Problem

I wrote the binding configurations and made sure that the binding has been successful via wireshark. When I write the role configuration by adding the "service_account_name="[email protected]"" attribute, it returns a message saying:

Code: 500. Errors: 
* 1 error occurred: 
* unable to find service account named testaccount in active directory, searches are case sensitive

The account is there and I can login to ldap server in this form [email protected].
I used wireshark to inspect the packets and it appears that 'userPrincipalName' is used to search for the account in ldap.

How to reproduce

Having an ldap server running and vault server running, unsealed and all variables are exported,
First, enable Active Directory secret engine:

vault secrets enable ad

Second, configure the secret engine:

vault write ad/config binddn='uid=testuser,cn=users,cn=accounts,dc=domain,dc=net' bindpass='testpass' userdn='cn=users,cn=accounts,dc=domain,dc=net' url="ldap://ldap.domain.net" insecure_tls=true

Third, write role configurations:

vault write ad/roles/testuser service_account_name='[email protected]'

Also, I am not sure why but it seems it is not an option to choose which filter to use for ldap searches which is userPrincipalName parameter. I recognized this from wireshark inspection then looked into the ad plugin afterwards.

Thanks

hello,

I looked at:
https://github.com/hashicorp/vault-plugin-secrets-ad/blob/master/plugin/backend_test.go

and was hoping to use it to do a quick test.
so I started a vault server, enabled the ad engine: vault secrets enable ad

then created the following config

vault write ad/config \
    binddn='euclid' \
    bindpass='password' \
    url='ldap://ldap.forumsys.com:389' \
    userdn='cn=read-only-admin,dc=example,dc=com'

but I get an error on the role:

vault write ad/roles/test_role service_account_name="[email protected]" ttl="10"

Error writing data to ad/roles/test_role: Error making API request.

URL: PUT http://localhost:8200/v1/ad/roles/test_role
Code: 500. Errors:

* 1 error occurred:
	* LDAP Result Code 34 "Invalid DN Syntax": invalid DN

is that supposed to work?
if not, any instructions to achieve similar?

thanks

Scenario:

• A role matching an AD account is configured in this secrets engine
• The AD account is later deleted, or has its userPrincipalName changed

Because *backend.readRole expects to be able to query AD:

two poor behaviours now occur:

• Any attempt to read the role (GET /ad/roles/:name) results in an internal server error
• Any attempt to update the role with the new userPrincipalName (POST/PUT /ad/roles/:name) also results in an error

Expected behaviours:

• Reading a role for which the corresponding account has gone missing in AD, should successfully return the existing configuration - possibly along with a warning.
• Writing new correct configuration over a role in this state should succeed, without requiring a workaround of deleting and recreating it.

Hey yall anyone having a hard time using the Vault AD Engine and trying to setup a library?
I get an error:
Error writing data to ad/library/x-team: Error making API request.

URL: PUT https://vault.x.io/v1/ad/library/x-team
Code: 404. Errors:

1 error occurred:

• unsupported path

This is my call:
vault write -f ad/library/x-team service_account_names="[email protected],[email protected]" ttl=2h max_ttl=8h

FWIW - The act of creating a role does work.

Has the path been deprecated? Is it specific to a version of Vault? I am on?

We are serving: Vault 1.2.4+prem
My local install of the vault CLI is: Vault v1.3.2+ent

Issue Summary

The documentation for the AD secrets engine requires the following:

• binddn a distinguished name for the object that will be bound when attempting to search AD
• bindpass the password for the object identified by the binddn (above)

Additionally there are two optional configuration parameters:

• userdn the distinguished name of the base object (OU) to be used when searching for users
• upndomain a 'user principal name' domain (i.e. suffix of a userPrincipalName)

The documentation for upndomain contains the following:

The constructed UPN will appear as [username]@UPNDomain. Example: example.com, which will cause vault to bind as [email protected].

The first issue is that username doesn't appear in the documentation at all, and thus is confusing for the reader/Vault operator.

The second issue is that if upndomain is supplied then binddn is ignored as a DN, and instead, the value supplied for the binddn and the upndomain are concatenated together with an @ between them. Therefore binddn as a parameter name is misleading in this context.

This causes problems as it requires Vault operators to know that by supplying upndomain (e.g. vaultproject.io) they will be required to 'repurpose' binddn as the prefix for the userPrincipalName (i.e. bob in the userPrincipalName: [email protected]) that should be used to bind to LDAP.

From having a glance at the code, I believe this to be a bug, albeit one that's always been there, also the documentation isn't clear users.

Suggestion:

• Don't try to repurpose the Vault core ldaputil/config fields within this plugin, consider adding additional fields to the plugin/client/config such as binddn, bindupn
• Clarify and improve the public documentation about the priority/precedence of using the config params
• Stretch goal: userdn is also a bit misleading as it's actually just the base DN for searches to start at, it would be awesome if this could be renamed something more intuative such as searchbasedn

When I add this plugin to Vault's plugin catalog then try to configure it, I receive:

2019-03-27T10:18:16.561-0700 [DEBUG] secrets.active-directory.active-directory_5b0eacd7.active-directory: starting plugin: path=/home/tbex/go/src/github.com/hashicorp/vault-plugin-secrets-ad/bin/vault-plugin-secrets-active-directory args=[/home/tbex/go/src/github.com/hashicorp/vault-plugin-secrets-ad/bin/vault-plugin-secrets-active-directory]
2019-03-27T10:18:16.562-0700 [DEBUG] secrets.active-directory.active-directory_5b0eacd7.active-directory: plugin started: path=/home/tbex/go/src/github.com/hashicorp/vault-plugin-secrets-ad/bin/vault-plugin-secrets-active-directory pid=25274
2019-03-27T10:18:16.562-0700 [DEBUG] secrets.active-directory.active-directory_5b0eacd7.active-directory: waiting for RPC address: path=/home/tbex/go/src/github.com/hashicorp/vault-plugin-secrets-ad/bin/vault-plugin-secrets-active-directory
2019-03-27T10:18:16.565-0700 [ERROR] secrets.active-directory.active-directory_5b0eacd7.active-directory.vault-plugin-secrets-active-directory: plugin tls init: error="no vault api_addr found" timestamp=2019-03-27T10:18:16.565-0700
2019-03-27T10:18:16.565-0700 [DEBUG] secrets.active-directory.active-directory_5b0eacd7.active-directory: plugin process exited: path=/home/tbex/go/src/github.com/hashicorp/vault-plugin-secrets-ad/bin/vault-plugin-secrets-active-directory pid=25274
2019-03-27T10:18:16.565-0700 [ERROR] core: failed to run existence check: error="plugin exited before we could connect"