LDAP allows for what is called an anonymous bind: a session opened with the LDAP server, here Active Directory (AD), without authenticating first, which can search the directory for the desired user with whatever rights the server grants to anonymous sessions. Once the user is found, a bind password is required in order to authenticate and complete further requests.
Vault relies on this bind step as well: it connects to AD, binds as the account specified in its config, supplying the password given in its bindpass parameter, and then searches for the user who is logging in.
However, if no password is supplied, the bind never authenticates: Vault's session remains anonymous, AD does not return the user object, and login requests cannot be served. This is easy to overlook when configuring LDAP auth, as Vault raises no warning that it is bound anonymously.
- Users cannot authenticate.
- No LDAP-related entries are written to operational logs.
Prerequisites (if applicable)
- Knowledge of anonymous bind concept in LDAP.
- Any LDAP server that allows anonymous bind.
These errors are thrown in the UI and CLI respectively after an LDAP authentication attempt:
Authentication failed: TypeError: Cannot read properties of undefined (reading 'auth')
Error authenticating: empty response from credential provider
After attempting to view Vault's LDAP role file:
Failing to set the bindpass parameter causes this error. AD requires the bind account's password in order to recognize the client, complete the bind, and serve its searches. That same password must be the value of Vault's bindpass parameter in its LDAP auth config for the configured bind user. With an empty password field, Vault has nothing to present to AD, so its session stays anonymous. From Vault's perspective nothing is out of the ordinary here: it is simply performing the bind step of the Lightweight Directory Access Protocol with the credentials it was given. Strictly speaking, a bind that sends a DN with an empty password is an unauthenticated bind in RFC 4513 terms rather than an anonymous one; servers are advised to reject it, but AD accepts it and grants only anonymous rights, which is why the user search returns nothing and the login fails.
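As an added example (not part of the original article, and not HashiCorp's code), the Python below encodes an LDAPv3 BindRequest by hand so the three forms of a simple bind can be compared byte for byte: anonymous (empty DN, empty password), unauthenticated (DN, empty password) and authenticated. It then runs a pre-flight check over an LDAP auth config for the exact failure described above, binddn set with bindpass blank. The VaultLdapConfig class, the check_config helper, and all hostnames, DNs and passwords are constructed for illustration; the check mirrors the behaviour this article describes, not Vault's source code.

```python
"""Added example, not from the original article or HashiCorp's code base.

Encodes an LDAPv3 BindRequest (RFC 4511 section 4.2) by hand to show the
difference between an anonymous bind (empty DN, empty password), an
unauthenticated bind (DN, empty password; RFC 4513 section 5.1.2) and an
authenticated simple bind, then runs a pre-flight check over a Vault LDAP
auth config for the failure this article describes: binddn set, bindpass
blank. VaultLdapConfig, check_config and every name, DN and password below
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


def ber_len(n: int) -> bytes:
    """BER length octets: one byte below 128, else 0x80|count then the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.

    Tags: SEQUENCE 0x30, INTEGER 0x02, OCTET STRING 0x04,
    BindRequest [APPLICATION 0] constructed 0x60, AuthenticationChoice simple [0] 0x80.
    message_id is assumed to be 1..127 so it fits one INTEGER content byte.
    """
    auth = tlv(0x02, b"\x03") + tlv(0x04, dn.encode("utf-8")) + tlv(0x80, password.encode("utf-8"))
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, auth))


def classify_bind(dn: str, password: str) -> str:
    """Name the bind form per RFC 4513 section 5.1."""
    if not dn and not password:
        return "anonymous"        # 5.1.1: no identity asserted, nothing proven
    if dn and not password:
        return "unauthenticated"  # 5.1.2: identity asserted, nothing proven; AD treats it as anonymous
    if dn and password:
        return "simple"           # 5.1.3: name/password authentication
    return "invalid"              # a password without a name is not a defined form


@dataclass
class VaultLdapConfig:
    """Constructed subset of the parameters passed to `vault write auth/ldap/config`."""
    url: str
    binddn: str = ""
    bindpass: str = ""


def check_config(cfg: VaultLdapConfig) -> Tuple[str, List[str]]:
    """Return (bind form the search bind would take, findings) before the config is written."""
    mode = classify_bind(cfg.binddn, cfg.bindpass)
    findings: List[str] = []
    if mode == "unauthenticated":
        findings.append(
            "binddn is set but bindpass is blank: the search bind is unauthenticated, AD grants it "
            "only anonymous rights, the user lookup returns nothing and logins fail with "
            "'empty response from credential provider'"
        )
    if cfg.bindpass and not cfg.url.lower().startswith("ldaps://"):
        findings.append("bindpass would cross the network in clear text: use ldaps:// (or starttls=true)")
    return mode, findings


if __name__ == "__main__":
    bind_dn = "CN=vault-bind,OU=Service Accounts,DC=example,DC=com"  # constructed
    for dn, pw in (("", ""), (bind_dn, ""), (bind_dn, "correct horse")):
        print(f"{classify_bind(dn, pw):16} {bind_request(1, dn, pw).hex()}")
    broken = VaultLdapConfig(url="ldaps://dc01.example.com", binddn=bind_dn)
    fixed = VaultLdapConfig(url="ldaps://dc01.example.com", binddn=bind_dn, bindpass="correct horse")
    for cfg in (broken, fixed):
        mode, findings = check_config(cfg)
        print(mode, findings or "ok")
```

The anonymous request encodes to the well-known 14 bytes 30 0c 02 01 01 60 07 02 01 03 04 00 80 00; the unauthenticated one differs only in carrying a DN while the simple [0] octet string stays empty, which is all AD needs to downgrade the session to anonymous rights. Run check_config over the intended values before issuing `vault write auth/ldap/config url=... binddn=... bindpass=...`, since Vault itself gives no such warning.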
Overview of possible solutions (if applicable)
- Make sure the password of the bind account in AD maps exactly to Vault's bindpass parameter for the configured bind user.
Take this opportunity to verify that the rest of the bind user's attributes in AD (distinguished name, user attribute) map to their Vault counterparts as well.
- Some LDAP servers have an option to disable anonymous (and unauthenticated) binding; with it disabled, a blank bindpass fails at the bind step with an explicit error instead of silently producing an anonymous session.
Successful authentication of Vault using LDAP.
Records viewable in logs.
Wiki explanation of bind step.