LDAP bind fail #3656
Hi,
I don't see anything obvious in the code. Going by your observation, I am
not sure if it's the shell that's adding those extra characters. Can you try
supplying the bindpass in quotes?
vault write auth/ldap/config url=URL \
binddn="cn=vault,ou=Users,dc=example,dc=com" \
bindpass="PASS" \
userattr=sAMAccountName
Regards,
Vishal
On Wed, Dec 6, 2017 at 11:11 AM, aprousas wrote:
*Environment:*
- Vault Version: v0.9.0 and v0.8.3
- Operating System/Architecture: CentOS 7.2 x86_64
*Vault Config File:*
backend "file" {
path = "secrets"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 1
}
disable_mlock = true
*Vault LDAP Config*
vault write auth/ldap/config url=URL \
binddn="cn=vault,ou=Users,dc=example,dc=com" \
bindpass=PASS \
userattr=sAMAccountName
*Expected Behavior:*
Authenticate user using LDAP auth backend.
*Actual Behavior:*
$ vault auth -method=ldap username=myuser
Password (will be hidden):
Error making API request.
URL: PUT http://0.0.0.0:8200/v1/auth/ldap/login/myuser
Code: 400. Errors:
* LDAP bind (service) failed: unable to read LDAP response packet: unexpected EOF
I have captured the communication between Vault and the LDAP server and
noticed that there is a problem with the LDAP bind request.
Vault produces the following LDAP bind request (taken from Wireshark):
40 55 39 b6 21 67 00 0c 29 f2 4d 32 08 00 45 00 @u9.!g..).M2..E.
00 6b b9 70 40 00 40 06 b5 fe c0 a8 00 42 0a 00 .k.p@.@......B..
00 34 de 28 01 85 1e 11 a7 ac d9 50 f9 6c 80 18 .4.(.......P.l..
00 e5 cb 7b 00 00 01 01 08 0a 0b 83 1f 0b a8 f0 ...{............
e3 23 30 35 02 01 01 60 30 02 01 03 04 23 63 6e .#5...`0....#cn
3d 76 61 75 6c 74 2c 6f 75 3d 55 73 65 72 73 2c =vault,ou=Users,
64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f dc=example,dc=co
6d 80 04 50 41 53 53 a0 00 m..PASS..
I compared the above with a working scenario and I noted that in the
working scenario there were no characters just after the "PASS". This made
me think that in the above request the problem lies in the last two
characters *(a0 00)*, which are the 'breaking space' and the 'null
character'. Could this be the problem? If so, what is the way to work
around it? Can anyone justify why these are there?
*References:*
Maybe it is related to issue #3402
--
vn
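Added example (not code from the issue, from Vault or from go-ldap): a small BER walker that decodes the LDAP BindRequest from the frame bytes captured above. It strips the Ethernet, IPv4 and TCP headers using the length fields in the frame itself, then decodes the LDAPMessage per RFC 4511. The decode shows that the two trailing bytes are not a space and a NUL in the password: 0xA0 is a context-specific, constructed tag number 0 with zero length. At the LDAPMessage level, tag [0] is where the optional controls element lives, but here the BindRequest's own length byte (0x30 = 48) covers those two bytes, so they sit inside the bind operation after the authentication choice. That reading is mine, not the thread's; it is consistent with a lenient server accepting the bind while a stricter one rejects the malformed operation and closes the connection (the "unexpected EOF" in the issue). The offsets and the frame are taken from the page; the helper names are my own.

```python
# Added example, not the issue's or Vault's own code: decode the BindRequest
# captured in the issue and locate the trailing "a0 00" bytes structurally.

# Frame bytes exactly as captured in the issue (Ethernet + IPv4 + TCP + LDAP).
FRAME_HEX = """
40 55 39 b6 21 67 00 0c 29 f2 4d 32 08 00 45 00
00 6b b9 70 40 00 40 06 b5 fe c0 a8 00 42 0a 00
00 34 de 28 01 85 1e 11 a7 ac d9 50 f9 6c 80 18
00 e5 cb 7b 00 00 01 01 08 0a 0b 83 1f 0b a8 f0
e3 23 30 35 02 01 01 60 30 02 01 03 04 23 63 6e
3d 76 61 75 6c 74 2c 6f 75 3d 55 73 65 72 73 2c
64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f
6d 80 04 50 41 53 53 a0 00
"""
FRAME = bytes.fromhex(FRAME_HEX)


def ldap_payload(frame: bytes) -> bytes:
    """Return the TCP payload: skip Ethernet (14 bytes), IPv4 (IHL*4) and
    TCP (data offset*4) headers, reading both lengths from the headers."""
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    tcp_off = ip_off + ihl
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return frame[tcp_off + data_off:]


def read_tlv(buf: bytes, pos: int):
    """Read one BER TLV (single-byte tag, short or long definite length).
    Returns (tag, value, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def describe_tag(tag: int) -> str:
    """Human-readable BER tag class / form / number."""
    cls = ["universal", "application", "context-specific", "private"][tag >> 6]
    form = "constructed" if tag & 0x20 else "primitive"
    return f"{cls} {form} [{tag & 0x1F}]"


def parse_bind_request(payload: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindRequest, controls OPTIONAL }
    and report any element found inside the BindRequest after the
    AuthenticationChoice, where RFC 4511 defines nothing further."""
    tag, msg, _ = read_tlv(payload, 0)
    assert tag == 0x30, "LDAPMessage must be a SEQUENCE"
    pos = 0
    t, v, pos = read_tlv(msg, pos)
    assert t == 0x02, "messageID must be an INTEGER"
    message_id = int.from_bytes(v, "big")
    t, bind, pos = read_tlv(msg, pos)
    assert t == 0x60, "protocolOp must be [APPLICATION 0] BindRequest"
    after_protocol_op = msg[pos:]  # LDAPMessage-level controls would be here

    p = 0
    _, v, p = read_tlv(bind, p)
    version = int.from_bytes(v, "big")
    _, v, p = read_tlv(bind, p)
    name = v.decode("utf-8")
    auth_tag, v, p = read_tlv(bind, p)
    password = v.decode("utf-8")  # [0] simple authentication
    extra = []  # anything left inside the BindRequest is not in the ASN.1
    while p < len(bind):
        t, v, p = read_tlv(bind, p)
        extra.append((t, v))
    return {
        "message_id": message_id,
        "version": version,
        "name": name,
        "auth_tag": auth_tag,
        "password": password,
        "bind_request_length": len(bind),
        "extra_in_bind_request": extra,
        "after_protocol_op": after_protocol_op,
    }


def decode_capture() -> dict:
    """Decode the frame from the issue."""
    return parse_bind_request(ldap_payload(FRAME))


if __name__ == "__main__":
    result = decode_capture()
    for key, value in result.items():
        print(f"{key}: {value!r}")
    for tag, value in result["extra_in_bind_request"]:
        print(f"unexpected element inside BindRequest: tag 0x{tag:02x} "
              f"({describe_tag(tag)}), {len(value)} byte(s) of content")
```

Running it prints the decoded fields (messageID 1, version 3, the bind DN, "PASS" under the simple-authentication tag 0x80) and one unexpected element: tag 0xA0, context-specific constructed [0], empty. Nothing follows the protocolOp at the LDAPMessage level, so the empty [0] is enclosed by the BindRequest's length rather than appearing where controls belong. When comparing a failing capture against a working one, diffing these decoded structures is more reliable than reading the ASCII column of the hex dump, where 0xA0 and 0x00 only look like a space and a NUL.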
Hello @vishalnayak, thank you for your quick response. I've tried supplying the bindpass in quotes but it failed again for the same reason. I've also experimented with multiple LDAP configuration option values and combinations but all failed. The LDAP bind requests which are produced by the ldapsearch tool work fine and do not contain any extra characters after the "PASS". It seems that Vault adds those extra characters, but I cannot figure out what causes this problem.
@aprousas It looks like the problem is in the underlying library which Vault is using,
I can't say for sure whether the control characters are incorrect or not, but I can successfully log in when those are present:
Trace:
I appreciate your feedback. I hear you. So you mean that those two characters are not the problem. But do you have an indication then what the problem might be? Sorry, but I'm completely lost here and I'm struggling to figure out what the case is. I hope you understand. Thanks for your feedback, too. Waiting for your feedback.
Best regards,
PS: I'm using an Active Directory Service in AWS, should you believe it could be an issue with the compatibility with the LDAP server.
@aprousas any chance you can build Vault? I have a potential change to the go-ldap library; it would be good to see if it fixes things for you.
If you can build and test the
@jefferai I will try it and let you know about the results. Thanks!
go-ldap/ldap#142 has been approved but not merged yet; #3625 was fixed by that change, so for sure I will make sure that either the updated lib or my patched version is in 0.9.1. Extra verification from you would be great as well.
@aprousas BTW your Wireshark debugging was totally invaluable for solving this. Thanks so much for it!
@jefferai I've built Vault from Thank you for your help!
Great!