500 payload error opening ldap config after enabling audit #27838

Open
telmomurphy opened this issue Jul 23, 2024 · 2 comments
Labels
auth/ldap bug Used to indicate a potential bug core/audit ui

Comments

@telmomurphy

I have HA vault deployed in kubernetes through helm.
Authentication is served using ldap.
After enabling the audit socket I've stopped being able to open the LDAP auth method configuration over the UI; if I disable audit, it starts working again. I was running Vault 1.16.1 and have now upgraded to 1.17.2, but to no avail. Error below:

Ember Data Request GET /v1/auth/ldap/?help=1 returned a 500 Payload (application/json) [object Object] internal error

To Reproduce
Steps to reproduce the behavior:

  1. Enable LDAP auth method
  2. Validate ldap config can be accessible over UI
  3. Enable audit socket: vault audit enable socket address="fluentd-service.mynamespace.svc.cluster.local:5140" socket_type=udp
  4. Open LDAP config again, the 500 error should appear

Expected behavior
Continue to be able to configure LDAP auth over UI without issues.

Environment:
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
vault vault 2 2024-07-23 08:58:40.790685612 +0100 IST deployed vault-0.28.1 1.17.2

  • Vault v1.17.2 (2af5655), built 2024-07-05T15:19:12Z
  • Server Operating System/Architecture: Kubernetes 1.24

Vault server configuration file(s):

apiVersion: v1
data:
  extraconfig-from-values.hcl: |2-

    disable_mlock = true
    ui = true
    listener "tcp" {
    tls_disable = 0
    address = "[::]:8200"
    cluster_address = "[::]:8201"
    tls_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt"
    tls_key_file  = "/vault/userconfig/vault-ha-tls/vault.key"
    tls_client_ca_file = "/vault/userconfig/vault-ha-tls/vault.ca"
    }
    storage "postgresql" {
    connection_url="postgres://myuser:mypass@mypostgresql.domain.com:5432/vault-db?sslmode=require"
    table="vault_kv_store"
    ha_enabled=true
    ha_table="vault_ha_locks"
    }
    service_registration "kubernetes" {}
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: vault
    meta.helm.sh/release-namespace: vault
  creationTimestamp: "2024-07-09T10:13:53Z"
  labels:
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: vault
    helm.sh/chart: vault-0.28.1
  name: vault-config
  namespace: vault
  resourceVersion: "26546202"
  uid: 8b6d2514-29a9-4908-bb25-288507580746


@heatherezell heatherezell added core/audit auth/ldap ui bug Used to indicate a potential bug labels Jul 26, 2024
@don-stuart

For what it's worth, I just tracked down something very similar. I found it related to a bad configuration of token_bound_cidrs. I saw the behavior in auth/ldap/config and auth/approle/role/something.

I'm not sure what I was doing wrong, since I couldn't see the bad configuration, but I think it involved using the "token_bound_cidrs=@file" syntax. I was able to fix/bypass it by using
vault write auth/ldap/config token_bound_cidrs="1.1.1.1/1,2.2.2.2/2,..."

I hope this helps.

@telmomurphy
Author

I've managed to find out the issue; although I'm not 100% sure why it fails, I have a good workaround.
In that cluster I use FluentD to ship logs elsewhere, and somehow not all audit logs are parsing correctly; therefore the path can't be accessed, as it cannot write to the audit output.
My workaround was to enable a second audit output (also recommended in the documentation). In my case I'm outputting to stdout, and this way there are no more parsing issues.
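The behaviour both the original report and the workaround above run into is Vault's documented fail-closed audit rule: once any audit device is enabled, Vault refuses a request unless at least one enabled device can persist the audit entry, so a single unwritable device surfaces as `500 internal error` on every audited path, and a second device is the documented mitigation. The model below is an added example, not Vault's code and not code from anyone in this thread; the sink classes, the `audit`/`handle_request` functions and the loopback stand-in for the fluentd collector are assumptions for illustration, and the audit entry is a constructed sample.

```python
"""Added example (not Vault's code): a minimal model of Vault's fail-closed
audit semantics.  With no audit devices enabled, requests proceed; with one
or more enabled, a request is refused unless at least one device accepted
the entry.  Sink names, addresses and the entry format are assumptions."""
import json
import socket
from typing import Dict, List, Protocol


class AuditSink(Protocol):
    name: str

    def write(self, line: str) -> None: ...  # must raise OSError on failure


class UdpSocketSink:
    """One JSON line per datagram, like `vault audit enable socket socket_type=udp`."""

    def __init__(self, name: str, address: str) -> None:
        host, port = address.rsplit(":", 1)
        self.name = name
        self.addr = (host, int(port))
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def write(self, line: str) -> None:
        # sendto raises OSError (e.g. EMSGSIZE for an oversized datagram,
        # ENETUNREACH for a dead route); a silently dropped datagram does not.
        self.sock.sendto(line.encode("utf-8"), self.addr)


class MemorySink:
    """Stand-in for a file/stdout audit device: keeps accepted lines in memory."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.lines: List[str] = []

    def write(self, line: str) -> None:
        self.lines.append(line)


class BrokenSink:
    """A device whose every write fails (unreachable collector, full disk, ...)."""

    def __init__(self, name: str) -> None:
        self.name = name

    def write(self, line: str) -> None:
        raise OSError(f"{self.name}: write failed")


def audit(sinks: List[AuditSink], entry: dict) -> Dict[str, str]:
    """Offer the entry to every enabled device; return {device: error} for failures."""
    line = json.dumps(entry, separators=(",", ":")) + "\n"
    errors: Dict[str, str] = {}
    for sink in sinks:
        try:
            sink.write(line)
        except OSError as exc:
            errors[sink.name] = str(exc)
    return errors


def handle_request(sinks: List[AuditSink], path: str) -> dict:
    """Fail closed the way Vault does: with devices enabled, refuse the request
    unless at least one device persisted the audit entry."""
    entry = {"type": "request", "request": {"path": path, "operation": "read"}}
    errors = audit(sinks, entry)
    if sinks and len(errors) == len(sinks):
        return {"status": 500, "errors": ["internal error"], "audit_failures": errors}
    return {"status": 200, "path": path, "audit_failures": errors}


if __name__ == "__main__":
    # Loopback stand-in for the fluentd collector (constructed, not a real service).
    collector = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    collector.bind(("127.0.0.1", 0))
    collector.settimeout(2)
    port = collector.getsockname()[1]

    # Only the socket device: one failing device blocks every audited path.
    print(handle_request([BrokenSink("socket")], "auth/ldap/config"))
    # Socket device plus a second (stdout-like) device: the request proceeds,
    # and the failure is still recorded so it can be alerted on.
    sinks = [UdpSocketSink("socket", f"127.0.0.1:{port}"), MemorySink("stdout")]
    print(handle_request(sinks, "auth/ldap/config"))
    print("collector received:", json.loads(collector.recv(65535)))
```

The `audit_failures` field is the part worth wiring into monitoring: once a second device is enabled the request no longer fails, which is exactly when a broken socket device stops being noticed unless something alerts on its write errors.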

3 participants