Login tokens don't expire #4425

Closed
mateibarbu-sphs opened this issue Apr 23, 2018 · 8 comments
@mateibarbu-sphs

mateibarbu-sphs commented Apr 23, 2018

Hi,

I am logging in using LDAP, with the File backend configured, and I want users to be forced to reconnect every 10 minutes if there is no movement in the Vault UI, but no matter what TTL and maximum TTL I use, I don't get logged out.
If I check my token duration it says it has a 30-day TTL and is renewable.

Also, another issue would be that even though I have this 30-day TTL, I get a new token every time I log in.

How do I implement this, or is it a bug?

Vault v0.10.0
Linux

@meirish
Contributor

meirish commented Apr 23, 2018

Hello, it sounds like there are a couple of different things going on here.

Currently, if the token you're logged in with is renewable, the Vault UI will renew that token so long as you're active in the UI. If you're inactive, after a threshold (I believe currently it's 3 minutes), it will stop auto-renewing and show a notice telling you as much. Once the token is expired, the UI will just render a notice that your token is expired and you'll still have to log out and log in. If you're not seeing the described behavior, it's certainly a bug.

> Also, another issue would be that even though I have this 30-day TTL, I get a new token every time I log in.

This is how all authentication methods other than the token method work - every time you authenticate you will get a new token.

@mateibarbu-sphs
Author

mateibarbu-sphs commented Apr 23, 2018

Thank you for answering on both my threads Meirish!

Well, yes, I do get the message about me being away, but it says my auth token will be valid for 30 more days, even though I've put in a TTL of 1 minute and 5 minutes to test.

Am I not configuring it correctly? I am using the UI and edit Access, Authentication, LDAP and set the default TTL to 5 minutes and the maximum TTL to 10 minutes. After 10 minutes I should be prompted to relog, correct?

What would be the equivalent CLI command to update the current LDAP configuration? Maybe it can work from there.

Thank you for taking the time to answer!
Br, Matei

@jefferai
Member

How are you setting the ttl/max ttl? On the mount or inside the ldap config?

@mateibarbu-sphs
Author

Hi Jefferai, thank you for answering!

I am editing in the Access tab, Auth Methods category, ldap "folder" (the other one is "token"). I guess it is the mount, but I am not very familiar and I don't want to confuse you.

This is the copy-paste from where I can configure:

Ldap
Type ldap
Path ldap/
Description
Accessor auth_ldap_6bf141dc
Local No
Seal wrap No
Default Lease TTL 5m
Max Lease TTL 10m

@jefferai
Member

I can't reproduce:

$ vault auth enable ldap
Success! Enabled ldap auth method at: ldap/

$ vault auth tune -default-lease-ttl=5m -max-lease-ttl=10m ldap
Success! Tuned the auth method at: ldap/

$ vault write auth/ldap/config url="ldap://ldap.forumsys.com" userattr="uid" userdn="dc=example,dc=com" groupdn="dc=example,dc=com"
Success! Data written to: auth/ldap/config

$ vault write auth/ldap/groups/Scientists policies=foo
Success! Data written to: auth/ldap/groups/Scientists

$ vault login -method=ldap username=tesla
Password (will be hidden): 
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  0c02105e-9a60-5e88-6327-0a56cd3d2953
token_accessor         40371ea2-42d9-1c7a-aa7e-2af422ee101d
token_duration         5m
token_renewable        true
token_policies         [default foo]
token_meta_username    tesla

$ vault token-renew -increment=15m
WARNING! The "vault token-renew" command is deprecated. Please use "vault
token renew" instead. This command will be removed in Vault 0.11 (or later).

WARNING! The following warnings were returned from Vault:

  * TTL of "15m0s" exceeded the effective max_ttl of "9m26s"; TTL value is
  capped accordingly

Key                    Value
---                    -----
token                  0c02105e-9a60-5e88-6327-0a56cd3d2953
token_accessor         40371ea2-42d9-1c7a-aa7e-2af422ee101d
token_duration         9m26s
token_renewable        true
token_policies         [default foo]
token_meta_username    tesla

As you can see, after successful login, the token gets a 5m ttl and attempts to go beyond that are not allowed.
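To see where the "9m26s" in the renewal warning above comes from, here is an added Python model (not Vault's code and not part of this issue) of how the mount's max TTL is applied: the ceiling is measured from the token's creation time, so a renewal can only ever extend the token to created_at + max_ttl, and repeated renewals (such as the UI's auto-renew while you are active) never push past it. Timestamps are constructed second counters, and the duration parser/formatter mimic the CLI's "5m" / "9m26s" style.

```python
import re

# Go-style durations as the Vault CLI prints them ("5m", "9m26s", "15m0s").
_UNITS = {"h": 3600, "m": 60, "s": 1}


def parse_duration(text: str) -> int:
    """Return the number of seconds in a duration string such as '9m26s'."""
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad duration: {text!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)


def format_duration(seconds: int) -> str:
    """Render seconds the way the CLI token table does ('5m', '9m26s')."""
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    if h:
        return f"{h}h{m}m{s}s"
    if m:
        return f"{m}m{s}s" if s else f"{m}m"
    return f"{s}s"


def renewal_ttl(created_at: int, now: int, requested: str, max_ttl: str):
    """Cap a renewal request against the mount's max TTL.

    The max TTL counts from token creation, so the remaining headroom
    shrinks as the token ages. Returns (granted_seconds, was_capped).
    """
    remaining = created_at + parse_duration(max_ttl) - now
    if remaining <= 0:
        raise ValueError("max TTL reached; renewal impossible, log in again")
    wanted = parse_duration(requested)
    return min(wanted, remaining), wanted > remaining


def expiry_after_renewals(created_at: int, default_ttl: str, max_ttl: str,
                          renew_times: list, increment: str) -> int:
    """Walk a series of renewal attempts (e.g. UI auto-renew on activity)
    and return the final expiry time. A renewal after expiry is ignored,
    which is the point at which the UI shows its 'token expired' notice."""
    expiry = created_at + parse_duration(default_ttl)
    for t in renew_times:
        if t >= expiry:
            break  # already expired: nothing left to renew
        granted, _ = renewal_ttl(created_at, t, increment, max_ttl)
        expiry = t + granted
    return expiry
```

With max_ttl=10m, a 15m renewal requested 34 seconds after login is capped to 9m26s, matching the warning in the session above; a token renewed every minute still expires exactly 10 minutes after it was issued.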

@mateibarbu-sphs
Author

Thank you for helping me Jeff!

I've used the tune command and it works correctly after it, but the config in the UI is still bugged.

I've tuned for a 2-minute expiration time, but in the UI it remains at 10 minutes as before; it does work correctly though, logging me off after 2 minutes. I will configure using the tune command, and thank you very much for helping me!

Best regards,
Matei

@meirish
Contributor

meirish commented Apr 23, 2018

Could be a bug in the UI (sounds like it). I’ll double-check.

@meirish
Contributor

meirish commented Apr 23, 2018

Yep, that was the case - the UI saves TTLs correctly when enabling an auth method, but not on mount tunes. Fixed in the linked PR though - thanks for reporting!

@meirish meirish closed this as completed Apr 23, 2018