
LDAP group names are not lowercased when being deleted #29355

@gnugnug


Describe the bug
When creating, updating or reading LDAP groups, the group names are converted to lowercase. However this is not true when deleting a group. This leads to a situation where "vault write auth/ldap/MyGroup1" creates a group, but "vault delete auth/ldap/MyGroup1" does not delete it anymore. You have to use "vault delete auth/ldap/mygroup1" instead.

To Reproduce
Steps to reproduce the behavior:

  1. $ vault server -dev
    ==> Vault server configuration:
    Administrative Namespace:
    Api Address: http://127.0.0.1:8200
    Cgo: disabled
    Cluster Address: https://127.0.0.1:8201
    Environment Variables: DBUS_SESSION_BUS_ADDRESS, HOME, HOSTTYPE, LANG, LESSCLOSE, LESSOPEN, LOGNAME, LS_COLORS, NAME, OLDPWD, PATH, PWD, SHELL, SHLVL, TERM, USER, WSLENV, WSL_DISTRO_NAME, _
    Go Version: go1.23.3
    Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", disable_request_limiter: "false", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
    Log Level:
    Mlock: supported: true, enabled: false
    Recovery Mode: false
    Storage: inmem
    Version: Vault v1.18.3, built 2024-12-16T14:00:53Z

  2. $ vault auth enable ldap
    Success! Enabled ldap auth method at: ldap/

  3. $ vault write auth/ldap/groups/Test policies=123
    Success! Data written to: auth/ldap/groups/Test

  4. $ vault read auth/ldap/groups/Test
    Key Value
    policies [123]

  5. $ vault read auth/ldap/groups/test
    Key Value
    policies [123]

  6. $ vault delete auth/ldap/groups/Test
    Success! Data deleted (if it existed) at: auth/ldap/groups/Test

  7. $ vault read auth/ldap/groups/Test
    Key Value
    policies [123]

  8. $ vault read auth/ldap/groups/test
    Key Value
    policies [123]

  9. $ vault delete auth/ldap/groups/test
    Success! Data deleted (if it existed) at: auth/ldap/groups/test

  10. $ vault read auth/ldap/groups/Test
    No value found at auth/ldap/groups/Test

  11. $ vault read auth/ldap/groups/test
    No value found at auth/ldap/groups/test

Expected behavior
I would expect that step 6. above deletes the group, the same way it was created, and that the commands in step 7. and 8. return "No value found".
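
Steps 3, 6 and 7 of the report as a minimal Go model, added here as an example and not taken from the issue or from Vault's source; `groupStore`, `normalizeDelete` and `survivesDelete` are hypothetical names. It shows how a delete path that skips the normalization applied on write and read leaves the group's policy mapping in place while still reporting success.

```go
package main

import (
	"fmt"
	"strings"
)

// groupStore is a hypothetical in-memory stand-in, not Vault's implementation.
type groupStore struct {
	entries         map[string][]string
	normalizeDelete bool // false reproduces the reported behaviour
}

func newGroupStore(normalizeDelete bool) *groupStore {
	return &groupStore{entries: map[string][]string{}, normalizeDelete: normalizeDelete}
}

// Write and Read lowercase the name, as the issue describes.
func (s *groupStore) Write(name string, policies []string) {
	s.entries[strings.ToLower(name)] = policies
}
func (s *groupStore) Read(name string) ([]string, bool) {
	p, ok := s.entries[strings.ToLower(name)]
	return p, ok
}

// Delete uses the raw name unless normalizeDelete is set. Like the CLI
// output in the report, it succeeds whether or not anything was removed.
func (s *groupStore) Delete(name string) {
	if s.normalizeDelete {
		name = strings.ToLower(name)
	}
	delete(s.entries, name)
}

// survivesDelete replays steps 3, 6 and 7: write "Test", delete "Test",
// then report whether the policy mapping is still readable.
func survivesDelete(normalizeDelete bool) bool {
	s := newGroupStore(normalizeDelete)
	s.Write("Test", []string{"123"})
	s.Delete("Test")
	_, still := s.Read("Test")
	return still
}

func main() {
	fmt.Println("raw-name delete leaves mapping:", survivesDelete(false))
	fmt.Println("normalized delete leaves mapping:", survivesDelete(true))
}
```

When auditing an existing mount, read a group back after deleting it by its mixed-case name; a mapping that is still returned has to be removed using the lowercase name, as in step 9.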

Labels: auth/ldap, reproduced (This issue has been reproduced by a Vault engineer)
