From f18801693b6c04bb7aa471a18ebb84edd117af6c Mon Sep 17 00:00:00 2001
From: Michael Blaum <96261585+hashiblaum@users.noreply.github.com>
Date: Tue, 7 Jan 2025 16:51:15 -0500
Subject: [PATCH] Vault 27392 log ldap warning - remove from warning from response (#29134) * log ldap warnings instead of returning them to end user * add cl * code review * Update changelog/29134.txt Co-authored-by: John-Michael Faircloth * Update changelog/29134.txt Co-authored-by: John-Michael Faircloth * fix test --------- Co-authored-by: John-Michael Faircloth
---
builtin/credential/ldap/backend.go | 2 --
builtin/credential/ldap/backend_test.go | 4 ++--
changelog/29134.txt | 3 +++
3 files changed, 5 insertions(+), 4 deletions(-)
create mode 100644 changelog/29134.txt
diff --git a/builtin/credential/ldap/backend.go b/builtin/credential/ldap/backend.go
index 6993eb06fc..9bdb6f5673 100644
--- a/builtin/credential/ldap/backend.go
+++ b/builtin/credential/ldap/backend.go
@@ -121,14 +121,12 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri
if b.Logger().IsDebug() {
b.Logger().Debug(errString)
}
- ldapResponse.AddWarning(errString)
}
for _, warning := range c.Warnings {
if b.Logger().IsDebug() {
b.Logger().Debug(string(warning))
}
- ldapResponse.AddWarning(string(warning))
}
var allGroups []string
diff --git a/builtin/credential/ldap/backend_test.go b/builtin/credential/ldap/backend_test.go
index c791cb4cf7..c1b84c82a9 100644
--- a/builtin/credential/ldap/backend_test.go
+++ b/builtin/credential/ldap/backend_test.go
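Review bot: With the two `AddWarning` calls removed, the no-groups message and every entry of `c.Warnings` are emitted only inside `if b.Logger().IsDebug()`, so at a default log level nothing records that a login succeeded with degraded group resolution. Keeping these details out of the client response is reasonable, but operators lose the only signal of a misconfigured or partially failing directory lookup. Consider logging them unconditionally at a higher level, e.g. `b.Logger().Warn("ldap login warning", "warning", string(warning))`, or, if debug-only is intended, say so with a comment such as `// Deliberately debug-only: these warnings are no longer returned to the client.` How `errString` is built and whether `ldapResponse` is still needed cannot be judged here, since `Login` begins and ends outside the hunk.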
@@ -1183,8 +1183,8 @@ func testAccStepLoginNoGroupDN(t *testing.T, user string, pass string) logicalte
// Verifies a search without defined GroupDN returns a warning rather than failing
Check: func(resp *logical.Response) error {
- if len(resp.Warnings) != 1 {
- return fmt.Errorf("expected a warning due to no group dn, got: %#v", resp.Warnings)
+ if len(resp.Warnings) != 0 {
+ return fmt.Errorf("expected a no warnings, got: %#v", resp.Warnings)
}
return logicaltest.TestCheckAuth([]string{"bar", "default"})(resp)
diff --git a/changelog/29134.txt b/changelog/29134.txt
new file mode 100644
index 0000000000..8fd4ca62e0
--- /dev/null
+++ b/changelog/29134.txt
@@ -0,0 +1,3 @@
+```release-note:change
+auth/ldap: No longer return authentication warnings to client.
+```
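Review bot: The context comment above `Check` still says the search "returns a warning rather than failing", which now contradicts the assertion that `resp.Warnings` is empty. Update it to something like `// Verifies a search without defined GroupDN succeeds and returns no warnings to the client`. The new failure message also has a stray article; `"expected no warnings, got: %#v"` reads correctly. The test now only proves the warning is absent from the response, so nothing visible here checks that it still reaches the log. `testAccStepLoginNoGroupDN` starts and ends outside the hunk.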