Problem
When using the Active Directory Secrets Engine or LDAP Secrets Engine, Vault needs to rotate the password of each account it has been charged with managing. If it is unable to do so, all further attempts to manage that account will fail. If you have verified that the BindDN account in use has the permissions required for this task and rotation still fails, you may be seeing one of the following two errors in Vault's operational logs:
LDAP Result Code 53 "Unwilling To Perform"
or
unable to read LDAP response packet: read tcp x.x.x.x:38688->y.y.y.y:389: read: connection reset by peer
Prerequisites (if applicable)
- Vault > 1.0
- Active Directory Secrets Engine - deprecated as of the Vault 1.13 release
- LDAP Secrets Engine
Cause
- Active Directory will only support password changes over a secure connection.
Solutions
When configuring Vault to communicate with your Active Directory infrastructure, you used a URL of the form `ldap://a.b.c.d` instead of `ldaps://a.b.c.d`. Although Vault can communicate over an unencrypted LDAP connection, it cannot rotate passwords over one, because Active Directory only accepts password changes on a secure connection. Talk with your Active Directory administrator about enabling LDAPS, usually on port 636/tcp. Once it is available, reconfigure the AD or LDAP Secrets Engine with the new `ldaps://` URL.
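As an added triage helper (not part of the original article), the following Python checks whether a configured secrets engine URL uses the `ldaps://` scheme and scans Vault operational log lines for the two error signatures quoted above; the host names and log lines are constructed for illustration.

```python
"""Triage helper for failed AD/LDAP secrets engine password rotation.

Added example, not code from the original article. It checks the configured
URL scheme and looks for the two log signatures the article describes.
"""
import re
from urllib.parse import urlsplit

# Error signatures quoted in the article, as regular expressions.
UNWILLING_RE = re.compile(r'LDAP Result Code 53 "Unwilling To Perform"')
RESET_RE = re.compile(
    r"unable to read LDAP response packet: read tcp \S+->\S+:389: "
    r"read: connection reset by peer"
)

# Constructed sample log lines (not real Vault output).
SAMPLE_LOGS = [
    '[ERROR] secrets.ad: rotation failed: LDAP Result Code 53 "Unwilling To Perform"',
    "[ERROR] secrets.ldap: rotation failed: unable to read LDAP response packet: "
    "read tcp 10.0.0.5:38688->10.0.0.9:389: read: connection reset by peer",
    "[INFO]  core: post-unseal setup complete",
]


def url_supports_password_change(url: str) -> bool:
    """True only for ldaps:// URLs; AD requires TLS for password changes."""
    return urlsplit(url).scheme.lower() == "ldaps"


def triage(url: str, log_lines: list[str]) -> dict:
    """Report which symptoms were seen and the most likely remediation."""
    findings = {
        "insecure_url": not url_supports_password_change(url),
        "unwilling_to_perform": any(UNWILLING_RE.search(l) for l in log_lines),
        "connection_reset_on_389": any(RESET_RE.search(l) for l in log_lines),
    }
    errors_seen = findings["unwilling_to_perform"] or findings["connection_reset_on_389"]
    host = urlsplit(url).hostname or "<ldap-host>"
    if findings["insecure_url"]:
        # Plaintext LDAP: the scheme itself prevents rotation against AD.
        findings["recommendation"] = (
            f"enable LDAPS on the directory and reconfigure with url=ldaps://{host}:636"
        )
    elif errors_seen:
        # Already LDAPS, so the scheme is not the cause; revisit account rights.
        findings["recommendation"] = "URL already uses LDAPS; verify BindDN permissions"
    else:
        findings["recommendation"] = "no rotation symptoms found in the supplied logs"
    return findings
```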