Authentication to realm ldap1 failed - authenticate failed

Hello All,
I am trying to configure the LDAP realm in my Elasticsearch using the document on the Elastic site and am having an issue. I am getting an invalid user name and password message on the Kibana GUI.
My LDAP settings in the elasticsearch.yml file are:

xpack:
  security:
    authc:
      realms:
        ldap:
          ldap1:
            metadata: cn
            order: 0
            url: "ldap://1.2.3.4:389"
            bind_dn: "CN=serviceaccountES,OU=Service,OU=Accounts,DC=ad,DC=ad1,DC=com"
            user_search:
              base_dn: "OU=Employees,OU=Users,DC=ad,DC=ad1,DC=com"
              filter: "(cn={0})"
            group_search:
              base_dn: "OU=Groups,DC=ad,DC=ad1,DC=com"
            files:
              role_mapping: "/etc/elasticsearch/role_mapping.yml"
            unmapped_groups_as_roles: false

My role_mapping file looks like:

cat /etc/elasticsearch/role_mapping.yml
# Role mapping configuration file which has elasticsearch roles as keys
# that map to one or more user or group distinguished names

#roleA:   this is an elasticsearch role
#  - groupA-DN  this is a group distinguished name
#  - groupB-DN
#  - user1-DN   this is the full user distinguished name

superuser:
 - "cn=elasticsearch_admin,ou=groups,dc=ad,dc=ad1,dc=com"
#user:
#  - "cn=users,dc=example,dc=com"
#  - "cn=admins,dc=example,dc=com"

My elasticsearch.log file gives the following error:

[2021-04-21T20:55:39,695][WARN ][o.e.x.s.a.AuthenticationService] [ELKServer01] Authentication to realm ldap1 failed - authenticate failed (Caused by LDAPException(resultCode=32 (no such object), errorMessage='0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
        'DC=ad,DC=ad1,DC=com'
', matchedDN='DC=ad,DC=ad1,DC=com', ldapSDKVersion=4.0.8, revision=28812))

I am not able to find anything related to the error message I am getting. Can someone please help me out on this?

Thank you.

Judging by the error, one of

              base_dn: "OU=Employees,OU=Users,DC=ad,DC=ad1,DC=com"
              base_dn: "OU=Groups,DC=ad,DC=ad1,DC=com"

is wrong. Do these organizational units exist in your LDAP server?

Also, it looks like you are connecting to an Active Directory; you would be better off using our Active Directory realm instead of the LDAP realm, unless you have a very specific reason not to.

Hello ikakavas,
Yes, these OUs do exist in my LDAP server. I double-checked and it's all there. Yes, this is an Active Directory and I tried using the AD realm, but it was giving me a different error. Let me try again and tell you the exact error I got with it.

I was able to configure the LDAP realm, actually. It was always working. I was using sAMAccountName to log in instead of CN. Once I changed that, my LDAP config started working.
Thank you.
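As an added example (not code from the thread or from Elastic), the Python below shows the two checks a reader of this thread would want: it parses a resultCode=32 (noSuchObject) line like the one quoted above and reports, for each configured base_dn, which RDNs lie below the server's matchedDN and therefore could not be found; and it substitutes a login name into the realm's user_search.filter placeholder {0} with RFC 4515 escaping, which makes visible why (cn={0}) only matches when the login is the CN rather than the sAMAccountName. The log line is constructed from the one posted, the base DNs are the two from the posted elasticsearch.yml, and the function names are my own.

```python
import re

# Constructed log line, modelled on the one quoted in the thread (realm and DNs as posted).
LOG_LINE = (
    "[2021-04-21T20:55:39,695][WARN ][o.e.x.s.a.AuthenticationService] [ELKServer01] "
    "Authentication to realm ldap1 failed - authenticate failed (Caused by LDAPException("
    "resultCode=32 (no such object), errorMessage='0000208D: NameErr: DSID-03100238, "
    "problem 2001 (NO_OBJECT), data 0, best match of: 'DC=ad,DC=ad1,DC=com' ', "
    "matchedDN='DC=ad,DC=ad1,DC=com', ldapSDKVersion=4.0.8, revision=28812))"
)

BASE_DNS = {  # the two search bases from the posted elasticsearch.yml
    "user_search.base_dn": "OU=Employees,OU=Users,DC=ad,DC=ad1,DC=com",
    "group_search.base_dn": "OU=Groups,DC=ad,DC=ad1,DC=com",
}

def parse_no_such_object(line):
    """Return (realm, matchedDN) for a resultCode=32 (noSuchObject) failure, else None."""
    m = re.search(r"realm (\S+) failed.*resultCode=32 .*matchedDN='([^']*)'", line)
    return (m.group(1), m.group(2)) if m else None

def split_dn(dn):
    # Simplified RDN split (no escaped commas); lower-cased so DC=ad and dc=ad compare equal.
    return [rdn.strip().lower() for rdn in dn.split(",")]

def unresolved_rdns(base_dn, matched_dn):
    """RDNs of base_dn below matchedDN: the entries the directory could not find."""
    base = split_dn(base_dn)
    if not matched_dn:
        return base
    matched = split_dn(matched_dn)
    if base[-len(matched):] != matched:
        return base  # matchedDN is not a suffix of this base at all
    return base[:-len(matched)]

def diagnose(line, base_dns):
    """Map each configured base_dn to the RDNs that do not exist under the returned matchedDN."""
    parsed = parse_no_such_object(line)
    if parsed is None:
        return {}
    return {name: unresolved_rdns(dn, parsed[1]) for name, dn in base_dns.items()}

# RFC 4515 escaping for the value substituted into the realm's user_search.filter placeholder {0}.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
def render_filter(template, login):
    """Substitute the login name into the filter; (cn={0}) matches on CN, not sAMAccountName."""
    return template.replace("{0}", "".join(_ESCAPES.get(ch, ch) for ch in login))

if __name__ == "__main__":
    for name, missing in diagnose(LOG_LINE, BASE_DNS).items():
        print(f"{name}: not found below matchedDN -> {','.join(missing) or '(exists)'}")
    print(render_filter("(cn={0})", "jdoe"), render_filter("(sAMAccountName={0})", "jdoe"))
```

Because the realm logs a single failure for the whole authentication attempt, both bases are reported as candidates; the OUs listed for each are what to verify in the directory.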
