Authentication against Active Directory (referral error)

Hello, I am using the following config to connect to Active Directory, but I am getting a referral error. Any ideas what is wrong with my configuration?

I am getting the following error:

Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=10 (referral), errorMessage='0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'example.com'
', referralURLs={'ldap://example.com/DC=example,DC=com'}))

The configuration that I am using is the following:

xpack:
  security:
    authc:
      realms:
        active_directory:
          type: active_directory
          order: 0
          domain_name: example.com
          url: "ldap://1.2.3.4:389"
          files:
            role_mapping: "/usr/share/elasticsearch/config/role_mapping.yml"
          unmapped_groups_as_roles: true
          follow_referrals: false

When I try with a real username and password, I am getting the following error:

Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=10 (referral), errorMessage='0000202B: RefErr: DSID-0310082F, data 0, 1 access points
 ref 1: 'example.com'
', referralURLs={'ldap://example.com/DC=example,DC=com'}))

I also tried with a false password; then I am getting the following error:

Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', diagnosticMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580'))

Using ldapsearch is not a problem with the right username/password:

ldapsearch -x -h 10.230.250.14 -p 389 -D "john@example.com" -w 'johnspassword' -b "CN=john,OU=EXAMPLE-TS IDs,OU=EXAMPLEResourceIDs,DC=examplegrp,DC=corp,DC=pri" cn mail sn userPrincipalName sAMAccountName
# extended LDIF
#
# LDAPv3
# base <CN=john,OU=EXAMPLE-TS IDs,OU=EXAMPLEResourceIDs,DC=examplegrp,DC=corp,DC=pri> with scope subtree
# filter: (objectclass=*)
# requesting: cn mail sn userPrincipalName sAMAccountName 
#

# john, EXAMPLE-TS IDs, EXAMPLEResourceIDs, examplegrp.corp.pri
dn: CN=john,OU=EXAMPLE-TS IDs,OU=EXAMPLEResourceIDs,DC=examplegrp,DC=corp,DC=pri
cn: john
sAMAccountName: john
userPrincipalName: john@example.com
mail: john@example.com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I also tried with
follow_referals: true
The same error appears.

What version of Elasticsearch?

Elastic 6.5
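
An added example, not part of the original thread: it compares the base DN implied by `domain_name: example.com` (the same DC=example,DC=com that appears in the referral URL) with the naming context of the DN that ldapsearch returned. It assumes the realm derives its default search base from `domain_name`; the function names are hypothetical and the inputs are copied from the posts above.

```python
import re

# Inputs copied from the posts above (values as redacted by the poster).
DOMAIN_NAME = "example.com"
ERROR = ("LDAPException(resultCode=10 (referral), errorMessage='0000202B: RefErr: "
         "DSID-0310082F, data 0, 1 access points\nref 1: 'example.com'\n', "
         "referralURLs={'ldap://example.com/DC=example,DC=com'})")
USER_DN = ("CN=john,OU=EXAMPLE-TS IDs,OU=EXAMPLEResourceIDs,"
           "DC=examplegrp,DC=corp,DC=pri")


def domain_to_base_dn(domain):
    """example.com -> DC=example,DC=com (assumed default search base)."""
    return ",".join("DC=" + label for label in domain.split("."))


def naming_context(dn):
    """Return the DC= components of a DN, i.e. the domain it lives in."""
    rdns = re.split(r"(?<!\\),", dn)  # split on unescaped commas only
    return ",".join(r.strip() for r in rdns
                    if r.strip().upper().startswith("DC="))


def referral_base_dns(error_text):
    """Extract the DN part of every ldap:// or ldaps:// referral URL."""
    return re.findall(r"ldaps?://[^/'\s]*/([^'}?]+)", error_text)


def diagnose(domain_name, error_text, user_dn):
    derived = domain_to_base_dn(domain_name)
    actual = naming_context(user_dn)
    referred = referral_base_dns(error_text)
    return {
        "derived_base_dn": derived,
        "referral_base_dns": referred,
        "directory_naming_context": actual,
        # True: the server was asked about a base DN it does not host.
        "base_dn_mismatch": derived.lower() != actual.lower(),
        # True: the referral is for exactly the base DN derived from domain_name.
        "referral_matches_derived": any(r.lower() == derived.lower()
                                        for r in referred),
    }


if __name__ == "__main__":
    for key, value in diagnose(DOMAIN_NAME, ERROR, USER_DN).items():
        print(f"{key}: {value}")
```

When `base_dn_mismatch` is true, the realm's `user_search.base_dn` and `group_search.base_dn` settings are where a search base matching the directory's actual naming context can be set explicitly.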
