Can't get AD ldap to work

Keep getting this error in the elasticsearch.log.

Authentication to realm ldap failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), diagnosticMessage='80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v4563', ldapSDKVersion=4.0.8, revision=28812))

I've verified the account I have in the elasticsearch.yml for access ldap does work in another ldap browser. Also verified the accounts I'm signing into works as well in different applications. I did run the elasticsearch-keystore command to update the password for the bind account.

The cert list is the Issuing CA for the DC being used for ldap. It works perfectly on another server I used to do ldaps.

Below is my elasticsearch.yml

```yaml
xpack.security.enabled: true
xpack:
  security:
    authc:
      realms:
        active_directory:
          ldap:
            order: 0
            domain_name: mydomain.abc
            url: "ldaps://dc.mydomain.abc:636"
            bind_dn: "CN=ldapAccount,OU=Users,DC=mydomain,DC=abc"
            user_search:
              base_dn: "DC=mydomain,DC=abc"
              filter: "(sAMAccountName={0})"
              upn_filter: "(&(objectClass=user)(sAMAccountName={0}))"
            group_search:
              base_dn: "DC=mydomain,DC=abc"
            ssl:
              certificate_authorities: ["tls/CA_Cert.cer"]
            files:
              role_mapping: "role_mappings.yml"
            unmapped_groups_as_roles: false
```

Below is my role_mappings.yml.
```yaml
monitoring:
  - "cn=elkadmins,dc=mydomain,dc=abc"
user:
  - "cn=elkusers,dc=mydomain,dc=abc"
  - "cn=elkadmins,dc=mydomain,dc=abc"
```

Appreciate any help or clues as to what may be wrong.
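The `data 52e` fragment inside the `diagnosticMessage` is Active Directory's own sub-code for why the bind was rejected, and it is more specific than the generic LDAP `resultCode=49`. The following is an added example (not code from this thread or from Elastic): a small Python triage helper that pulls the result code and AD sub-code out of `elasticsearch.log` lines from the LDAP/AD realm and explains them, so a disabled or locked account is not mistaken for a typo. The sub-code meanings are the ones Microsoft documents for AcceptSecurityContext errors; the sample log lines other than the one quoted above are constructed for the example.

```python
import re

# Well-known AD "data" sub-codes that accompany LDAP resultCode 49.
# Meanings follow Microsoft's documentation of AcceptSecurityContext errors.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or a user name AD would not accept)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Shape of the LDAPException text that the Elasticsearch LDAP/AD realm logs.
_LDAP_ERR = re.compile(
    r"resultCode=(?P<code>\d+) \((?P<name>[^)]*)\).*?"
    r"diagnosticMessage='(?P<diag>[^']*)'"
)
_AD_DATA = re.compile(r"\bdata (?P<sub>[0-9a-fA-F]+)\b")


def classify_bind_failure(log_line: str):
    """Return (resultCode, ad_subcode, explanation) for a realm
    authentication failure line, or None if the line is not one."""
    m = _LDAP_ERR.search(log_line)
    if not m:
        return None
    code = int(m.group("code"))
    d = _AD_DATA.search(m.group("diag"))
    sub = d.group("sub").lower() if d else None
    if code == 49:
        explanation = AD_BIND_SUBCODES.get(sub, "invalid credentials (unknown AD sub-code)")
    else:
        explanation = f"LDAP result {code} ({m.group('name')})"
    return code, sub, explanation


def summarize(lines):
    """Count failure lines by explanation; useful over a whole log file."""
    counts = {}
    for line in lines:
        r = classify_bind_failure(line)
        if r:
            counts[r[2]] = counts.get(r[2], 0) + 1
    return counts


# Constructed sample: the first line is the one quoted in this thread,
# the rest are made up to show other outcomes.
SAMPLE_LOG = [
    "Authentication to realm ldap failed - authenticate failed (Caused by LDAPException("
    "resultCode=49 (invalid credentials), diagnosticMessage='80090308: LdapErr: DSID-0C090446, "
    "comment: AcceptSecurityContext error, data 52e, v4563', ldapSDKVersion=4.0.8, revision=28812))",
    "Authentication to realm ldap failed - authenticate failed (Caused by LDAPException("
    "resultCode=49 (invalid credentials), diagnosticMessage='80090308: LdapErr: DSID-0C090446, "
    "comment: AcceptSecurityContext error, data 533, v4563', ldapSDKVersion=4.0.8, revision=28812))",
    "Authentication to realm ldap failed - authenticate failed (Caused by LDAPException("
    "resultCode=32 (no such object), diagnosticMessage='0000208D: NameErr: DSID-03100238, "
    "problem 2001 (NO_OBJECT), data 0', ldapSDKVersion=4.0.8, revision=28812))",
    "[INFO ][o.e.n.Node] [node-1] started",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify_bind_failure(line))
    print(summarize(SAMPLE_LOG))
```

Run it against the realm's failures from `elasticsearch.log` (one line per call to `classify_bind_failure`); a run of `52e` for a single user after the bind account itself works, as in this thread, points at the user name form rather than at the bind account or the certificate.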

Try to specify the OU in the base_dn for the user search

"OU=Myusers,DC=mydomain,DC=abc"

Thanks for the suggestions. I had tried that earlier, but got the same error. I tried it again, changed both entries in the elasticsearch.yml and the role_mappings.yml and added `OU=Users,DC=mydomain,DC=abc`, but still get the same error. :frowning: Been literally bashing my head in all day trying to get it to work with either ldap or ldaps. Such a pain. I have another Linux server I'm using for SSO that authenticates through the same ldap server using the same cert just fine.

This is my current setup. I had the same error, and the only fix was the OU; try building it up incrementally: first just the user auth, then the groups and role mapping.

```yaml
xpack:
  security:
    authc:
      realms:
        native:
          es_native:
            order: 0
        active_directory:
          my_ad:
            order: 1
            domain_name: my.dc
            url: ldap://10.10.1.100:389
            user_search:
              base_dn: "OU=MyUserOU,DC=my,DC=dc"
            bind_dn: elasticservice@my.dc
```

I tried with ldap instead of ad, and a DN for the account, but neither was successful; this config was the only one that really worked.

Ok should "my_ad" be exactly that? If not assume my AD domain tree is "domain.com".

Not really, it's just the name for the realm; when you store the password in the keystore you reference the property with that name.

Cool beans. Well, I got it authenticating, it seems. I guess most of my problem was that I was trying to use just the sAMAccountName or userPrincipalName and didn't realize you had to use domain\user.

It does sign in now, but the user doesn't have permissions to access anything. I get the screen below.

I tried adding the role mappings setting back with the users I wanted to have monitor and user access, but it doesn't seem to be working. Getting this error in the elasticsearch.log:

[ERROR][o.e.x.s.a.e.NativeUsersStore] [node-1] security index is unavailable. short circuiting retrieval of user [domain\admin]
[INFO ][o.e.x.s.a.s.m.NativeRoleMappingStore] [node-1] The security index is not yet available - no role mappings can be loaded

BTW thanks for the help, baby steps, but I'm getting there :slight_smile:

For the role mapping, you could do it through the UI in Kibana. In our cluster we don't have many users, so the role maps are pretty easy: you have to create a role, then the role mapping using the user property of your preference. It's very flexible, so you could use the group or OU mapping to get it to work; this is an example:

Would I need to disable my security settings first, then go to this page to add users, then enable security in elasticsearch.yml? Because with security enabled and ldap set up, the user I sign in with only gets that one page I sent in the last post. It's not letting me access Kibana.

No, just use the elastic built-in user or another local account to do the setup. Be aware that in your elasticsearch.yml file you need the realm for native authentication (in my example file, it's the native realm with order 0), otherwise the local accounts aren't going to work.
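Two things in this thread come down to DN scope: the fix of putting the users' OU into `user_search.base_dn`, and the role_mappings.yml groups that must lie under `group_search.base_dn` or the realm will never find them (and `unmapped_groups_as_roles: false` then leaves the user with no roles). The following is an added example, not code from this thread or from Elastic: a Python check that normalizes DNs (case-insensitive, handles escaped commas) and reports which mapped group DNs fall outside a given group search base. The role mappings are the ones posted above; the narrower `OU=Groups` base is a constructed value used to show the failure mode.

```python
def parse_dn(dn: str):
    """Split an LDAP DN into [(attr, value), ...] from leaf to root.
    Handles backslash-escaped commas; multi-valued RDNs (a+b) are not handled."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr, _, val = rdn.partition("=")
        # AD matches attribute types and most values case-insensitively.
        out.append((attr.strip().lower(), val.strip().lower()))
    return out


def dn_in_scope(dn: str, base_dn: str) -> bool:
    """True if dn is base_dn itself or lies anywhere in its subtree,
    which is what a subtree search rooted at base_dn can return."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def check_role_mappings(role_mappings: dict, group_base_dn: str) -> list:
    """Return (role, dn) pairs whose group DN is outside group_search.base_dn,
    i.e. groups the realm can never resolve and therefore never map."""
    problems = []
    for role, dns in role_mappings.items():
        for dn in dns:
            if not dn_in_scope(dn, group_base_dn):
                problems.append((role, dn))
    return problems


# The role_mappings.yml content from this thread, as a dict.
ROLE_MAPPINGS = {
    "monitoring": ["cn=elkadmins,dc=mydomain,dc=abc"],
    "user": ["cn=elkusers,dc=mydomain,dc=abc", "cn=elkadmins,dc=mydomain,dc=abc"],
}

if __name__ == "__main__":
    # Users live under OU=Users; the bind account from the thread is in scope there.
    print(dn_in_scope("CN=ldapAccount,OU=Users,DC=mydomain,DC=abc",
                      "OU=Users,DC=mydomain,DC=abc"))
    # Domain-root base: every mapped group is findable.
    print(check_role_mappings(ROLE_MAPPINGS, "DC=mydomain,DC=abc"))
    # Constructed narrower base: groups at the domain root are now unreachable.
    print(check_role_mappings(ROLE_MAPPINGS, "OU=Groups,DC=mydomain,DC=abc"))
```

The practical use is the incremental approach suggested above: once a user authenticates, run the mapped group DNs through `check_role_mappings` with the realm's actual `group_search.base_dn` before looking anywhere else for why roles are empty.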
