-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vault 1.13.2 custom policy is not working as previous vault version i.e. Vault 1.13.0 #20979
Comments
This all-in-one-line policy is pretty hard to read. Personally, I suggest you switch to representing policies in HCL, rather than JSON - it aids readability, and readability is important for security controls. You say that is your policy for ldap users ... is it truly your intention to give every LDAP user in your organization administrator-level access to do pretty much anything in Vault?!
I strongly suspect that if you look at the policies that are active ( I think you're seeing the defect that was introduced in 1.13.2 detailed in #20416 |
@maxb Thanks a lot, yeah it was not policy related issue. I went through #20416 and found the max page size configuration in Access>Auth methods>ldap>configure and made it -1 and it started working. While going through the discussion, mostly are saying it's a bug. But I'm not sure what this function(max_page_size) does! Anyway thanks again, this workaround will work for now. Not closing this topic as I might get more answers on same from community members. If no activity happens, I'll close it. |
It informs the LDAP server to provide the list of groups that a user is in, in multiple chunks (pages) - it exists mainly to work around wrongheaded defaults in Active Directory, which refuses to return more than 1000 groups in one response... but is quite happy to serve up multiple searches for the same large set of groups, sliced into pages of 1000 each.
Yes, the defect in Vault is that it sets the value to zero on upgrade to 1.13.2, and zero is an invalid value per the LDAP spec. As a result, the LDAP server says "no" and Vault goes "I guess the user isn't in any groups, then". |
Thank you for the explanation @maxb !!!! :) |
Since #20453 has merged for Vault 1.13.3, fixing #20416, which is now out, I'm going to go ahead and close this. Feel free to re-open this if that didn't solve the problem :-) |
Hello,
We have deployed latest vault image in our production environment which is Vault 1.13.2 but we are facing issue with permission with LDAP users while access different tabs after login. Below is our internal custom policy for ldap users
Same policy is being used in Vault 1.13.0 but there all users are able to login and view secrets/access/policies
But in 1.13.2, when LDAP user tries to access "Access" then below error comes up
when he/she tries to access "Policies" tab then below error pops-up
Also in "Secrets" tab we have archive,cubbyhole and secret directories created but only cubbyhole is visible.
I tried below solution and added path - sys/auth* in our custom policy but still same error
#6876
Has something changes in new Image "Vault 1.13.2" compared to 1.13.0? Please help me out here.
(@cipherboy: edited for formatting)
The text was updated successfully, but these errors were encountered: