auth/ldap: add username_as_alias configurable #14324

jasonodonnell · 2022-03-01T19:16:43Z

This adds a new config parameter to the LDAP util SDK username_as_alias. A change in #11000 resulted in alias names changing, which has broken a number of users in 1.9+. Using this parameter, an operator can change alias names back.

For example, if LDAP auth was configured with no binddn or bindpass, in 1.8.8 the alias name would be:

[~] vault read identity/alias/id/66c3a58f-9a72-26cf-f5a9-438528398eb3
Key                          Value
---                          -----
...
mount_accessor               auth_ldap_6af4105c
mount_path                   auth/ldap/
mount_type                   ldap
name                         bob
namespace_id                 root

However, in 1.9.3, the same config would result in alias names like this:

[~] vault read identity/alias/id/67656061-c8d2-8379-a7a5-dfa2c89659c9
Key                          Value
---                          -----
...
mount_accessor               auth_ldap_01e39e22
mount_path                   auth/ldap/
mount_type                   ldap
name                         cn=bob,CN=Users,DC=corp,DC=example,DC=net
namespace_id                 root

jasonodonnell · 2022-03-01T19:49:27Z

Known issue PR opened here: #14325.

sdk/helper/ldaputil/config.go

builtin/credential/ldap/path_login.go

calvn · 2022-03-14T22:01:28Z

Should the label be all the way back to 1.8.10?

There is a bug that was introduced in the LDAP authentication method by hashicorp#11000. It was thought to be backward compatible but has broken a number of users. Later a new parameter `username_as_alias` was introduced in hashicorp#14324 to make it possible for operators to restore the previous behavior. The way it is currently working is not completely backward compatible thought because when username_as_alias is set, a call to GetUserAliasAttributeValue() will first be made, then this value is completely discarded in pathLogin() and replaced by the username as expected. This is an issue because it makes useless calls to the LDAP server and will break backward compatibility if one of the constraints in GetUserAliasAttributeValue() is not respected, even though the resulting value will be discarded anyway. In order to maintain backward compatibility here we have to only call GetUserAliasAttributeValue() if necessary. Since this change of behavior was introduced in 1.9, this fix will need to be backported to the 1.9, 1.10 and 1.11 branches.

* Fix handling of username_as_alias during LDAP authentication There is a bug that was introduced in the LDAP authentication method by #11000. It was thought to be backward compatible but has broken a number of users. Later a new parameter `username_as_alias` was introduced in #14324 to make it possible for operators to restore the previous behavior. The way it is currently working is not completely backward compatible thought because when username_as_alias is set, a call to GetUserAliasAttributeValue() will first be made, then this value is completely discarded in pathLogin() and replaced by the username as expected. This is an issue because it makes useless calls to the LDAP server and will break backward compatibility if one of the constraints in GetUserAliasAttributeValue() is not respected, even though the resulting value will be discarded anyway. In order to maintain backward compatibility here we have to only call GetUserAliasAttributeValue() if necessary. Since this change of behavior was introduced in 1.9, this fix will need to be backported to the 1.9, 1.10 and 1.11 branches. * Add changelog * Add tests * Format code * Update builtin/credential/ldap/backend.go Co-authored-by: Calvin Leung Huang <[email protected]> * Format and fix declaration * Reword changelog Co-authored-by: Calvin Leung Huang <[email protected]>

* Fix handling of username_as_alias during LDAP authentication There is a bug that was introduced in the LDAP authentication method by #11000. It was thought to be backward compatible but has broken a number of users. Later a new parameter `username_as_alias` was introduced in #14324 to make it possible for operators to restore the previous behavior. The way it is currently working is not completely backward compatible thought because when username_as_alias is set, a call to GetUserAliasAttributeValue() will first be made, then this value is completely discarded in pathLogin() and replaced by the username as expected. This is an issue because it makes useless calls to the LDAP server and will break backward compatibility if one of the constraints in GetUserAliasAttributeValue() is not respected, even though the resulting value will be discarded anyway. In order to maintain backward compatibility here we have to only call GetUserAliasAttributeValue() if necessary. Since this change of behavior was introduced in 1.9, this fix will need to be backported to the 1.9, 1.10 and 1.11 branches. * Add changelog * Add tests * Format code * Update builtin/credential/ldap/backend.go Co-authored-by: Calvin Leung Huang <[email protected]> * Format and fix declaration * Reword changelog Co-authored-by: Calvin Leung Huang <[email protected]> # Conflicts: # builtin/credential/ldap/backend_test.go

…#15556) * Fix handling of username_as_alias during LDAP authentication There is a bug that was introduced in the LDAP authentication method by #11000. It was thought to be backward compatible but has broken a number of users. Later a new parameter `username_as_alias` was introduced in #14324 to make it possible for operators to restore the previous behavior. The way it is currently working is not completely backward compatible thought because when username_as_alias is set, a call to GetUserAliasAttributeValue() will first be made, then this value is completely discarded in pathLogin() and replaced by the username as expected. This is an issue because it makes useless calls to the LDAP server and will break backward compatibility if one of the constraints in GetUserAliasAttributeValue() is not respected, even though the resulting value will be discarded anyway. In order to maintain backward compatibility here we have to only call GetUserAliasAttributeValue() if necessary. Since this change of behavior was introduced in 1.9, this fix will need to be backported to the 1.9, 1.10 and 1.11 branches. * Add changelog * Add tests * Format code * Update builtin/credential/ldap/backend.go Co-authored-by: Calvin Leung Huang <[email protected]> * Format and fix declaration * Reword changelog Co-authored-by: Calvin Leung Huang <[email protected]> # Conflicts: # builtin/credential/ldap/backend_test.go Co-authored-by: Rémi Lapeyre <[email protected]>

…rp#15525) * Fix handling of username_as_alias during LDAP authentication There is a bug that was introduced in the LDAP authentication method by hashicorp#11000. It was thought to be backward compatible but has broken a number of users. Later a new parameter `username_as_alias` was introduced in hashicorp#14324 to make it possible for operators to restore the previous behavior. The way it is currently working is not completely backward compatible thought because when username_as_alias is set, a call to GetUserAliasAttributeValue() will first be made, then this value is completely discarded in pathLogin() and replaced by the username as expected. This is an issue because it makes useless calls to the LDAP server and will break backward compatibility if one of the constraints in GetUserAliasAttributeValue() is not respected, even though the resulting value will be discarded anyway. In order to maintain backward compatibility here we have to only call GetUserAliasAttributeValue() if necessary. Since this change of behavior was introduced in 1.9, this fix will need to be backported to the 1.9, 1.10 and 1.11 branches. * Add changelog * Add tests * Format code * Update builtin/credential/ldap/backend.go Co-authored-by: Calvin Leung Huang <[email protected]> * Format and fix declaration * Reword changelog Co-authored-by: Calvin Leung Huang <[email protected]>

jasonodonnell requested a review from a team March 1, 2022 19:16

jasonodonnell added this to the 1.9.5 milestone Mar 1, 2022

vercel bot temporarily deployed to Preview – vault-storybook March 1, 2022 19:21 Inactive

vercel bot temporarily deployed to Preview – vault March 1, 2022 19:21 Inactive

vercel bot temporarily deployed to Preview – vault March 1, 2022 19:23 Inactive

vercel bot temporarily deployed to Preview – vault-storybook March 1, 2022 19:23 Inactive

vercel bot temporarily deployed to Preview – vault-storybook March 4, 2022 18:22 Inactive

vercel bot deployed to Preview – vault March 4, 2022 18:22 View deployment

calvn reviewed Mar 4, 2022

View reviewed changes

sdk/helper/ldaputil/config.go Show resolved Hide resolved

builtin/credential/ldap/path_login.go Outdated Show resolved Hide resolved

jasonodonnell requested a review from taoism4504 as a code owner March 14, 2022 19:05

vercel bot deployed to Preview – vault March 14, 2022 19:05 View deployment

vercel bot temporarily deployed to Preview – vault-storybook March 14, 2022 19:05 Inactive

auth/ldap: add username_as_alias config flag

c6f67ab

jasonodonnell force-pushed the auth-ldap-alias-username branch from a1ae3c4 to c6f67ab Compare March 14, 2022 19:48

vercel bot deployed to Preview – vault March 14, 2022 19:48 View deployment

vercel bot temporarily deployed to Preview – vault-storybook March 14, 2022 19:48 Inactive

calvn approved these changes Mar 14, 2022

View reviewed changes

jasonodonnell modified the milestones: 1.9.5, 1.8.10 Mar 15, 2022

jasonodonnell added backport/1.9.x labels Mar 15, 2022

jasonodonnell merged commit b064da3 into main Mar 15, 2022

jasonodonnell deleted the auth-ldap-alias-username branch March 15, 2022 14:21

jasonodonnell added a commit that referenced this pull request Mar 15, 2022

auth/ldap: add username_as_alias config flag (#14324)

b0fbdab

jasonodonnell mentioned this pull request Mar 15, 2022

Backport of auth/ldap: add username_as_alias configurable into release/1.8.x #14500

Merged

jasonodonnell added a commit that referenced this pull request Mar 15, 2022

auth/ldap: add username_as_alias config flag (#14324) (#14500)

ae06a8e

remilapeyre mentioned this pull request May 19, 2022

Fix handling of username_as_alias during LDAP authentication #15525

Merged

This was referenced May 20, 2022

Backport of Fix handling of username_as_alias during LDAP authentication into release/1.9.x #15556

Merged

Backport of Fix handling of username_as_alias during LDAP authentication into release/1.10.x #15557

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

auth/ldap: add username_as_alias configurable #14324

auth/ldap: add username_as_alias configurable #14324

jasonodonnell commented Mar 1, 2022 •

edited

Loading

jasonodonnell commented Mar 1, 2022

calvn commented Mar 14, 2022

auth/ldap: add username_as_alias configurable #14324

auth/ldap: add username_as_alias configurable #14324

Conversation

jasonodonnell commented Mar 1, 2022 • edited Loading

jasonodonnell commented Mar 1, 2022

calvn commented Mar 14, 2022

jasonodonnell commented Mar 1, 2022 •

edited

Loading