Introduction
Problem
If you are utilising the LDAP or AD secret engine and encounter the error below when attempting to generate dynamic credentials, the cause may be the historical limit of 20 characters imposed on the sAMAccountName attribute within Active Directory.
Prerequisites
- Either the AD secret engine in use within Vault or the LDAP secret engine (Vault 1.12.0+) with schema=ad configured.
- Windows Server as the LDAP backend.
- You may see entries within Event Viewer with ID 1175 that show the following error:
Internal event: A privileged operation (rights required = 0x) on object CN=v_dynamic-role_1677735420,OU=Users,DC=local,DC=domain failed because a non-security related error occurred.
- When attempting to generate credentials you may see the following error:
Error reading ldap/creds/dynamic-role: Error making API request.
URL: GET https://vault.nicecorp.tld:8200/v1/ldap/creds/dynamic-role
Code: 500. Errors:
* 2 errors occurred:
* failed to create user: failed to execute statements: failed to run AddRequest: LDAP Result Code 80 "Other": 00000523: SysErr: DSID-031A1242, problem 22 (Invalid argument), data 0
* failed to roll back user creation: failed to execute statements: 1 error occurred:
* failed to run DelRequest: LDAP Result Code 32 "No Such Object": 0000208D: NameErr: DSID-0310028C, problem 2001 (NO_OBJECT), data 0, best match of:
'OU=dynamic-creds,OU=ldap-secret-engine,DC=local,DC=domain'
Cause
- The default username_template used by Vault will result in the attempted creation of users within Active Directory whose sAMAccountName attribute is longer than 20 characters. The default username_template uses the following format: v_{{.DisplayName}}_{{.RoleName}}_{{random 10}}_{{unix_time}}
- The 20 character limit imposed on the sAMAccountName attribute within Active Directory.
Overview of possible solutions
Solution:
In order to validate whether the root cause of the issue is the 20 character limit on the sAMAccountName attribute within Active Directory, you can adjust the configuration of the role within the secret engine and attempt to generate credentials by supplying a custom username_template value to the LDAP/AD role update endpoint, for example with the following configuration:
vault write ldap/role/dynamic-role creation_ldif=@create.ldif \
    rollback_ldif=@rollback-del.ldif deletion_ldif=@rollback-del.ldif \
    default_ttl=5m max_ttl=24h username_template="v_{{unix_time}}"
This will result in a user being created with a sAMAccountName such as v_1677802518 (the value of unix_time at creation).
Once the role has been updated, attempt to generate multiple sets of credentials, i.e. run vault read ldap/creds/dynamic-role several times.
If this is successful and no further errors are encountered, consult the documentation at https://developer.hashicorp.com/vault/api-docs/secret/ldap#username-template-fields and https://developer.hashicorp.com/vault/api-docs/secret/ldap#template-functions to gain an understanding of the fields and functions available within the username_template parameter, and use them to generate unique account names that fit within the 20 character limit. Once a suitable template has been decided on, update the role configuration to use it.
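As an added illustration (not part of this article and not Vault's own code), the following Go program renders a candidate username_template offline with Go's text/template and checks the result against the 20 character sAMAccountName limit before the template is applied to a role. The random and unix_time functions are stand-ins assumed for this example, the DisplayName and RoleName values are constructed samples, and a fixed clock is used so the output is reproducible; only the length of the rendered name matters for the check.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
	"math/big"
	"strconv"
	"text/template"
	"time"
)

// Limit stated in the article: Active Directory caps sAMAccountName at 20 characters.
const SAMAccountNameMaxLen = 20

// DefaultUsernameTemplate is the default template quoted in the article.
const DefaultUsernameTemplate = "v_{{.DisplayName}}_{{.RoleName}}_{{random 10}}_{{unix_time}}"

// ShortUsernameTemplate is the custom template the article suggests for diagnosis.
const ShortUsernameTemplate = "v_{{unix_time}}"

// templateData carries the two fields the default template references.
type templateData struct {
	DisplayName string
	RoleName    string
}

// randomString returns n alphanumeric characters. It is an assumed stand-in for
// Vault's "random" template function; only the output length matters here.
func randomString(n int) (string, error) {
	const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	out := make([]byte, n)
	for i := range out {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(charset))))
		if err != nil {
			return "", err
		}
		out[i] = charset[idx.Int64()]
	}
	return string(out), nil
}

// RenderUsername renders tmpl with stand-in "random" and "unix_time" functions
// (assumed for this example) and a caller-supplied clock for reproducibility.
func RenderUsername(tmpl string, data templateData, now time.Time) (string, error) {
	funcs := template.FuncMap{
		"random":    randomString,
		"unix_time": func() string { return strconv.FormatInt(now.Unix(), 10) },
	}
	t, err := template.New("username").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("parse template: %w", err)
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", fmt.Errorf("execute template: %w", err)
	}
	return buf.String(), nil
}

// FitsSAMAccountName reports whether a rendered username fits within the limit.
func FitsSAMAccountName(name string) bool {
	return len(name) <= SAMAccountNameMaxLen
}

// CheckTemplate renders tmpl and reports the username together with whether it fits.
func CheckTemplate(tmpl string, data templateData, now time.Time) (string, bool, error) {
	name, err := RenderUsername(tmpl, data, now)
	if err != nil {
		return "", false, err
	}
	return name, FitsSAMAccountName(name), nil
}

func main() {
	// Constructed sample values; the real DisplayName and RoleName depend on the token and role.
	data := templateData{DisplayName: "token", RoleName: "dynamic-role"}
	now := time.Unix(1677802518, 0) // the unix_time value shown in the article
	for _, tmpl := range []string{DefaultUsernameTemplate, ShortUsernameTemplate} {
		name, ok, err := CheckTemplate(tmpl, data, now)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-62s -> %q (%d chars, fits=%t)\n", tmpl, name, len(name), ok)
	}
}
```

With the sample values the default template renders to 42 characters and fails the check, while v_{{unix_time}} renders to v_1677802518 and passes; the same function can be pointed at any candidate template and representative DisplayName and RoleName values before the role is updated.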
Outcome
Once the username_template has been updated to generate a username that fits within the 20 character limit, user creation should succeed.