LDAP Auth backend breaks on v0.8.3 for some configurations #3402

Closed
hugespoon opened this issue Sep 29, 2017 · 5 comments

@hugespoon

Environment:

  • Vault Version: v0.8.3
  • Operating System/Architecture:
    Ubuntu 16.04 x86_64

Expected Behavior:
LDAP Auth backend should authenticate correctly.

Actual Behavior:

# vault auth -method=ldap username=myuser
Password (will be hidden):
Error making API request.

URL: PUT https://vault.mydomain.com/v1/auth/ldap/login/myuser
Code: 400. Errors:

* LDAP bind (service) failed: unable to read LDAP response packet: unexpected EOF

Steps to Reproduce:
Configure LDAP as follows:

Key            	Value
---            	-----
binddn         	CN=Admin,CN=Users,DC=mydomain,DC=com
bindpass       	BINDPASS
certificate
deny_null_bind 	true
discoverdn     	false
groupattr      	memberOf
groupdn        	OU=SSO,DC=mydomain,DC=com
groupfilter    	(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecure_tls   	false
starttls       	false
tls_max_version	tls12
tls_min_version	tls11
upndomain
url            	ldap://ldap.mydomain.com
userattr       	samaccountname
userdn         	OU=SSO,DC=mydomain,DC=com

Important Factoids:
I've been unable to reproduce this issue on v0.7.3 through v0.8.2. Only v0.8.3 seems to be at issue.

References:
This is the only recent LDAP-related issue that I could find.
#3293

@jefferai
Member

jefferai commented Oct 2, 2017

Presumably your bind password is not empty? (as in, you're doing authenticated binds?)

@jefferai jefferai added this to the 0.8.4 milestone Oct 2, 2017
@hugespoon
Author

Yes, I just redacted the bindpass.

@jefferai
Member

Any chance you can build from current master? We're not seeing reports from any other user on 0.8.3 and I looked at the updates to the underlying library and there isn't anything obvious, but there have been more updates between the version in 0.8.3 and now.

@snesbittsea

FWIW, I am seeing this error as well on Vault version 8.2 while attempting to authenticate against a Samba 4.3.11 ActiveDirectory instance in an Ubuntu 16.04 x86_64 environment.

@jefferai jefferai modified the milestones: 0.9.0, 0.9.1 Nov 14, 2017
@jefferai
Member

jefferai commented Dec 7, 2017

I am relatively positive that this is a duplicate of #3656. Closing as there is more debugging happening there, but I believe this should be fixed in 0.9.1. If you are able to test the branch referenced in that issue that would be great!
