Vault UI Does not Configure LDAP Auth BindDN Correctly

[eugene-davis]

Describe the bug
When using the UI to set up LDAP auth as opposed to the CLI, the BindDN account is not used, and instead it attempts to bind using the user's account. When it is configured via the CLI, it works as expected.

To Reproduce
Steps to reproduce the behavior:

1. Configure LDAP authentication with an BindDN account from the web UI ( https://vaulturl.com:8200/ui/vault/settings/auth/configure/ldap/configuration )
2. Attempt to login via LDAP, see the authentication
3. See Error authenticating: Error Making AP request message (reproduced in full below).
4. Configure the LDAP the same way, via Vault CLI, i.e.

 vault write auth/ldap/config \
  url="ldap://ldapserver.com" \
  binddn="CN=vault,OU=service,OU=users,O=org,C=com" \
  bindpass="password" \
  userdn="OU=employees,OU=users,O=org,C=com" \
  userattr="sAMAccountName" \
  groupdn="CN=groups, O=org, C=com" \
  groupattr="cn" \
  insecure_tls=false

Expected behavior
Configuration from the UI and Vault CI should result in identical configurations.

Environment:

• Vault Server Version (retrieve with vault status): 1.0.2
• Vault CLI Version (retrieve with vault version): v1.0.2 ('37a1dc9c477c1c68c022d2084550f25bf20cac33')
• Server Operating System/Architecture: CentOS Linux release 7.6.1810 (Core)/AMD64

Vault server configuration file(s):

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/vaulturl.com.cer"
  tls_key_file  = "/etc/vault.d/vaulturl.com.key"
}


storage "file" {
  path = "/srv/vault/data"
}

Additional context
The password for the bind user contained a special character, maybe the UI doesn't escape the string correctly? I had to escape it in the call the Vault CLI, but the same escape doesn't solve the problem in the web UI.

Flawed Capture Sample from LDAP (Wireshark "Follow Stream" scrubbed):

0N...`I....4samaccountname=user,OU=users,O=org,C=com..password....i...a....`
.1...Y8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 2030, v3839.

This is associated with this message from the CLI:

Error authenticating: Error making API request.

URL: PUT https://vaulturl.com:8200/v1/auth/ldap/login/user
Code: 400. Errors:

* ldap operation failed

[tyrannosaurus-becks]

@eugene-davis thanks for adding this issue! I believe the UI is just passing through the value without editing it or escaping anything.

Can you make up and share a fake password with special character in it? And then share how you provide it in the UI and CLI, both escaped and not escaped?

Thanks!

[eugene-davis]

@tyrannosaurus-becks sure, let's use a$ecret.

CLI - Unescaped and Non-Functional

 vault write auth/ldap/config \
  url="ldap://ldapserver.com" \
  binddn="CN=vault,OU=service,OU=users,O=org,C=com" \
  bindpass="a$ecret" \
  userdn="OU=employees,OU=users,O=org,C=com" \
  userattr="sAMAccountName" \
  groupdn="CN=groups, O=org, C=com" \
  groupattr="cn" \
  insecure_tls=false

I know for a fact this version returns the same authentication errors as it was the first way I attempted to perform configuration, but I don't have a wireshark capture so its possible it behaves differently than the UI issue.

CLI - Escaped and Working

 vault write auth/ldap/config \
  url="ldap://ldapserver.com" \
  binddn="CN=vault,OU=service,OU=users,O=org,C=com" \
  bindpass="a\$ecret" \
  userdn="OU=employees,OU=users,O=org,C=com" \
  userattr="sAMAccountName" \
  groupdn="CN=groups, O=org, C=com" \
  groupattr="cn" \
  insecure_tls=false

UI
I used the same configuration setup by the above CLI command, and tried both a$ecret and a\$ecret for the weird issue where it tried to use the username entered by the user rather than the bind DN to bind.

[meirish]

Fixed by #7206