Introduction
Problem
When the LDAP authentication method is configured, the first Vault client login via the newly configured LDAP authentication method results in "ldap operation failed: failed to bind as user" error being returned to the Vault client.
Cause
The mentioned error is usually caused by one of the following:
- The value specified for the binddn parameter is not correct, or the object does not exist in the LDAP tree.
- The value for the bindpass parameter is either empty or incorrect for the LDAP user specified via the binddn parameter.
- The value for the upndomain parameter does not match the UserPrincipalName suffix of the user in the LDAP (AD) server.
Solutions:
- Make sure the user object specified via the binddn parameter actually exists in your LDAP tree and the DN is correct.
- Make sure that the bindpass parameter is set correctly and that login with the specified password is possible outside of Vault.
- Make sure the UserPrincipalName (AD) of the user matches the upndomain configured in the Vault LDAP auth configuration.
- Make sure the user object is reachable with external utilities such as ldapsearch. For example:
LDAPTLS_REQCERT=never ldapsearch -H ldaps://<ldapserver_ip_or_dns>:636 \
  -D cn=Administrator,cn=users,dc=yourorg,dc=com -W -b cn=users,dc=yourorg,dc=com \
  -s sub "(&(userPrincipalName=vault@yourorg.com))"
Note that LDAPTLS_REQCERT=never disables TLS certificate verification for this diagnostic run only; keep certificate verification enabled in the Vault LDAP auth configuration itself.
- Replace cn=Administrator,cn=users,dc=yourorg,dc=com with the binddn value specified in the LDAP Auth method configuration.
- Replace cn=users,dc=yourorg,dc=com with the userdn value specified in the LDAP Auth method configuration.
- Replace vault@yourorg.com with the LDAP user specified during Vault login.
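The following Python preflight is an added example, not part of this article and not Vault's own code. It models how Vault picks the identity it binds as, following the Vault LDAP auth documentation (with binddn and bindpass both set, Vault first binds as the service account and searches userdn for the user; with upndomain set it looks up or binds as username@upndomain; otherwise it builds userattr=username,userdn), flags the causes listed above before any login is attempted, and assembles the ldapsearch command from this article with the same filter Vault would use. The host ldap.example.internal, the account names, the password and the userPrincipalName values are constructed test data.

```python
"""Preflight checks for a Vault LDAP auth method configuration.

Added example: models the bind-identity selection described in the Vault
LDAP auth documentation; it is not Vault's implementation.
"""
from dataclasses import dataclass
import shlex


@dataclass
class LdapAuthConfig:
    # Field names mirror the Vault LDAP auth method parameters.
    url: str
    userdn: str
    userattr: str = "cn"
    binddn: str = ""
    bindpass: str = ""
    upndomain: str = ""


def ldap_escape(value):
    """Escape characters that are special in an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def resolve_bind(cfg, username):
    """Return ("search", filter) when Vault would bind as the service account
    and search for the user first, or ("direct", bind_dn) when it binds
    straight away as the user. Note that an empty bindpass silently drops
    Vault into the direct-bind path even if binddn is set."""
    if cfg.binddn and cfg.bindpass:
        if cfg.upndomain:
            upn = "%s@%s" % (username, cfg.upndomain)
            return "search", "(userPrincipalName=%s)" % ldap_escape(upn)
        return "search", "(%s=%s)" % (cfg.userattr, ldap_escape(username))
    if cfg.upndomain:
        return "direct", "%s@%s" % (ldap_escape(username), cfg.upndomain)
    return "direct", "%s=%s,%s" % (cfg.userattr, ldap_escape(username), cfg.userdn)


def preflight(cfg, username, directory_upn=None):
    """Collect the misconfigurations from this article that apply.

    directory_upn is the userPrincipalName actually stored on the account
    (constructed input in the tests), used to check the upndomain cause."""
    problems = []
    if cfg.binddn and not cfg.bindpass:
        problems.append("binddn is set but bindpass is empty; the service account will not be used")
    if directory_upn is not None and cfg.upndomain:
        expected = "%s@%s" % (username, cfg.upndomain)
        if directory_upn.lower() != expected.lower():
            problems.append("upndomain %r does not match directory UPN %r" % (cfg.upndomain, directory_upn))
    return problems


def ldapsearch_command(cfg, username):
    """Build the ldapsearch invocation from this article, binding as binddn
    (password prompted with -W) and searching userdn with Vault's filter."""
    mode, value = resolve_bind(cfg, username)
    if mode == "search":
        filt = value
    else:
        filt = "(%s=%s)" % (cfg.userattr, ldap_escape(username))
    cmd = ["ldapsearch", "-H", cfg.url]
    if cfg.binddn:
        cmd += ["-D", cfg.binddn, "-W"]
    cmd += ["-b", cfg.userdn, "-s", "sub", filt]
    return " ".join(shlex.quote(part) for part in cmd)


if __name__ == "__main__":
    # Constructed configuration matching the placeholders used in this article.
    cfg = LdapAuthConfig(
        url="ldaps://ldap.example.internal:636",
        userdn="cn=users,dc=yourorg,dc=com",
        binddn="cn=Administrator,cn=users,dc=yourorg,dc=com",
        bindpass="constructed-secret",
        upndomain="yourorg.com",
    )
    print(resolve_bind(cfg, "vault"))
    print(preflight(cfg, "vault", directory_upn="vault@corp.yourorg.com"))
    print(ldapsearch_command(cfg, "vault"))
```

Run preflight with the same values you pass to `vault write auth/ldap/config`; a non-empty problem list points at one of the causes above before the first client login is tried.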
Outcome
When the binddn and bindpass parameters are set correctly, and the UserPrincipalName matches the upndomain in the Vault LDAP auth configuration, Vault clients should be able to log in to the Vault server without observing the "ldap operation failed: failed to bind as user" error.