Be Careful With 7.11.0 Update If You Use LDAP With Realms

About an hour ago, I tried updating my on prem 7.10.2 dev cluster (RHEL 8, 15 nodes) to 7.11.0.

On the first node I ran yum update on, when I restarted Elasticsearch, it failed. I looked at journalctl and saw errors related to LDAP. Doing some searching led me to the following discussion on Elastic's GitHub: Fix permissions for UnboundID LDAP SDK by jasontedor · Pull Request #68872 · elastic/elasticsearch · GitHub .

I wanted to surface this issue for anyone else in the community who uses LDAP with realms for authentication and is considering an upgrade to 7.11.0. It looks like we need to wait for 7.11.1.

Very true sadly.

The download page says:

We have identified a bug that will affect deployments on ECE, ECK, or any stand-alone deployment with LDAP or Active Directory configured.

Deployments with an LDAP or Active Directory realm for authentication configured and upgraded to 7.11.0, in addition to new 7.11.0 deployments in which you configure an LDAP, or Active Directory realm will see all nodes fail to start. If when starting Elasticsearch you see an error message containing "Could not initialize class com.unboundid.util.Debug" then you are impacted by issue.

As mentioned, we have identified the issue, committed the fix, and are currently working on getting the next version released. In the meantime, do not upgrade to 7.11.0 if you have LDAP or Active Directory configured in your deployment.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.