Introduction
Problem
When an LDAP authentication method has just been configured, the first Vault client login through that method fails, and the error "ldap operation failed: failed to bind as user" is returned to the Vault client.
Cause
This error usually has one of the following causes:
- The value of the binddn parameter is incorrect, or the DN does not exist in the LDAP tree.
- The value of the bindpass parameter is empty or is not the correct password for the user specified via the binddn parameter.
- The value of the upndomain parameter does not match the UserPrincipalName of the user in the LDAP (AD) server.
Solutions
- Make sure the user object specified via the binddn parameter actually exists in your LDAP tree and that the DN is correct.
- Make sure the bindpass parameter is set correctly and that a login with that password succeeds outside of Vault.
- Make sure the UserPrincipalName of the user object in AD matches the UPN that Vault constructs from the username and the upndomain value in the Vault LDAP auth configuration.
- Make sure the specified user object is reachable with an external utility such as "ldapsearch".
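The checks above, performed outside Vault with ldapsearch, as an added example script that is not part of this article or of Vault itself. It assumes the operator exports LDAP_URL, BINDDN, BINDPASS, USERDN, USERNAME, USERPASS and UPNDOMAIN; the exit-code mapping uses the standard LDAP result codes that ldapsearch returns as its exit status.

```shell
#!/bin/sh
# Added example: reproduce the binds Vault performs, outside Vault, with ldapsearch.
# Assumed environment variables (not from the article): LDAP_URL, BINDDN, BINDPASS,
# USERDN (search base), USERNAME, USERPASS, UPNDOMAIN.

# Build the UPN Vault constructs when upndomain is set: <username>@<upndomain>.
construct_upn() {
    printf '%s@%s\n' "$1" "$2"
}

# Map an ldapsearch exit status (the LDAP result code) to the likely cause.
explain_bind_rc() {
    case "$1" in
        0)  echo "bind succeeded" ;;
        32) echo "noSuchObject: the binddn or search base does not exist in the tree" ;;
        34) echo "invalidDNSyntax: the binddn is malformed" ;;
        49) echo "invalidCredentials: wrong password, or the DN/UPN does not match the account" ;;
        *)  echo "ldapsearch exit $1: check the server's diagnostic message" ;;
    esac
}

# Simple bind as the given identity, then search for the user the way Vault does.
try_bind() {
    identity=$1; secret=$2; base=$3; filter=$4
    rc=0
    ldapsearch -x -LLL -H "$LDAP_URL" -D "$identity" -w "$secret" \
        -b "$base" "$filter" 1.1 >/dev/null 2>&1 || rc=$?
    echo "bind as $identity -> $(explain_bind_rc "$rc")"
    return "$rc"
}

check_vault_ldap_config() {
    # 1. Service-account bind: validates binddn and bindpass.
    try_bind "$BINDDN" "$BINDPASS" "$USERDN" "(sAMAccountName=$USERNAME)" || return 1
    # 2. User bind with the constructed UPN: validates upndomain against the
    #    account's UserPrincipalName in AD.
    upn=$(construct_upn "$USERNAME" "$UPNDOMAIN")
    try_bind "$upn" "$USERPASS" "$USERDN" "(userPrincipalName=$upn)"
}

# Run the checks only when the operator has exported the connection variables.
if [ -n "${LDAP_URL:-}" ] && [ -n "${BINDDN:-}" ]; then
    check_vault_ldap_config
fi
```

If step 1 fails, fix binddn/bindpass before looking at upndomain; if step 1 succeeds and step 2 returns invalidCredentials, compare the printed UPN with the account's UserPrincipalName attribute.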
Outcome
When the binddn and bindpass parameters are set correctly, and the UPN constructed from the username and upndomain in the Vault LDAP auth configuration matches the user's UserPrincipalName, Vault clients can log in to the Vault server without encountering the "ldap operation failed: failed to bind as user" error.