This article explains a known issue with certain versions of HashiCorp Vault when using LDAP authentication. If you are encountering problems with LDAP group policies not being attached to tokens after a Vault upgrade, this article aims to provide a solution.
Problem
In Vault versions 1.13.2, 1.12.6 or 1.11.10, with an existing LDAP auth method configured, users can still log in, but the login response carries an error of the form:
"no LDAP groups found in groupDN...only policies from locally-defined groups available".
This message means that Vault found no LDAP groups for the user, so the policies mapped from LDAP groups are not attached to the resulting token; only the default policy and policies from locally defined groups are.
Prerequisites
- Vault versions 1.13.2, 1.12.6, or 1.11.10
- An existing LDAP Auth configuration
Cause
This problem is a regression in the Vault versions listed above: the max_page_size field of the LDAP auth configuration is set to 0 instead of its intended default. A zero page size prevents the paged group search from returning any results, so no LDAP groups are found and the LDAP-derived policies are never attached to the token.
Solutions
A permanent fix for this issue is included in Vault versions 1.14.0, 1.13.3, 1.12.7 and 1.11.11. For those who cannot upgrade immediately, a workaround is available:
On the Vault CLI, update the LDAP auth method configuration with the following command, which disables pagination and has been observed to resolve the issue (adjust the auth/ldap path if the method is mounted elsewhere):
vault write auth/ldap/config max_page_size=-1
Outcome
After either upgrading to Vault 1.14.0, 1.13.3, 1.12.7 or 1.11.11, or applying the workaround, LDAP users should be able to log in without the error. To confirm the problem is solved, log in as an LDAP user who belongs to a group with a group-to-policy mapping and check that the mapped policies now appear on the token, for example in the policies field of the login response or of vault token lookup.
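As an added example (not part of the original article or of HashiCorp's own tooling), the following POSIX shell script ties the workaround above and the verification in this section together: it detects an affected release from the output of vault version, shows the current max_page_size, applies the workaround, then logs in over LDAP and checks that a policy mapped from an LDAP group is present on the new token. It assumes VAULT_ADDR and VAULT_TOKEN point at an operator session allowed to update auth/ldap/config, that the auth method is mounted at the default path auth/ldap, and that the environment variables LDAP_USER and EXPECTED_POLICY (both names chosen for this example) name a test user and a policy granted only through an LDAP group mapping, not through a locally defined group, so that its presence actually proves group resolution works.

```shell
#!/bin/sh
# Added example, not from the HashiCorp article: detect an affected Vault
# release, apply the max_page_size=-1 workaround and verify that a policy
# mapped from an LDAP group is attached to the token after login.
#
# Assumptions (not stated by the article): VAULT_ADDR and VAULT_TOKEN refer to
# an operator session allowed to update auth/ldap/config, the LDAP auth method
# is mounted at the default path auth/ldap, LDAP_USER is a test user and
# EXPECTED_POLICY is a policy granted only through an LDAP group mapping.

# Return 0 when the output of "vault version" (e.g. "Vault v1.13.2 (sha), ...")
# names one of the releases carrying the regression.
affected_version() {
    ver=${1#Vault v}       # drop the "Vault v" prefix when present
    ver=${ver%%[ +]*}      # keep the numeric part: drop " (sha)..." or "+ent"
    case "$ver" in
        1.13.2|1.12.6|1.11.10) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the list printed by "vault token lookup -field=policies"
# (e.g. "[default ldap-admins]") contains the expected policy name.
has_policy() {
    list=$(printf '%s' "$1" | tr -d '[]')
    for p in $list; do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}

main() {
    if affected_version "$(vault version)"; then
        echo "affected release; current max_page_size:"
        vault read -field=max_page_size auth/ldap/config
        # Workaround from the article: -1 disables paged searches entirely.
        vault write auth/ldap/config max_page_size=-1
        # Re-read the whole config to confirm the other settings survived.
        vault read auth/ldap/config
    fi

    # Log in as the LDAP user (the CLI prompts for the password) and inspect
    # the policies Vault attached to the new token.
    token=$(vault login -method=ldap -token-only username="$LDAP_USER")
    policies=$(VAULT_TOKEN="$token" vault token lookup -field=policies)
    if has_policy "$policies" "$EXPECTED_POLICY"; then
        echo "LDAP group policies attached: $policies"
    else
        echo "LDAP group policies missing (only local/default): $policies" >&2
        return 1
    fi
}

# Only talk to Vault when explicitly asked, so the helpers can be sourced or
# exercised without a server.
if [ "${RUN_LDAP_CHECK:-0}" = "1" ]; then
    main
fi
```

Run it with RUN_LDAP_CHECK=1 sh check_ldap_pagination.sh (file name chosen here). After the write, the re-read of auth/ldap/config should still show the previous url, binddn, userdn and groupdn values alongside max_page_size -1; if any of them are missing, rewrite the full configuration rather than the single field. If has_policy fails with only default on the token, the group-to-policy mapping itself is worth checking with vault read auth/ldap/groups/<group> before blaming the pagination setting.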