I have a Vault server backed by a Consul cluster and integrated with my LDAP server. It works fine with my LDAP server and everything goes well with it, but the only thing is that I cannot renew the tokens generated by these logins.
**To Reproduce**

Steps to reproduce the behaviour:

Run `vault login -method=ldap username=myusername -renewable=true` and get the token as follows:

```
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                s.wCQedkMmX61EJszE64HqPzhC
token_accessor       qcxkggK00WxgwmxOC9Ht9vpc
token_duration       24h
token_renewable      true
token_policies       ["default"]
identity_policies    []
policies             ["default"]
token_meta_username  myusername
```

Then, as the `root` user, run `vault token lookup s.wCQedkMmX61EJszE64HqPzhC` to check the token status and ttl:

```
Key                 Value
---                 -----
accessor            qcxkggK00WxgwmxOC9Ht9vpc
creation_time       1576051650
creation_ttl        24h
display_name        ldap-myusername
entity_id           1fc1f68d-face-f9f1-468f-36b94e10fb3b
expire_time         2019-12-12T08:07:30.56805754Z
explicit_max_ttl    0s
id                  s.wCQedkMmX61EJszE64HqPzhC
issue_time          2019-12-11T08:07:30.568070919Z
meta                map[username:myusername]
num_uses            0
orphan              true
path                auth/ldap/login/myusername
policies            [default]
renewable           true
ttl                 23h55m5s
type                service
```

As is obvious, the `renewable` property of the token is `true` and its `type` is `service`, so it can be renewed.
Run `vault token renew s.wCQedkMmX61EJszE64HqPzhC` to renew the token given above. When I look up the token again, nothing happened to its ttl. Run `vault token lookup s.wCQedkMmX61EJszE64HqPzhC`:

```
Key                 Value
---                 -----
accessor            qcxkggK00WxgwmxOC9Ht9vpc
creation_time       1576051650
creation_ttl        24h
display_name        ldap-myusername
entity_id           1fc1f68d-face-f9f1-468f-36b94e10fb3b
expire_time         2019-12-12T08:07:30.56805754Z
explicit_max_ttl    0s
id                  s.wCQedkMmX61EJszE64HqPzhC
issue_time          2019-12-11T08:07:30.568070919Z
meta                map[username:myusername]
num_uses            0
orphan              true
path                auth/ldap/login/myusername
policies            [default]
renewable           true
ttl                 23h53m24s
type                service
```
Note: I tried the steps above using API calls and self-renew, but the result was the same as above.
**Expected behavior**

My expected behaviour was that after running `vault token renew s.wCQedkMmX61EJszE64HqPzhC` for an LDAP token as `root`, the ttl of the token gets back to the creation_ttl value.
**Environment:**

```
root@ubuntu:~# vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.3.0
Cluster Name    vault-cluster-11d62d58
Cluster ID      a9704841-7f1c-1986-a880-a2c252f23ed2
HA Enabled      true
HA Cluster      https://10.1.10.1:8201
HA Mode         active
root@ubuntu:~# vault version
Vault v1.3.0
root@ubuntu:~# uname -a
Linux ubuntu 4.15.0-45-generic #48-Ubuntu SMP Tue Jan 29 16:28:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
```

Vault server configuration file(s):

```hcl
listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "10.1.10.1:8201"
  tls_disable     = "true"
}
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}
ui           = true
api_addr     = "http://10.1.10.1:8200"
cluster_addr = "https://10.1.10.1:8201"
```
**UPDATE:**

You can use this sample free LDAP server config to reproduce the situation:

```sh
# Test LDAP server
vault write auth/ldap/config \
  url="ldap://ldap.forumsys.com:389" \
  userdn="uid=tesla,dc=example,dc=com" \
  userattr="uid" \
  groupattr="cn" \
  groupdn="dc=example,dc=com" \
  binddn="uid=tesla,dc=example,dc=com" \
  bindpass='password' \
  starttls=false
```

Log in using `vault login -method=ldap username=tesla` with `password` as the password, and then try to renew the generated token.
The problem was a bug in version 1.3.0 of Vault. I have created an issue for the bug, which led to a PR for the next version, and the problem got fixed in 1.3.2.
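A small check script, added here as an example and not part of the original post or of Vault itself, that makes the symptom above measurable: it reads the ttl from `vault token lookup` before and after `vault token renew` and reports whether the renew actually moved the ttl back up. It assumes the `vault` CLI is on `PATH` with `VAULT_ADDR`/`VAULT_TOKEN` set (hypothetical environment) and takes the token id as its first argument.

```sh
#!/bin/sh
# Added example (not from the original post): check whether `vault token renew`
# really resets a token's ttl toward creation_ttl, the behaviour the post
# reports as broken on Vault 1.3.0 and fixed in 1.3.2.
# Assumes: vault CLI on PATH, VAULT_ADDR and VAULT_TOKEN exported (hypothetical).

# Convert a Vault CLI duration such as 23h55m5s, 24h or 0s into whole seconds.
# Only the h/m/s units that `vault token lookup` prints are handled.
duration_to_seconds() {
  d=$1; total=0
  h=${d%%h*}; if [ "$h" != "$d" ]; then total=$((total + h * 3600)); d=${d#*h}; fi
  m=${d%%m*}; if [ "$m" != "$d" ]; then total=$((total + m * 60)); d=${d#*m}; fi
  s=${d%%s*}; if [ "$s" != "$d" ]; then total=$((total + s)); fi
  echo "$total"
}

# Read one field from the Key/Value table that `vault token lookup` prints
# (fed on stdin); matching on the whole key keeps `ttl` from matching `creation_ttl`.
lookup_field() {
  awk -v key="$1" '$1 == key { print $2 }'
}

# A working renew resets ttl to (roughly) creation_ttl, so the ttl read after
# the renew must be larger than the one read before it. Returns 0 if so, 1 if not.
renew_took_effect() {  # $1 = ttl before, $2 = ttl after
  before=$(duration_to_seconds "$1")
  after=$(duration_to_seconds "$2")
  [ "$after" -gt "$before" ]
}

# Live check against a real Vault: look up, let the ttl decay a little so the
# comparison is meaningful, renew, look up again, and report the result.
check_token_renew() {  # $1 = token id
  before=$(vault token lookup "$1" | lookup_field ttl)
  creation=$(vault token lookup "$1" | lookup_field creation_ttl)
  sleep 2
  vault token renew "$1" >/dev/null
  after=$(vault token lookup "$1" | lookup_field ttl)
  if renew_took_effect "$before" "$after"; then
    echo "OK: ttl went from $before to $after (creation_ttl $creation)"
  else
    echo "FAIL: ttl went from $before to $after, renew did not take effect"
    return 1
  fi
}

if [ $# -gt 0 ]; then check_token_renew "$1"; fi
```

Run it as `sh check_renew.sh s.wCQedkMmX61EJszE64HqPzhC`; on the 1.3.0 output shown above (23h55m5s before, 23h53m24s after) it reports FAIL.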