Introduction
In some cases the following error is intermittently returned by the connected LDAP directory when Vault attempts to rotate the password of a static role managed by Vault's LDAP secrets engine:
1 error occurred: unable to finish rotating credentials; retries will continue in the background but it is also safe to retry manually: LDAP Result Code 53 "Unwilling To Perform": 0000052D: SvcErr: DSID-031A126C, problem 5003 (WILL_NOT_PERFORM)
In this specific scenario the LDAP Directory server used by the LDAP secrets engine is a Microsoft Active Directory.
Prerequisites (if applicable)
- Vault LDAP secrets engine
- Microsoft Active Directory
- Microsoft Active Directory Password Policy with Password Complexity requirements enabled
Cause
Microsoft currently defines the password complexity requirement as follows:
If this policy is enabled, passwords must meet the following minimum requirements:
- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
- Be at least six characters in length
- Contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphanumeric characters (for example, !, $, #, %)
Complexity requirements are enforced when passwords are changed or created.
Note: this definition might change at any time.
The default password policy Vault uses when none is configured for the secrets engine is as follows:
length = 20

rule "charset" {
  charset = "abcdefghijklmnopqrstuvwxyz"
  min-chars = 1
}

rule "charset" {
  charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  min-chars = 1
}

rule "charset" {
  charset = "0123456789"
  min-chars = 1
}

rule "charset" {
  charset = "-"
  min-chars = 1
}
If the issue occurs intermittently, the first of the Active Directory rules above is the likely cause:
Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
Active Directory applies this rule case-insensitively: the password is compared against the whole sAMAccountName (the check is skipped when the account name is shorter than three characters) and against each token of the displayName obtained by splitting it at commas, periods, hyphens, underscores, spaces, pound signs and tabs, ignoring tokens shorter than three characters. Because the Vault password is random, it only occasionally contains one of these strings (for example the username configured for the static role), and whenever it does, the connected directory rejects the password change with:
LDAP Result Code 53 "Unwilling To Perform": 0000052D: SvcErr: DSID-031A126C, problem 5003 (WILL_NOT_PERFORM)
Overview of possible solutions (if applicable)
Solution:
If the usernames follow a naming pattern, the characters that make up the affected name tokens (in the example below, the first three characters of the username) can be removed from the character sets of a Vault password policy, which is then assigned to the LDAP secrets engine through its password_policy configuration parameter. Because the Active Directory comparison is case-insensitive, the characters must be removed from both the lowercase and the uppercase sets.
Given the following Active Directory user, whose account name is ldaptest: CN=ldaptest,cn=users,dc=local,dc=ad
the Vault Password policy could be as follows:
length = 20

rule "charset" {
  charset = "bcefghijkmnopqrstuvwxyz"
  min-chars = 1
}

rule "charset" {
  charset = "BCEFGHIJKMNOPQRSTUVWXYZ"
  min-chars = 1
}

rule "charset" {
  charset = "0123456789"
  min-chars = 1
}

rule "charset" {
  charset = "-"
  min-chars = 1
}
This policy removes a, d and l (the first three characters of ldaptest) from both letter sets, so no password it generates can contain the account name in any letter case. The scenario above is one possible cause of this error; other scenarios (for example a short display-name token of the same user) should also be considered.
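The following Python script is an added example for this article (it is not code from the article, from Vault or from Microsoft). It re-implements the Active Directory complexity check as documented above, models a Vault password policy as a length plus a list of charset rules, and reports which account-name or display-name tokens a given policy is able to reproduce, so a candidate policy can be tested against the accounts of all static roles before it is assigned. The generator follows the semantics of Vault "charset" rules (characters drawn from the union of all rule charsets, each rule's min-chars enforced) but is a simplified re-implementation, not Vault's own code; the account names ldaptest and svc-sql / "SQL Service" are constructed for the example.

```python
"""Reproduce Active Directory's password complexity check locally and test a
Vault-style password policy against it.

Added example; not code from the article, from Vault or from Microsoft.
The generator mirrors the semantics of Vault "charset" rules but is a
simplified re-implementation. Account names below are constructed.
"""
import random
import re
import secrets
import string

# Delimiters Microsoft documents for splitting displayName into tokens:
# comma, period, dash/hyphen, underscore, space, pound sign, tab.
_DISPLAY_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def name_tokens(sam_account_name, display_name=""):
    """Strings the password must not contain (compared case-insensitively).

    The whole sAMAccountName is one token (skipped if shorter than three
    characters); displayName is split at the delimiters above and tokens
    shorter than three characters are ignored. Substrings are not checked.
    """
    tokens = []
    if len(sam_account_name) >= 3:
        tokens.append(sam_account_name.lower())
    for token in _DISPLAY_NAME_DELIMITERS.split(display_name):
        if len(token) >= 3:
            tokens.append(token.lower())
    return tokens


def meets_ad_complexity(password, sam_account_name, display_name=""):
    """Return (ok, reason) for the documented requirements.

    Only the four ASCII character categories are modelled; the Unicode
    "other alphabetic" category Active Directory also accepts is ignored.
    """
    if len(password) < 6:
        return False, "shorter than six characters"
    lowered = password.lower()
    for token in name_tokens(sam_account_name, display_name):
        if token in lowered:
            return False, "contains name token %r" % token
    categories = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(categories) < 3:
        return False, "fewer than three character categories"
    return True, "ok"


# A policy is (length, rules); each rule is (charset, min_chars), mirroring
# "length" and the rule "charset" blocks of a Vault password policy.
DEFAULT_POLICY = (20, (
    (string.ascii_lowercase, 1),
    (string.ascii_uppercase, 1),
    (string.digits, 1),
    ("-", 1),
))


def exclude_chars(policy, chars):
    """Remove the given characters (both cases) from every rule's charset,
    which is the fix the article applies by hand."""
    excluded = {c.lower() for c in chars}
    length, rules = policy
    return length, tuple(
        ("".join(c for c in charset if c.lower() not in excluded), min_chars)
        for charset, min_chars in rules
    )


def alphabet(policy):
    """Union of all rule charsets: the only characters a password can contain."""
    return set("".join(charset for charset, _ in policy[1]))


def policy_can_produce(policy, token):
    """True if the alphabet can spell `token` in some letter case, i.e. a
    generated password could contain it."""
    chars = alphabet(policy)
    return all(c in chars or c.upper() in chars for c in token.lower())


def risky_tokens(policy, accounts):
    """accounts: iterable of (sAMAccountName, displayName). Returns the name
    tokens that a password generated under `policy` could contain."""
    return [
        (sam, token)
        for sam, display in accounts
        for token in name_tokens(sam, display)
        if policy_can_produce(policy, token)
    ]


def generate(policy, rng=secrets):
    """Draw characters uniformly from the alphabet and retry until every
    rule's min-chars is met (generate-then-validate, as Vault does)."""
    length, rules = policy
    chars = sorted(alphabet(policy))
    while True:
        password = "".join(rng.choice(chars) for _ in range(length))
        if all(sum(c in cs for c in password) >= n for cs, n in rules):
            return password


if __name__ == "__main__":
    accounts = [("ldaptest", ""), ("svc-sql", "SQL Service")]
    restricted = exclude_chars(DEFAULT_POLICY, "lda")
    print("default policy can produce:", risky_tokens(DEFAULT_POLICY, accounts))
    print("restricted policy can produce:", risky_tokens(restricted, accounts))
    pw = generate(restricted, random.Random(1))  # seeded only for a repeatable demo
    print(pw, meets_ad_complexity(pw, "ldaptest"))
```

Run risky_tokens over the sAMAccountName and displayName of every static role before assigning a policy. For the constructed accounts, the restricted policy can no longer spell ldaptest, svc-sql or sql, but it can still spell the display-name token service, which shows why removing the first characters of one username is not a general fix. The resulting policy is written to sys/policies/password/<name> and referenced from the LDAP secrets engine configuration through password_policy.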
Outcome
After the modified password policy has been assigned to the LDAP secrets engine, the rotation error should no longer occur.