Hi, Community.
Here is elasticsearch.yml:
```yaml
shield.authc.realms.esusers.type: esusers
shield.authc.realms.esusers.order: 0
shield.authc.realms.esusers.enabled: true

shield.authc.realms.active_directory1.type: active_directory
shield.authc.realms.active_directory1.order: 1
shield.authc.realms.active_directory1.domain_name: ad_hostname1
shield.authc.realms.active_directory1.url: ldaps://ad_hostname1:636
shield.authc.realms.active_directory1.enabled: true
shield.authc.realms.active_directory1.hostname_verification: false

shield.authc.realms.active_directory2.type: active_directory
shield.authc.realms.active_directory2.order: 2
shield.authc.realms.active_directory2.domain_name: ad_hostname2
shield.authc.realms.active_directory2.url: ldaps://ad_hostname2:636
shield.authc.realms.active_directory2.enabled: true
shield.authc.realms.active_directory2.hostname_verification: false

shield.ssl.keystore.path: /elasticsearch/config/shield/node01.jks
shield.ssl.keystore.password: 123abc
shield.ssl.keystore.key_password: 123abc
```
Here is role_mapping.yml:
```yaml
user:
  - "cn=elastic,ou=Service,ou=users,ou=xxxx,dc=yyyy,dc=zzzz,dc=vvvv"
```
Here is roles.yml:
```yaml
user:
  indices:
    'logstash*':
      privileges: read
```
When I try to authorize in ES (when checking cluster availability, for example), I get the following error:
```
[2016-01-06 04:46:51,361][WARN ][shield.authc.activedirectory] [elastic_host1] authentication failed for user [elastic]: unable to authenticate user [elastic] to active directory domain [ad_hostname1] cause: com.unboundid.ldap.sdk.LDAPException: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
[2016-01-06 04:46:51,374][WARN ][shield.authc.activedirectory] [elastic_host1] authentication failed for user [elastic]: unable to authenticate user [elastic] to active directory domain [ad_hostname2] cause: com.unboundid.ldap.sdk.LDAPException: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
```
Keystore was created as per https://www.elastic.co/guide/en/shield/current/active-directory.html#active-directory-ssl
Any thoughts on why it is unable to authenticate the user?
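As an added example (not part of the original post or of Shield itself), here is a small triage script that parses Shield's `shield.authc.activedirectory` warning lines like the ones above and translates the Active Directory `AcceptSecurityContext ... data <code>` sub-code, so that a failure like `data 525` (user not found) can be told apart from a bad password or a locked account; the `AD_BIND_CODES` table and the third, `52e` log line are assumptions constructed for the example.

```python
import re
from collections import Counter

# Well-known AD bind failure sub-codes that follow "AcceptSecurityContext error, data <hex>".
AD_BIND_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the Shield 2.x warning format shown in the question.
LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\]\[WARN *\]\[shield\.authc\.activedirectory\] "
    r"\[(?P<node>[^\]]+)\] authentication failed for user \[(?P<user>[^\]]+)\].*?"
    r"to active directory domain \[(?P<domain>[^\]]+)\].*?"
    r"AcceptSecurityContext error, data (?P<code>[0-9a-fA-F]+)"
)

def parse_ad_failures(lines):
    """Return one dict per matching AD failure line, with the sub-code translated."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an AD authentication failure; skip it
        code = m.group("code").lower()
        events.append({"timestamp": m.group("ts"), "node": m.group("node"),
                       "user": m.group("user"), "domain": m.group("domain"),
                       "code": code, "meaning": AD_BIND_CODES.get(code, "unknown sub-code")})
    return events

def summarize(events):
    """Count failures per (user, sub-code): the same 525 from every realm points at the
    realm/identity configuration, while a burst of 52e for one user is a detection signal."""
    return Counter((e["user"], e["code"]) for e in events)

# Sample input: the two lines from the question plus one constructed 52e line.
SAMPLE_LOG = [
    "[2016-01-06 04:46:51,361][WARN ][shield.authc.activedirectory] [elastic_host1] authentication failed for user [elastic]: unable to authenticate user [elastic] to active directory domain [ad_hostname1] cause: com.unboundid.ldap.sdk.LDAPException: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772",
    "[2016-01-06 04:46:51,374][WARN ][shield.authc.activedirectory] [elastic_host1] authentication failed for user [elastic]: unable to authenticate user [elastic] to active directory domain [ad_hostname2] cause: com.unboundid.ldap.sdk.LDAPException: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772",
    "[2016-01-06 04:50:00,000][WARN ][shield.authc.activedirectory] [elastic_host1] authentication failed for user [elastic]: unable to authenticate user [elastic] to active directory domain [ad_hostname1] cause: com.unboundid.ldap.sdk.LDAPException: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772",
]
```

Run `parse_ad_failures(SAMPLE_LOG)` against the node's log to see that both realms return `525` for the same bind, which is the user lookup failing rather than the password being rejected.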