Authentication to realm ldap failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), diagnosticMessage='80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v4563', ldapSDKVersion=4.0.8, revision=28812))
I've verified the account I have in the elasticsearch.yml for accessing ldap does work in another ldap browser. Also verified the accounts I'm signing in with work as well in different applications. I did run the elasticsearch-keystore command to update the password for the bind account.
The cert list is the Issuing CA for the DC being used for ldap. It works perfectly on another server I used to do ldaps.
Thx for the suggestions. I had tried that earlier, but got the same error. I tried it again, and changed both entries in the elasticsearch.yml and the role_mappings.yml and added the OU=Users,DC=mydomain,DC=abc but still get the same error. Been literally bashing my head in all day trying to get it to work with either ldap or ldaps. Such a pain. I have another linux server I'm using for SSO that authenticates through the same ldap server using the same cert just fine.
This is my current setup. I had the same error, and the only fix was the OU; try getting it working incrementally, first just the user auth, then the groups and role mapping.
Cool beans. Well I got it authenticating it seems. I guess most of my problem was I was trying to use just the samaccountname or userprincipalname and didn't realize you had to use domain\user.
But now it does sign in, but the user doesn't have permissions to access anything. I get the screen below.
I tried adding the role mappings setting back with the users I wanted to have monitor and user access, but it doesn't seem to be working. Getting this error in the elasticsearch.log
[ERROR][o.e.x.s.a.e.NativeUsersStore] [node-1] security index is unavailable. short circuiting retrieval of user [domain\admin]
[INFO ][o.e.x.s.a.s.m.NativeRoleMappingStore] [node-1] The security index is not yet available - no role mappings can be loaded
BTW thanks for the help, baby steps, but I'm getting there
For the role mapping, you could do it through the UI in Kibana. In our cluster we don't have many users so the role maps are pretty easy; you have to create a role, then the role mapping using the property of your preference for the user. It's very flexible, so you could use the group or OU mapping to get it to work; this is an example:
Would I need to disable my security settings first, then go to this page to add users, then enable security in elasticsearch.yml? Cause with security enabled and ldap setup, the user I sign in with only gets that one page I sent in the last post. It's not letting me access Kibana.
No, just use the elastic built-in user to do the setup, or another local account. Be aware that in your elasticsearch.yml file you need the realm for native authentication (in my example file, it's the native realm with order 0), otherwise the local accounts aren't going to work.
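As an added example (not the configuration posted in this thread, which is not shown), one way to lay out a native realm at order 0 ahead of the LDAP realm, with a file-based role mapping that does not depend on the security index; the host name, bind account, group DNs and certificate path are assumptions:

```yaml
# elasticsearch.yml (excerpt): native realm first so the built-in "elastic"
# user keeps working, LDAP realm second. Host, DNs and paths are assumed.
xpack.security.authc.realms:
  native:
    native1:
      order: 0
  ldap:
    ldap1:
      order: 1
      url: "ldaps://dc1.mydomain.abc:636"
      # Service account used to search for users; its password is not put here.
      # Store it with:
      #   bin/elasticsearch-keystore add xpack.security.authc.realms.ldap.ldap1.secure_bind_password
      bind_dn: "CN=es-bind,OU=Users,DC=mydomain,DC=abc"
      user_search:
        base_dn: "OU=Users,DC=mydomain,DC=abc"
        # Matching on sAMAccountName lets people log in with the bare account
        # name; the default filter (uid={0}) finds nothing in Active Directory.
        filter: "(sAMAccountName={0})"
      group_search:
        base_dn: "DC=mydomain,DC=abc"
      # AD group names never become roles by themselves; only mapped roles apply.
      unmapped_groups_as_roles: false
      # File-based mappings are read from disk, so they still load while the
      # .security index is unavailable (the "no role mappings can be loaded"
      # log line refers to index-backed mappings created via the API/Kibana).
      files:
        role_mapping: "/etc/elasticsearch/role_mapping.yml"
      ssl:
        # Issuing CA of the domain controller, PEM format.
        certificate_authorities: [ "/etc/elasticsearch/certs/issuing-ca.pem" ]
        verification_mode: full
---
# /etc/elasticsearch/role_mapping.yml: built-in role name -> list of DNs
# (user or group DNs). The group DNs are assumed.
kibana_admin:
  - "CN=ES Admins,OU=Groups,DC=mydomain,DC=abc"
monitoring_user:
  - "CN=ES Monitors,OU=Groups,DC=mydomain,DC=abc"
```

Both files are read by Elasticsearch, not Kibana; after changing them, confirm the mapping with a login as an LDAP user and check that the user lands on more than the blank permissions page.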