我有一个由Consul群集支持并与LDAP服务器集成的Vault服务器,它可以与LDAP服务器正常工作,并且一切正常,但是唯一的事情是我无法续订这些登录名生成的令牌。
要复制
重现该行为的步骤:
vault login -method=ldap username=myusername -renewable=true并按以下方式获取令牌:Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token s.wCQedkMmX61EJszE64HqPzhC
token_accessor qcxkggK00WxgwmxOC9Ht9vpc
token_duration 24h
token_renewable true
token_policies ["default"]
identity_policies []
policies ["default"]
token_meta_username myusername
root用户身份登录并运行vault token lookup s.wCQedkMmX61EJszE64HqPzhC以检查令牌状态和ttl:Key Value
--- -----
accessor qcxkggK00WxgwmxOC9Ht9vpc
creation_time 1576051650
creation_ttl 24h
display_name ldap-myusername
entity_id 1fc1f68d-face-f9f1-468f-36b94e10fb3b
expire_time 2019-12-12T08:07:30.56805754Z
explicit_max_ttl 0s
id s.wCQedkMmX61EJszE64HqPzhC
issue_time 2019-12-11T08:07:30.568070919Z
meta map[username:myusername]
num_uses 0
orphan true
path auth/ldap/login/myusername
policies [default]
**renewable true**
ttl 23h55m5s
type service
很明显,令牌的renewable属性为true,其type为service,因此可以续签。
运行vault token renew s.wCQedkMmX61EJszE64HqPzhC续订上面给出的令牌。
当我再次查询令牌时,其ttl没有任何反应。运行vault token lookup s.wCQedkMmX61EJszE64HqPzhC:
Key Value
--- -----
accessor qcxkggK00WxgwmxOC9Ht9vpc
creation_time 1576051650
creation_ttl 24h
display_name ldap-myusername
entity_id 1fc1f68d-face-f9f1-468f-36b94e10fb3b
expire_time 2019-12-12T08:07:30.56805754Z
explicit_max_ttl 0s
id s.wCQedkMmX61EJszE64HqPzhC
issue_time 2019-12-11T08:07:30.568070919Z
meta map[username:myusername]
num_uses 0
orphan true
path auth/ldap/login/myusername
policies [default]
renewable true
ttl 23h53m24s
type service
注意:我使用API调用和自我更新尝试了上述步骤,但结果与上面相同。
预期的行为
我的预期行为是在为LDAP令牌运行vault token renew s.wCQedkMmX61EJszE64HqPzhC后root的{{1}}返回到ttl值。
环境:
creation_ttlroot@ubuntu:~# vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 5
Threshold 3
Version 1.3.0
Cluster Name vault-cluster-11d62d58
Cluster ID a9704841-7f1c-1986-a880-a2c252f23ed2
HA Enabled true
HA Cluster https://10.1.10.1:8201
HA Mode active
root@ubuntu:~# vault version
Vault v1.3.0
Vault服务器配置文件:
root@ubuntu:~# uname -a
Linux ubuntu 4.15.0-45-generic #48-Ubuntu SMP Tue Jan 29 16:28:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
更新:
您可以使用此示例免费LDAP服务器配置。重现这种情况:
listener "tcp" {
address = "0.0.0.0:8200"
cluster_address = "10.1.10.1:8201"
tls_disable = "true"
}
storage "consul" {
address = "127.0.0.1:8500"
path = "vault/"
}
ui = true
api_addr = "http://10.1.10.1:8200"
cluster_addr = "https://10.1.10.1:8201"
使用#Test LDAP server
vault write auth/ldap/config \
url="ldap://ldap.forumsys.com:389" \
userdn="uid=tesla,dc=example,dc=com" \
userattr="uid" \
groupattr="cn" \
groupdn="dc=example,dc=com" \
binddn="uid=tesla,dc=example,dc=com" \
bindpass='password' \
starttls=false
和vault login -method=ldap username=tesla作为密码登录,然后尝试续订生成的令牌。