LDAP Anonymous Binding: Auth Error

Avatar
Clayton Platt
  • Updated

 

Introduction

LDAP allows for what is called anonymous binding: a way to use the LDAP server to search the Active Directory (AD) for the desired user without authenticating first.  Once the user is found, their bind password is then required in order to authenticate and complete requests.

Vault utilizes this feature as well: it binds anonymously to the AD, looks up the user specified in its config, then supplies the password given in its bindpass parameter.

However, if no password is supplied, it will remain in an anonymous state, unable to receive requests.  This issue is easily overlooked upon LDAP configuration, as Vault has no flag to alert that it is bound anonymously.

 

Problem

  • Users cannot authenticate.
  • No LDAP-related entries are written to operational logs.

Prerequisites (if applicable)

  • Knowledge of anonymous bind concept in LDAP.
  • Any LDAP server that allows anonymous bind.

Symptoms

These errors are thrown in the UI and CLI respectively after LDAP authentication attempt:

Authentication failed: TypeError: Cannot read properties of undefined (reading 'auth')
Error authenticating: empty response from credential provider

 

After attempting to view Vault's LDAP role file:

{
"errors": []
}

 

Cause

Failing to set the bindpass parameter causes this error.  LDAP requires a password for the user in AD in order to recognize, bind, and serve the client.  This password must also be the value for Vault's bindpass parameter in its LDAP config file for the specified user.  With an empty password field, Vault will have nothing to supply the AD when prompted, and remain in an anonymous state.  I'll note that from Vault's perspective, nothing is out of the ordinary here, as it is just following the anonymous bind step in the lightweight directory access protocol.

 

Overview of possible solutions (if applicable)

Solutions:

  • Make sure the bind password in AD maps exactly to Vault's bindpass parameter for the configured user.

  • Take this opportunity to verify the rest of the user's profile in AD maps to their Vault counterparts.

  • Some LDAP servers have an option to disable anonymous binding

Outcome

Successful authentication of Vault using LDAP.

Records viewable in logs.

Additional Information

Articles in this section

See more

Related articles