
Bug with "login error missing entity alias attribute value" was not fixed in version 1.16.1 #26568

Open
hennadii2012 opened this issue Apr 20, 2024 · 11 comments

Comments

@hennadii2012

Describe the bug
When I try to log in to Vault using LDAP after upgrading from 1.13.2 to 1.16.1, I get an error: Authentication failed missing entity alias attribute value
Downgrading to version 1.15.6 fixes this issue.

To Reproduce
Steps to reproduce the behavior:

  1. Upgrade to version 1.16.1
  2. Use Google LDAP (when you log in, you use the user without @domain.name, but the alias stores the user with @domain.name)
  3. Try to log in using LDAP

Expected behavior
Login via LDAP on version 1.16+ works as it did on version 1.15.6.

Environment:

  • Vault Server Version: 1.16.1
  • Vault CLI Version: 1.16.1
  • Server Operating System/Architecture: Docker (Bitnami image with tag 1.16.1; host OS is Ubuntu 20)

Vault server configuration file(s):

storage "raft" {
  path    = "/vault/file"
  node_id = "vault1"


  retry_join {
    leader_tls_servername   = "vault1.example.com"
    leader_api_addr         = "https://vault1.example.com:8200"
    leader_ca_cert_file     = "/opt/vault/tls/vault-ca.pem"
    leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
    leader_client_key_file  = "/opt/vault/tls/vault-key.pem"
  }
  retry_join {
    leader_tls_servername   = "vault2.example.com"
    leader_api_addr         = "https://vault2.example.com:8200"
    leader_ca_cert_file     = "/opt/vault/tls/vault-ca.pem"
    leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
    leader_client_key_file  = "/opt/vault/tls/vault-key.pem"
  }
  retry_join {
    leader_tls_servername   = "vault3.example.com"
    leader_api_addr         = "https://vault3.example.com:8200"
    leader_ca_cert_file     = "/opt/vault/tls/vault-ca.pem"
    leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
    leader_client_key_file  = "/opt/vault/tls/vault-key.pem"
  }
}
listener "tcp" {
  address            = "0.0.0.0:8200"
  cluster_addr       = "0.0.0.0:8201"
  tls_cert_file      = "/opt/vault/tls/vault-cert.pem"
  tls_key_file       = "/opt/vault/tls/vault-key.pem"
  tls_client_ca_file = "/opt/vault/tls/vault-ca.pem"
}
telemetry {
  prometheus_retention_time = "15m"
  disable_hostname = true
}
api_addr          = "https://vault1.example.com:8200"
cluster_addr      = "https://vault1.example.com:8201"
ui                = true
disable_mlock     = true
default_lease_ttl = "168h"
max_lease_ttl     = "720h"
log_level         = "Error"
seal "gcpckms" {
  credentials = "/opt/vault/gcp_service_account.json"
  project     = "project-id"
  region      = "global"
  key_ring    = "keyring"
  crypto_key  = "key-ring"
}

Additional context

LDAP config

Key                          Value                                                      
anonymous_group_search       false                                                      
binddn                                                                                  
case_sensitive_names         false                                                      
certificate                                                                             
connection_timeout           0                                                          
deny_null_bind               true                                                       
dereference_aliases                                                                     
discoverdn                   false                                                      
groupattr                    memberOf                                                   
groupdn                      ou=Groups,dc=example,dc=com                                   
groupfilter                  (&(uniqueMember=uid={{.Username}},ou=Users,dc=example,dc=com))
insecure_tls                 false                                                      
max_page_size                0                                                          
request_timeout              90                                                         
starttls                     false                                                      
tls_max_version              tls12                                                      
tls_min_version              tls12                                                      
token_bound_cidrs            []                                                         
token_explicit_max_ttl       0                                                          
token_max_ttl                0                                                          
token_no_default_policy      false                                                      
token_num_uses               0                                                          
token_period                 0                                                          
token_policies               []                                                         
token_ttl                    0                                                          
token_type                   default                                                    
upndomain                    example.com                                                   
url                          ldaps://ldap.example.com                                  
use_pre111_group_cn_behavior false                                                      
use_token_groups             false                                                      
userattr                     mail                                                       
userdn                       ou=Users,dc=example,dc=com                                    
userfilter                   ({{.UserAttr}}={{.Username}})                              
username_as_alias            false  
@jasonodonnell
Contributor

I was able to log in using a similar config to yours without issue on 1.16.1; however, I did not use Google LDAP. I will try to reproduce with that specific implementation.

@jasonodonnell
Contributor

@hennadii2012 I think I might see the problem. Prior to 1.16, Vault was doing something clever when upndomain was set. Instead of trying to use the value set for userattr (in your case that would be mail), it would set the alias username to be <username>@<upndomain>. Now that it's using a different library, it's honoring userattr and breaking for you.

Can you check the user account in Google's LDAP and make sure the mail attribute is set on the entity? I'm seeing it's a valid field but I suspect the value is empty: https://support.google.com/a/answer/9188164?hl=en.
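The two alias-derivation rules described in the comment above, written out as an added example. This is not Vault's code: `ldapAuthConfig`, `ldapEntry`, `legacyAliasName` and `currentAliasName` are stand-ins that model the behaviour as the comment states it (pre-1.16: `<username>@<upndomain>` when upndomain is set; 1.16: the value of the attribute named by userattr), with the reporter's settings (userattr=mail, upndomain=example.com) and constructed directory entries. The fallback of the legacy rule when upndomain is unset is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ldapAuthConfig is a stand-in for the subset of Vault's LDAP auth settings that
// the comment above says decide the alias name. Field names mirror the config
// keys; the struct is not Vault's real type.
type ldapAuthConfig struct {
	UserAttr        string // userattr, e.g. "mail"
	UPNDomain       string // upndomain, e.g. "example.com"
	UsernameAsAlias bool   // username_as_alias
}

// ldapEntry is a minimal stand-in for the user object the directory returns.
type ldapEntry struct {
	DN    string
	Attrs map[string][]string
}

// firstValue folds case because LDAP attribute names are case-insensitive
// ("mail" and "MAIL" are the same attribute).
func (e ldapEntry) firstValue(attr string) string {
	for name, vals := range e.Attrs {
		if strings.EqualFold(name, attr) && len(vals) > 0 {
			return vals[0]
		}
	}
	return ""
}

// errMissingAlias carries the error text quoted in the issue.
var errMissingAlias = errors.New("missing entity alias attribute value")

// legacyAliasName models the pre-1.16 behaviour described above: with upndomain
// set, the alias is <username>@<upndomain> and the returned entry is not consulted.
// Without upndomain it is assumed to behave like the current rule.
func legacyAliasName(cfg ldapAuthConfig, username string, entry ldapEntry) (string, error) {
	if cfg.UPNDomain != "" {
		return username + "@" + cfg.UPNDomain, nil
	}
	return currentAliasName(cfg, username, entry)
}

// currentAliasName models the 1.16 behaviour described above: honour userattr
// and take the alias from that attribute of the returned entry, unless
// username_as_alias asks for the login name itself. An empty value is the
// failure quoted in this issue.
func currentAliasName(cfg ldapAuthConfig, username string, entry ldapEntry) (string, error) {
	if cfg.UsernameAsAlias {
		return username, nil
	}
	if v := entry.firstValue(cfg.UserAttr); v != "" {
		return v, nil
	}
	return "", errMissingAlias
}

func main() {
	cfg := ldapAuthConfig{UserAttr: "mail", UPNDomain: "example.com"} // as in the reporter's config
	// Constructed entries: one as the directory should return it, and one where
	// the mail attribute is absent, which is the condition that produces the error.
	withMail := ldapEntry{DN: "uid=test_user,ou=Users,dc=example,dc=com",
		Attrs: map[string][]string{"MAIL": {"test_user@example.com"}}}
	noMail := ldapEntry{DN: withMail.DN, Attrs: map[string][]string{"uid": {"test_user"}}}
	for _, e := range []ldapEntry{withMail, noMail} {
		old, _ := legacyAliasName(cfg, "test_user", e)
		cur, err := currentAliasName(cfg, "test_user", e)
		fmt.Printf("attrs=%v  pre-1.16 alias=%q  1.16 alias=%q err=%v\n", e.Attrs, old, cur, err)
	}
}
```

Under this model the old rule never looks at the entry, so a missing or empty userattr value went unnoticed until 1.16 started reading it; the pre-upgrade check that follows is that every account under userdn has the attribute named by userattr populated, and that its value matches the alias name already stored for existing entities (here `test_user@example.com`).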

@hennadii2012
Author

@jasonodonnell , I am not 100% sure how to check that the entity is set. But it looks like no, because I can set uid, cn or mail as userattr and in all cases I see successful auth on the LDAP server side, but "Authentication failed: missing entity alias attribute value" on the Vault side.
I also tried deleting the existing alias to give Vault the possibility to set it automatically, and that did not help either.
The same situation with deletion of the entity.
It looks like Vault does not execute any actions for now if upndomain exists.

@jasonodonnell
Contributor

@hennadii2012 The error is happening because LDAP isn't returning the user attributes you are asserting should be there (userattr). I attempted to use Google's LDAP service but it requires an enterprise Google account which I currently don't have access to.

To debug further, I'm wondering if you would be able to use the ldapsearch tool to check the user attributes:

ldapsearch -x -H ldaps://ldap.example.com -D <admin_dn> -W -b ou=Users,dc=example,dc=com mail

@hennadii2012
Author

hennadii2012 commented Apr 22, 2024

@jasonodonnell , I get mail in the answer from my LDAP server

root@4bcab5e557b7:/# ldapsearch -x -H ldaps://ldap.example.com -D admin -W -b ou=Users,dc=example,dc=com mail |grep test_user
Enter LDAP Password:
ldap_bind: Success (0)
	additional info: Valid access code
# test_user, Users, example.com
dn: uid=test_user,ou=Users,dc=example,dc=com
mail: test_user@example.com
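The ldapsearch check above confirms one user; before an upgrade a practitioner would want the same check over every account under userdn. The following is an added example (not Vault's code and not the reporter's data) that parses ldapsearch-style LDIF and reports the entries that have no value for the configured userattr. `parseLDIF` and `usersMissingAttr` are names chosen here; `sampleLDIF` is constructed input shaped like the output quoted above.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleLDIF is constructed data shaped like the ldapsearch output quoted above
// (not the reporter's); it includes the base entry and a value folded across lines.
const sampleLDIF = `dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit

dn: uid=test_user,ou=Users,dc=example,dc=com
mail: test_user@example.com

dn: uid=svc_backup,ou=Users,dc=example,dc=com
uid: svc_backup

dn: uid=long_name,ou=Users,dc=example,dc=com
MAIL: long.name@example
 .com

# search result
result: 0 Success
`

// entry is one LDIF record; attribute names are stored lower-cased because
// LDAP attribute names are case-insensitive.
type entry struct {
	DN    string
	Attrs map[string][]string
}

// splitAttr splits a "name: value" line (base64 "::" values are not needed here).
func splitAttr(line string) (name, val string, ok bool) {
	i := strings.IndexByte(line, ':')
	if i <= 0 {
		return "", "", false
	}
	return line[:i], strings.TrimSpace(line[i+1:]), true
}

// parseLDIF unfolds continuation lines, drops comments and groups attributes
// under the preceding dn line; a blank line ends an entry.
func parseLDIF(src string) []entry {
	var lines []string // logical lines after unfolding
	for _, raw := range strings.Split(src, "\n") {
		if strings.HasPrefix(raw, " ") && len(lines) > 0 {
			lines[len(lines)-1] += raw[1:] // continuation of the previous line
		} else {
			lines = append(lines, raw)
		}
	}
	var out []entry
	var cur *entry
	for _, line := range lines {
		name, val, ok := splitAttr(line)
		switch {
		case strings.HasPrefix(line, "#"): // comment, folded part included
		case !ok: // blank (or malformed) line ends the current entry
			if cur != nil {
				out, cur = append(out, *cur), nil
			}
		case strings.EqualFold(name, "dn"):
			if cur != nil {
				out = append(out, *cur)
			}
			cur = &entry{DN: val, Attrs: map[string][]string{}}
		case cur != nil: // attributes before any dn (e.g. "version: 1") are ignored
			cur.Attrs[strings.ToLower(name)] = append(cur.Attrs[strings.ToLower(name)], val)
		}
	}
	if cur != nil {
		out = append(out, *cur)
	}
	return out
}

// usersMissingAttr lists entries under baseDN (the auth method's userdn) with no
// non-empty value for attr (the auth method's userattr). The ",base" suffix test
// also excludes the base entry itself; it simplifies RFC 4514 DN matching.
func usersMissingAttr(entries []entry, baseDN, attr string) []string {
	var missing []string
	for _, e := range entries {
		if !strings.HasSuffix(strings.ToLower(e.DN), ","+strings.ToLower(baseDN)) {
			continue
		}
		if vals := e.Attrs[strings.ToLower(attr)]; len(vals) == 0 || strings.TrimSpace(vals[0]) == "" {
			missing = append(missing, e.DN)
		}
	}
	return missing
}

func main() {
	for _, dn := range usersMissingAttr(parseLDIF(sampleLDIF), "ou=Users,dc=example,dc=com", "mail") {
		fmt.Println("no mail value, LDAP login would fail:", dn)
	}
}
```

Feed it the output of the ldapsearch command from the previous comment (without the `grep`, so all entries are included) and every DN it prints is an account whose alias cannot be derived from `mail`; in the constructed sample that is `uid=svc_backup`, while the folded `MAIL` value is recognised as present.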

@jasonodonnell
Contributor

Thanks @hennadii2012, that's valuable info. Now to understand why Vault isn't seeing that 😅.

A few things I want to check:

  • Are you using Vault CE or Enterprise?
  • Can you confirm that your server is 1.16.1 and seeing this issue?
  • Do you see the same login failure on the CLI as well?

@hennadii2012
Author

Hello, thank you for your attention to this issue.

Are you using Vault CE or Enterprise? - Vault CE
Can you confirm that your server is 1.16.1 and seeing this issue? - Yes, I have version 1.16.1 of server installed
Do you see the same login failure on the CLI as well? - Yes, the problem is the same via cli

vault login -method=ldap username=test_user
Password (will be hidden):
Error authenticating: Error making API request.

URL: PUT https://vault.example.com/v1/auth/ldap/login/test_user
Code: 400. Errors:

* missing entity alias attribute value

@ldipaolaIT

Hello, same issue when upgrading Vault from version 1.8.5 to version 1.16.0-1 on an Ubuntu 20.04 operating system. Any workaround or fix?

@timonych

timonych commented Apr 24, 2024

I had a similar problem with LDAP.

My user was in a different OU than the one in the LDAP configuration (OU=users,DC=domain).
The OU was OU=admin,DC=domain.

After moving the user to the correct User DN (OU=users,DC=domain) the problem is gone.

@hennadii2012
Author

@ldipaolaIT , some issues with LDAP were fixed in version 1.16.1 (but not mine). Could you check, please, whether your issue was fixed in version 1.16.1?

@ldipaolaIT

Hello @hennadii2012 , I have upgraded to version 1.16.2 and the issue is fixed. Many thanks!

No branches or pull requests

5 participants