Merge pull request #394 from hashicorp/repo-sync

hashibot-web · web-flow · commit ad0f23963f3f · 2025-09-08T14:48:19.000-05:00
Repo sync
diff --git a/content/vault/global/partials/important-changes/summary-tables/1_19.mdx b/content/vault/global/partials/important-changes/summary-tables/1_19.mdx
@@ -41,3 +41,4 @@ Found  | Fixed  | Workaround | Edition    | Issue
 1.19.0 | 1.19.1 | Upgrade    | All        | [Vault log file missing subsystem logs](/vault/docs/v1.19.x/updates/important-changes#missing-logs)
 1.19.1 | 1.19.4 | **Yes**    | All        | [Azure authN fails to authenticate Uniform VMSS instances](/vault/docs/v1.19.x/updates/important-changes#azure-vmss)
 1.18.4 | No     | **Yes**    | All        | [Failing credential refresh for Snowflake DB secrets engine key pair authentication](/vault/docs/v1.19.x/updates/important-changes#snowflake-keypair-refresh)
+1.19.0 | No     | No         | All        | [Writing configuration to local auth mount (ldap, aws, gcp, azure) ignores local flag](/vault/docs/v1.19.x/updates/important-changes#local-auth-known-issue)
diff --git a/content/vault/global/partials/important-changes/summary-tables/1_20.mdx b/content/vault/global/partials/important-changes/summary-tables/1_20.mdx
@@ -29,3 +29,4 @@ Found  | Fixed  | Workaround | Edition    | Issue
 1.20.0 | 1.20.1 | **Yes**    | All        | [GUI navigation error for KV v2 secret paths containing underscores](/vault/docs/v1.20.x/updates/important-changes#ui-kvv2-underscore-secrets)
 1.18.4 | No     | **Yes**    | All        | [Failing credential refresh for Snowflake DB secrets engine key pair authentication](/vault/docs/v1.20.x/updates/important-changes#snowflake-keypair-refresh)
 1.20.0 | 1.20.1 | **Yes**    | All        | [Duplicate LDAP password rotations on standby node check-in](/vault/docs/v1.20.x/updates/important-changes#ldap-checkin)
+1.19.0 | No     | No         | All        | [Writing configuration to local auth mount (ldap, aws, gcp, azure) ignores local flag](/vault/docs/v1.20.x/updates/important-changes#local-auth-known-issue)
diff --git a/content/vault/v1.19.x/content/docs/updates/important-changes.mdx b/content/vault/v1.19.x/content/docs/updates/important-changes.mdx
@@ -467,3 +467,34 @@ due to improper credential refreshes and stale connections in the connection poo
 When two or more concurrent operations occur, Vault tries to reuse an idle
 connection from the pool and the request fails due to session timeout in the
 Snowflake database.
+
+### Writing configuration to local auth mount (ldap, aws, gcp, azure) ignores local flag ((#local-auth-known-issue))
+
+| Change | Affected version | Fixed version |
+| :--- | :--- | :--- |
+| Known issue | 1.19.0 | None |
+
+Vault incorrectly forwards write operations targeting a local authentication
+mounts on a performance replication secondary to the primary cluster for
+processing. Forwarding the request prevents independent configuration of local
+mounts on secondary clusters for the following authentication methods:
+
+- Azure
+- GCP
+- AWS
+- LDAP
+
+Incorrect forwarding leads to two distinct failure modes:
+
+1. If a local auth mount with the same path exists on the primary, Vault
+   incorrectly applies the write operation to the primary node mount.
+
+1. If the auth mount path does not exist on the primary, the secondary cluster
+   panics with a `nil pointer dereference` error and the Vault node crashes.
+
+
+#### Recommendation
+
+Do not attempt to configure local auth mounts on performance replication
+secondaries.
+
diff --git a/content/vault/v1.20.x/content/docs/updates/important-changes.mdx b/content/vault/v1.20.x/content/docs/updates/important-changes.mdx
@@ -348,7 +348,37 @@ then performs a second password update.
 While users still receive the latest password, the secondary update may lead to
 unexpected LDAP activity and cause confusion interpreting audit logs.
 
-### Recommendation
+#### Recommendation
 
 Send check-in requests directly to the active node of the primary cluster to
 prevent duplicate password rotations on the LDAP server.
+
+### Writing configuration to local auth mount (ldap, aws, gcp, azure) ignores local flag ((#local-auth-known-issue))
+
+| Change | Affected version | Fixed version |
+| :--- | :--- | :--- |
+| Known issue | 1.20.0+ | None |
+
+Vault incorrectly forwards write operations targeting a local authentication
+mounts on a performance replication secondary to the primary cluster for
+processing. Forwarding the request prevents independent configuration of local
+mounts on secondary clusters for the following authentication methods:
+
+- Azure
+- GCP
+- AWS
+- LDA
+
+Incorrect forwarding leads to two distinct failure modes:
+
+1. If a local auth mount with the same path exists on the primary, Vault
+   incorrectly applies the write operation to the primary node mount.
+
+1. If the auth mount path does not exist on the primary, the secondary cluster
+   panics with a `nil pointer dereference` error and the Vault node crashes.
+
+#### Recommendation
+
+Do not attempt to configure local auth mounts on performance replication
+secondaries.
+
