Bug with "login error missing entity alias attribute value" was not fixed in version 1.16.1
Describe the bug
When I am trying to log in to Vault using LDAP after upgrading from 1.13.2 to 1.16.1, I get an error: Authentication failed missing entity alias attribute value. Downgrading to version 1.15.6 fixes this issue.
To Reproduce
Steps to reproduce the behavior:
- Upgrade to version 1.16.1
- Use Google LDAP (when you log in, you use the user without @domain.name, but in the alias the user is stored with @domain.name)
- Try to log in using LDAP
Expected behavior
Login via LDAP on version 1.16+ works as it did on version 1.15.6
Environment:
- Vault Server Version: 1.16.1
- Vault CLI Version: 1.16.1
- Server Operating System/Architecture: Docker (bitnami image with tag 1.16.1; main OS is Ubuntu 20)
Vault server configuration file(s):
storage "raft" {
  path = "/vault/file"
  node_id = "vault1"
  retry_join {
    leader_tls_servername = "vault1.example.com"
    leader_api_addr = "https://vault1.example.com:8200"
    leader_ca_cert_file = "/opt/vault/tls/vault-ca.pem"
    leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
    leader_client_key_file = "/opt/vault/tls/vault-key.pem"
  }
  retry_join {
    leader_tls_servername = "vault2.example.com"
    leader_api_addr = "https://vault2.example.com:8200"
    leader_ca_cert_file = "/opt/vault/tls/vault-ca.pem"
    leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
    leader_client_key_file = "/opt/vault/tls/vault-key.pem"
  }
  retry_join {
    leader_tls_servername = "vault3.example.com"
    leader_api_addr = "https://vault3.example.com:8200"
    leader_ca_cert_file = "/opt/vault/tls/vault-ca.pem"
    leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
    leader_client_key_file = "/opt/vault/tls/vault-key.pem"
  }
}
listener "tcp" {
  address = "0.0.0.0:8200"
  cluster_addr = "0.0.0.0:8201"
  tls_cert_file = "/opt/vault/tls/vault-cert.pem"
  tls_key_file = "/opt/vault/tls/vault-key.pem"
  tls_client_ca_file = "/opt/vault/tls/vault-ca.pem"
}
telemetry {
  prometheus_retention_time = "15m"
  disable_hostname = true
}
api_addr = "https://vault1.example.com:8200"
cluster_addr = "https://vault1.example.com:8201"
ui = true
disable_mlock = true
default_lease_ttl = "168h"
max_lease_ttl = "720h"
log_level = "Error"
seal "gcpckms" {
  credentials = "/opt/vault/gcp_service_account.json"
  project = "project-id"
  region = "global"
  key_ring = "keyring"
  crypto_key = "key-ring"
}
Additional context
LDAP config
Key Value
anonymous_group_search false
binddn
case_sensitive_names false
certificate
connection_timeout 0
deny_null_bind true
dereference_aliases
discoverdn false
groupattr memberOf
groupdn ou=Groups,dc=example,dc=com
groupfilter (&(uniqueMember=uid={{.Username}},ou=Users,dc=example,dc=com))
insecure_tls false
max_page_size 0
request_timeout 90
starttls false
tls_max_version tls12
tls_min_version tls12
token_bound_cidrs []
token_explicit_max_ttl 0
token_max_ttl 0
token_no_default_policy false
token_num_uses 0
token_period 0
token_policies []
token_ttl 0
token_type default
upndomain example.com
url ldaps://ldap.example.com
use_pre111_group_cn_behavior false
use_token_groups false
userattr mail
userdn ou=Users,dc=example,dc=com
userfilter ({{.UserAttr}}={{.Username}})
username_as_alias false
I was able to login using a similar config as yours without issue on 1.16.1, however, I did not use Google LDAP. I will try to reproduce with that specific implementation.
@hennadii2012 I think I might see the problem. Prior to 1.16, Vault was doing something clever when upndomain was set. Instead of trying to use the value set for userattr (in your case that would be mail), it would set the alias username to be <username>@<upndomain>. Now that it's using a different library, it's honoring userattr and breaking for you.
Can you check the user account in Google's LDAP and make sure the mail attribute is set on the entity? I'm seeing it's a valid field but I suspect the value is empty: https://support.google.com/a/answer/9188164?hl=en.
@jasonodonnell , I am not 100% sure how to check that the entity is set. But it looks like no, because I can set uid, cn, or mail as userattr and in all cases I see successful auth on the LDAP server side, but "Authentication failed: missing entity alias attribute value" on the Vault side.
Also I tried to delete the existing alias to give Vault the possibility to set it automatically, and it also did not help.
The same situation with deletion of the entity.
Looks like Vault does not execute any actions for now if upndomain exists.
@hennadii2012 The error is happening because LDAP isn't returning the user attributes you are asserting should be there (userattr). I attempted to use Google's LDAP service but it requires an enterprise Google account which I currently don't have access to.
To debug further, I'm wondering if you would be able to use the ldapsearch tool to check the user attributes:
ldapsearch -x -H ldaps://ldap.example.com -D <admin_dn> -W -b ou=Users,dc=example,dc=com mail
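The two comments above describe the mechanism (pre-1.16 the alias name was <username>@<upndomain> whenever upndomain was set; 1.16 takes it from userattr) and suggest checking with ldapsearch whether the attribute is actually populated. The following is an added illustration written for this thread, not Vault's own code: it parses ldapsearch-style LDIF (a constructed sample resembling the output posted later in the thread, with a second user whose mail is deliberately empty), lists the accounts whose userattr is missing or empty, and models the alias derivation under both behaviours so the "missing entity alias attribute value" failure is visible for the empty case. SAMPLE_LDIF, LdapConfig, legacy_upn_alias and the function names are assumptions of this example.

```python
"""Added illustration for the thread above; not Vault's code.

Models the alias-name derivation described in the comments (pre-1.16:
<username>@<upndomain> when upndomain is set; 1.16+: the value of userattr)
and checks ldapsearch LDIF output for users whose userattr is absent or empty.
"""
from dataclasses import dataclass

# Constructed LDIF resembling ldapsearch output; other_user is deliberately
# given an empty mail attribute to show the failure case.
SAMPLE_LDIF = """\
# test_user, Users, example.com
dn: uid=test_user,ou=Users,dc=example,dc=com
uid: test_user
mail: test_user@example.com

# other_user, Users, example.com
dn: uid=other_user,ou=Users,dc=example,dc=com
uid: other_user
mail:
"""


def parse_ldif(text):
    """Parse plain (non-base64, non-folded) LDIF into {dn: {attr: [values]}}.

    Comment lines are skipped, a blank line ends an entry, and attribute
    names are lower-cased because LDAP attribute names are case-insensitive.
    """
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
            continue
        if current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        current.setdefault(attr, []).append(value)
    return entries


def users_missing_attr(entries, attr):
    """DNs whose `attr` is absent or has only empty values: the accounts that
    would fail once the alias name is taken from that attribute."""
    attr = attr.lower()
    return sorted(dn for dn, e in entries.items()
                  if not any(v for v in e.get(attr, [])))


@dataclass
class LdapConfig:
    # Hypothetical subset of the LDAP auth config shown in the issue.
    userattr: str = "mail"
    upndomain: str = ""
    username_as_alias: bool = False


def alias_name(username, entry, cfg, legacy_upn_alias=False):
    """Derive the entity alias name for a successful LDAP login.

    legacy_upn_alias=True models the pre-1.16 behaviour described in the
    thread; False models 1.16 honouring userattr. Raises LookupError with the
    thread's error text when the attribute is missing or empty.
    """
    if cfg.username_as_alias:
        return username
    if legacy_upn_alias and cfg.upndomain:
        return f"{username}@{cfg.upndomain}"
    values = [v for v in entry.get(cfg.userattr.lower(), []) if v]
    if not values:
        raise LookupError("missing entity alias attribute value")
    return values[0]


def explain_login(username, entry, cfg, legacy_upn_alias=False):
    """Return 'alias=<name>' or 'error: <message>' for one login attempt."""
    try:
        return "alias=" + alias_name(username, entry, cfg, legacy_upn_alias)
    except LookupError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    cfg = LdapConfig(userattr="mail", upndomain="example.com")
    print("users with empty/missing mail:", users_missing_attr(entries, "mail"))
    for dn, entry in entries.items():
        uid = entry["uid"][0]
        print(dn)
        print("  pre-1.16:", explain_login(uid, entry, cfg, legacy_upn_alias=True))
        print("  1.16+:   ", explain_login(uid, entry, cfg))
```

Feeding real ldapsearch output to parse_ldif (piping without the grep, so whole entries are kept) and running users_missing_attr over it for the configured userattr is the quick way to see whether any account would trip the 1.16 alias lookup; the model also shows why the old and new alias names coincide for a user whose mail is uid@upndomain, and diverge otherwise.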
@jasonodonnell , I get mail in the answer from my LDAP server
root@4bcab5e557b7:/# ldapsearch -x -H ldaps://ldap.example.com -D admin -W -b ou=Users,dc=example,dc=com mail |grep test_user
Enter LDAP Password:
ldap_bind: Success (0)
additional info: Valid access code
# test_user, Users, example.com
dn: uid=test_user,ou=Users,dc=example,dc=com
mail: [email protected]
Thanks @hennadii2012, that's valuable info. Now to understand why Vault isn't seeing that 😅.
Few things I want to check:
- Are you using Vault CE or Enterprise?
- Can you confirm that your server is 1.16.1 and seeing this issue?
- Do you see the same login failure on the CLI as well?
Hello, thank you for your attention to this issue.
Are you using Vault CE or Enterprise? - Vault CE
Can you confirm that your server is 1.16.1 and seeing this issue? - Yes, I have version 1.16.1 of the server installed
Do you see the same login failure on the CLI as well? - Yes, the problem is the same via CLI
vault login -method=ldap username=test_user
Password (will be hidden):
Error authenticating: Error making API request.
URL: PUT https://vault.example.com/v1/auth/ldap/login/test_user
Code: 400. Errors:
* missing entity alias attribute value
Hello, same issue when upgrading Vault from version 1.8.5 to version 1.16.0-1 on Ubuntu 20.04. Any workaround or fix?
I had a similar problem with LDAP.
My user was in a different OU than the one in the LDAP configuration (OU=users,DC=domain); the user's OU was OU=admin,DC=domain.
After moving the user to the correct User DN (OU=users,DC=domain) the problem is gone.
@ldipaolaIT , some issues with LDAP were fixed in version 1.16.1 (but not mine). Could you check, please, if your issue was fixed in version 1.16.1?
Hello @hennadii2012 , I have upgraded to version 1.16.2 and the issue is fixed. Many thanks!
Hello @jasonodonnell, do we have any progress here?
@hennadii2012 : try to clear the upndomain (set it to empty string, ""). I couldn't get username login to work with upndomain set.
It works with upndomain "", but it completely breaks the logic for policies that were based on the domain, so all users would need to be recreated. I hoped that I would not need to go this way.
From: Eero Aaltonen
Sent: Wednesday, July 31, 2024 4:17:19 PM
Subject: Re: [hashicorp/vault] Bug with "login error missing entity alias attribute value" was not fixed in version 1.16.1 (Issue #26568)