This article describes a known regression in certain versions of HashiCorp Vault's LDAP auth method. If LDAP group policies stop being attached to tokens after a Vault upgrade, the workaround below restores them.
Problem
After upgrading to Vault 1.13.2, 1.12.6, or 1.11.10 with an existing LDAP auth method configured, users can still log in, but the login returns a warning of the form:
"no LDAP groups found in groupDN...only policies from locally-defined groups available".
The warning means Vault found no groups for the user in the directory, so the policies mapped to LDAP groups (auth/ldap/groups/<name>) are not attached to the token; only the policies reachable through the user's local entry (auth/ldap/users/<username>) are.
Prerequisites
- Vault versions 1.13.2, 1.12.6, or 1.11.10
- An existing LDAP Auth configuration
Cause
This problem is a regression in the Vault versions listed above. In those versions the max_page_size parameter of the LDAP auth configuration is set to 0 instead of the intended default. Group searches are therefore issued with a page size of 0, the directory returns no group entries, and Vault has no LDAP groups to map to policies. That produces the warning and leaves the group-derived policies off the token.
Overview of possible solutions
The workaround is to set max_page_size explicitly instead of relying on the default. Use it until you move to a Vault release that contains the permanent fix.
Solutions:
On the Vault CLI, write the parameter to the LDAP auth method's configuration. The following command disables pagination and has been observed to resolve the issue:
vault write auth/ldap/config max_page_size=-1
If the LDAP auth method is mounted at a path other than auth/ldap, substitute that mount path. Vault merges the write into the existing configuration, but confirm afterwards with vault read auth/ldap/config that url, binddn, groupdn and the other settings are still present and that max_page_size now reads -1.
Outcome
After applying the workaround, users who log in again should no longer see the warning. Tokens issued before the change keep the policies they were issued with, so affected users must re-authenticate to pick up their group policies. To confirm the fix, log in as an LDAP user whose directory group maps to a Vault policy and check that the policies field of the login response (or of vault token lookup) lists that policy.
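The following script is an added example and is not part of the HashiCorp article or of Vault itself. It automates the procedure above: it reads the LDAP auth config, applies max_page_size=-1 only when the config shows the zero value of the regression, re-reads the config so the other settings can be checked, and then performs a fresh LDAP login to confirm that a group-derived policy is on the new token. It assumes VAULT_ADDR and VAULT_TOKEN point at the cluster with a token allowed to read and write auth/<mount>/config, that the auth method is mounted at auth/ldap unless another mount is given, and that the operator knows one LDAP user and one policy that should arrive through an LDAP group mapping; the sample JSON at the top is constructed for the offline self-check and is not real cluster output. jq is not required.

```bash
#!/usr/bin/env bash
# Added example (not from the HashiCorp article or Vault): detect the
# max_page_size=0 regression on an LDAP auth mount, apply the max_page_size=-1
# workaround, and confirm that a fresh LDAP login carries a group policy.
# Assumptions: VAULT_ADDR/VAULT_TOKEN are set; the CLI's -format=json output is
# parsed with sed/grep so jq is not needed.
set -eu

# Constructed sample of `vault read -format=json auth/ldap/config` as an
# affected version prints it; used only for the offline self-check below.
SAMPLE_BROKEN_CONFIG='{
  "data": {
    "url": "ldaps://ldap.example.com",
    "groupdn": "ou=Groups,dc=example,dc=com",
    "max_page_size": 0
  }
}'

# Print the max_page_size value from a JSON config document, or "unset" when
# the field is absent (pre-regression versions do not return it).
page_size_from_json() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*"max_page_size": *\(-\{0,1\}[0-9]\{1,\}\).*/\1/p')
  if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# Exit 0 only for the zero value the regression writes; any other value,
# including "unset", leaves the configuration alone.
needs_workaround() {
  [ "$(page_size_from_json "$1")" = "0" ]
}

# Exit 0 when the "policies" array of a `vault login -format=json` or
# `vault token lookup -format=json` document contains the named policy.
token_has_policy() {
  json="$1"; policy="$2"
  printf '%s\n' "$json" | tr -d ' \n' | grep "\"policies\":\[[^]]*\"$policy\"" >/dev/null
}

# Live procedure: mount path, LDAP username, policy expected from a group mapping.
run_workaround() {
  mount="$1"; user="$2"; policy="$3"
  cfg=$(vault read -format=json "auth/$mount/config")
  if needs_workaround "$cfg"; then
    echo "auth/$mount: max_page_size is 0 (regression), setting it to -1"
    vault write "auth/$mount/config" max_page_size=-1
  else
    echo "auth/$mount: max_page_size is $(page_size_from_json "$cfg"), no change made"
  fi
  # Re-read the whole config so the operator can see that url, binddn,
  # groupdn and the rest survived the write.
  vault read "auth/$mount/config"
  # Policies are fixed at token issuance, so a brand-new login is required.
  # -no-store keeps the operator's own token in place; the password is prompted.
  login=$(vault login -format=json -no-store -method=ldap -path="$mount" username="$user")
  if token_has_policy "$login" "$policy"; then
    echo "login for $user carries policy $policy: LDAP group mapping works"
  else
    echo "login for $user lacks policy $policy: check the login warning and groupdn/groupfilter" >&2
    return 1
  fi
}

# Offline self-check on the constructed sample, then the live run when asked:
#   ./ldap_page_size_check.sh --run [mount] <ldap-user> <expected-policy>
needs_workaround "$SAMPLE_BROKEN_CONFIG" && echo "sample config shows the regression"
if [ "${1:-}" = "--run" ]; then
  run_workaround "${2:-ldap}" "${3:?ldap user required}" "${4:?expected policy required}"
fi
```

Run it without arguments to exercise only the offline self-check; with --run it touches the cluster, and the non-zero exit when the expected policy is missing makes it usable as a post-upgrade gate in a maintenance script.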