Code: 400. Errors:

* LDAP bind (service) failed: unable to read LDAP response packet: unexpected EOF
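
Added example, not part of this issue and not Vault's or go-ldap's code: the wire exchange behind the error above, as a small Go program with a hand-rolled BER encoder and decoder. BuildBindRequest produces the LDAPv3 simple-bind packet a client sends. With the upndomain setting from the config above the bind name is the UPN username@domain.com (the same form as the -D argument to ldapsearch), and the password sits in that packet in cleartext, which is why ldap://...:389 without starttls=true (or an ldaps:// URL; Vault's LDAP config supports both) deserves attention once the EOF problem is solved. ParseBindResponse reads the server's reply with io.ReadFull, so a server that closes the connection mid-packet produces "unable to read LDAP response packet: unexpected EOF", the same wording as the error above. The user name, password and replies are constructed for the example, and BuildBindResponse exists only to fabricate those replies offline.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
)

// BER tags used by an LDAPv3 simple bind (RFC 4511, section 4.2).
const (
	tagInteger, tagOctetString, tagEnumerated, tagSequence = 0x02, 0x04, 0x0a, 0x30
	appBindRequest, appBindResponse                       = 0x60, 0x61 // [APPLICATION 0] and [APPLICATION 1], constructed
	ctxSimplePassword                                     = 0x80       // [0] simple authentication, primitive
)

// tlv wraps val in a tag-length-value triple, switching to the long length form past 127 octets.
func tlv(tag byte, val []byte) []byte {
	if len(val) < 0x80 {
		return append([]byte{tag, byte(len(val))}, val...)
	}
	var l []byte
	for v := len(val); v > 0; v >>= 8 {
		l = append([]byte{byte(v)}, l...)
	}
	return append(append([]byte{tag, 0x80 | byte(len(l))}, l...), val...)
}

// encodeInt encodes a non-negative integer in minimal big-endian form with the sign bit clear.
func encodeInt(tag byte, v int) []byte {
	b := []byte{byte(v)}
	for v >>= 8; v > 0; v >>= 8 {
		b = append([]byte{byte(v)}, b...)
	}
	if b[0]&0x80 != 0 {
		b = append([]byte{0}, b...)
	}
	return tlv(tag, b)
}

func decodeInt(b []byte) (n int) {
	for _, c := range b {
		n = n<<8 | int(c)
	}
	return n
}

// BuildBindRequest encodes LDAPMessage{messageID, BindRequest{version 3, name, simple password}}.
// With Vault's upndomain setting, name is the UPN "user@domain.com" rather than a full DN.
func BuildBindRequest(msgID int, name, password string) []byte {
	op := append(encodeInt(tagInteger, 3), tlv(tagOctetString, []byte(name))...)
	op = append(op, tlv(ctxSimplePassword, []byte(password))...)
	return tlv(tagSequence, append(encodeInt(tagInteger, msgID), tlv(appBindRequest, op)...))
}

// BuildBindResponse encodes the server's reply; it exists so replies can be constructed offline.
func BuildBindResponse(msgID, resultCode int, matchedDN, diag string) []byte {
	op := append(encodeInt(tagEnumerated, resultCode), tlv(tagOctetString, []byte(matchedDN))...)
	op = append(op, tlv(tagOctetString, []byte(diag))...)
	return tlv(tagSequence, append(encodeInt(tagInteger, msgID), tlv(appBindResponse, op)...))
}

// readTLV reads one BER element from the wire and checks its tag. A peer that closes the socket
// before the element is complete surfaces as io.ErrUnexpectedEOF, the condition behind the
// "unable to read LDAP response packet: unexpected EOF" message in this issue.
func readTLV(r io.Reader, want byte, what string) ([]byte, error) {
	hdr := make([]byte, 2)
	if _, err := io.ReadFull(r, hdr); err != nil {
		return nil, fmt.Errorf("unable to read LDAP response packet: %w", err)
	}
	if hdr[0] != want {
		return nil, fmt.Errorf("malformed %s: expected tag 0x%02x, got 0x%02x", what, want, hdr[0])
	}
	n := int(hdr[1])
	if n&0x80 != 0 { // long form: the low bits count the length octets that follow
		if n &= 0x7f; n == 0 || n > 3 { // the length is peer-controlled: reject indefinite and >16 MiB
			return nil, fmt.Errorf("malformed %s: unsupported BER length", what)
		}
		ext := make([]byte, n)
		if _, err := io.ReadFull(r, ext); err != nil {
			return nil, fmt.Errorf("unable to read LDAP response packet: %w", err)
		}
		n = decodeInt(ext)
	}
	val := make([]byte, n)
	if _, err := io.ReadFull(r, val); err != nil {
		return nil, fmt.Errorf("unable to read LDAP response packet: %w", err)
	}
	return val, nil
}

// ParseBindResponse decodes LDAPMessage{messageID, BindResponse{resultCode, matchedDN,
// diagnosticMessage}}; optional trailing fields (referral, serverSaslCreds) are ignored.
func ParseBindResponse(r io.Reader) (msgID, code int, diag string, err error) {
	next := func(src io.Reader, want byte, what string) (v []byte) {
		if err == nil { // the first error sticks; later reads become no-ops
			v, err = readTLV(src, want, what)
		}
		return v
	}
	msg := bytes.NewReader(next(r, tagSequence, "LDAPMessage"))
	msgID = decodeInt(next(msg, tagInteger, "messageID"))
	op := bytes.NewReader(next(msg, appBindResponse, "BindResponse"))
	code = decodeInt(next(op, tagEnumerated, "resultCode"))
	next(op, tagOctetString, "matchedDN") // consumed but not needed here
	diag = string(next(op, tagOctetString, "diagnosticMessage"))
	return msgID, code, diag, err
}

func main() {
	// Constructed sample: the UPN Vault forms from username and upndomain, a made-up password,
	// and three fabricated replies. Nothing here touches the network or real credentials.
	fmt.Printf("BindRequest: % x\n", BuildBindRequest(1, "username@domain.com", "hunter2"))
	ok := BuildBindResponse(1, 0, "", "")
	for _, reply := range [][]byte{ok, BuildBindResponse(1, 49, "", "invalid credentials"), ok[:6]} {
		id, code, diag, err := ParseBindResponse(bytes.NewReader(reply))
		fmt.Printf("messageID=%d resultCode=%d diag=%q err=%v\n", id, code, diag, err)
	}
}
```

The third reply in main is the success packet cut after six bytes, which is enough to reproduce the unexpected EOF wording without a directory server; when that message appears against a real server, a packet capture on port 389 will show whether the peer sent a partial LDAPMessage or simply closed the socket. The check on the long-form length octet count matters because the length comes from the peer: without it a crafted length such as 0xff would feed more bytes into decodeInt than an int holds and the following make() could panic on a negative size.
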

jefferai commented Dec 4, 2017

Do you see anything in Vault's logs? You're showing only stdout there; Vault's server logs go to stderr after Vault starts.


jefferai commented Dec 7, 2017

May be related to #3656

@askulkarni2 (Author)

@jefferai I did not see anything in the stderr logs. But I rebuilt Vault as specified in #3656 using the test-goldap-fix branch and that seems to have fixed the issue. I am getting another error but that seems to be related to the ldap parameters I am specifying. Thank you for the help!


jefferai commented Dec 7, 2017

Gotcha. Marking (even though this came first) as a duplicate of #3656 then!
