Can't log in to Kibana on ECK with LDAP

Hello,

We are trying to set up LDAP authentication on our Elasticsearch infra.
We are using ECK (Elastic on Kubernetes).

I think I have a valid configuration; I don't find any errors in the logs.
I even found this in the logs:

{"type": "server", "timestamp": "2021-08-13T10:34:49,126Z", "level": "INFO", "component": "o.e.x.s.a.l.LdapUserSearchSessionFactory", "cluster.name": "elasticsearch", "node.name": "elasticsearch-es-elasticsearch-1", "message": "Realm [ldap1] is in user-search mode - base_dn=[*****], search filter=[(cn={0})]" }

But when I try to log in with my domain account in Kibana, I just receive a

401 [security_exception]: unable to authenticate user [****] for REST request [/_security/_authenticate]

(For information, users created directly in Kibana can authenticate without any problem.)

I already set these cluster settings:

PUT _cluster/settings
{
  "transient" : {
    "logger.org.elasticsearch.xpack.security.authc.ldap" : "TRACE",
    "logger.org.elasticsearch.xpack.security.authz" : "TRACE"
  }
}

I searched the logs and I don't see any interesting line containing the words

  • ldap
  • error
  • warn
  • AuthenticationService

Here is the YAML that configures LDAP:

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: elasticsearch
spec:
  version: 7.13.1
  secureSettings:
  - secretName: elasticsearch-ldap-credentials
    entries:
    - key: xpack.security.authc.realms.ldap.ldap1.secure_bind_password
  nodeSets:
  - name: elasticsearch
    count: 2
    config:
      node.store.allow_mmap: false
      path.repo: /snapshots/eck
      http.cors.enabled: true
      http.cors.allow-origin: "*"
      xpack.monitoring.collection.enabled: true 
      xpack.security.authc:
        anonymous:
          roles: 
          - ****
          authz_exception: true 
        realms:
          ldap:
            ldap1:
              order: 0
              url: "ldap://****:389"
              bind_dn: "CN=****, OU=****, DC=****, DC=****"
              user_search:
                base_dn: "OU=****, DC=****, DC=****"
                filter: "(cn={0})"
              group_search:
                base_dn: "OU=****, OU=****, DC=****, DC=****"
              files:
                role_mapping: "role_mapping.yml"
              unmapped_groups_as_roles: false
    podTemplate:
      metadata:
        labels:
          stack-monitoring.elastic.co/type: es
        annotations:
          co.elastic.logs/enabled: "true"
      spec:
        containers:
        - name: elasticsearch
          volumeMounts:
          - name: role-mapping
            mountPath: /usr/share/elasticsearch/config/role_mapping.yml
            subPath: role_mapping.yml
          - name: eck-snapshots
            mountPath: /snapshots/eck
        volumes:
        - name: role-mapping
          configMap:
            name: role-mapping
        - name: eck-snapshots
          nfs:
            server: ****
            path: ****
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 5Gi
        storageClassName: eck-nfs

Here is the content of role_mapping.yml (I kept it very simple for the moment):

# Role mapping configuration file which has elasticsearch roles as keys
# that map to one or more user or group distinguished names

#roleA:   this is an elasticsearch role
#  - groupA-DN  this is a group distinguished name
#  - groupB-DN
#  - user1-DN   this is the full user distinguished name

#power_user:
#  - "cn=admins,dc=example,dc=com"
#user:
#  - "cn=users,dc=example,dc=com"
#  - "cn=admins,dc=example,dc=com"
#  - "cn=John Doe,cn=other users,dc=example,dc=com"


User:
 - "OU=****, DC=***, DC=***"

Any idea will be much appreciated :stuck_out_tongue:

I moved this to the Elastic Stack: Elasticsearch forum. The Elastic Security forum is for the Elastic security product (Endpoint Protection, SIEM, Threat Hunting, XDR).

What license are you using? LDAP is a paid feature, so to use it on ECK you will need the Enterprise license type.

If you are on a Basic (free) license, you should see a message like this in your logs:

Authentication failed using realms [reserved, default_file,default_native].
Realms [ldap1] were skipped because they are not permitted on the current license
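Since the thread turns on finding realm and license messages in Elasticsearch's JSON logs (the log line quoted in the question and the license-skip message quoted in the reply above), here is an added Python triage script that parses that JSON log layout, records which realms are mentioned, and flags realms skipped for licensing. It is not code from the thread or from Elastic, and the log lines it runs over are constructed samples.

```python
import json
import re

# Constructed sample lines in Elasticsearch's JSON log layout (not real log data):
# a user-search realm startup line, a license-skip message of the kind quoted in
# the reply above, an unrelated line, and a non-JSON line such as a stack trace.
SAMPLE_LOG = """\
{"type": "server", "timestamp": "2021-08-13T10:34:49,126Z", "level": "INFO", "component": "o.e.x.s.a.l.LdapUserSearchSessionFactory", "cluster.name": "elasticsearch", "node.name": "es-1", "message": "Realm [ldap1] is in user-search mode - base_dn=[OU=people,DC=example,DC=com], search filter=[(cn={0})]" }
{"type": "server", "timestamp": "2021-08-13T10:35:02,001Z", "level": "DEBUG", "component": "o.e.x.s.a.AuthenticationService", "cluster.name": "elasticsearch", "node.name": "es-1", "message": "Authentication failed using realms [reserved, default_file,default_native]. Realms [ldap1] were skipped because they are not permitted on the current license" }
{"type": "server", "timestamp": "2021-08-13T10:35:02,002Z", "level": "INFO", "component": "o.e.c.s.ClusterApplierService", "cluster.name": "elasticsearch", "node.name": "es-1", "message": "applied cluster state" }
java.lang.IllegalStateException: not a JSON line, skipped by the parser
"""

# Any "Realm [x]" / "realms [a, b]" reference, and the specific license-skip message.
REALM_RE = re.compile(r"realms? \[([^\]]+)\]", re.IGNORECASE)
SKIPPED_RE = re.compile(r"Realms \[([^\]]+)\] were skipped because they are not permitted")

def parse_lines(text):
    """Yield one dict per JSON log line; non-JSON lines are ignored."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue

def triage(text):
    """Summarise security-authc activity in an Elasticsearch JSON log."""
    f = {"realms_seen": set(), "license_skipped": set(),
         "auth_failures": [], "authc_events": 0}
    for rec in parse_lines(text):
        comp, msg = rec.get("component", ""), rec.get("message", "")
        if ".x.s.a." in comp:  # o.e.x.s.a.* = xpack security authc loggers
            f["authc_events"] += 1
        for m in REALM_RE.finditer(msg):
            f["realms_seen"].update(r.strip() for r in m.group(1).split(","))
        m = SKIPPED_RE.search(msg)
        if m:
            f["license_skipped"].update(r.strip() for r in m.group(1).split(","))
        if "Authentication failed" in msg:
            f["auth_failures"].append((rec.get("timestamp"), rec.get("node.name"), msg))
    return f

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Pipe a node's log (for example from `kubectl logs`) into `triage` instead of `SAMPLE_LOG`; a realm listed under `license_skipped` but absent from `auth_failures` realm lists is the licensing situation the reply describes.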

Hello, we paid for the subscription. Here is the status:

{
	"eck_license_level": "enterprise",
	"enterprise_resource_units": "1",
	"max_enterprise_resource_units": "1",
	"timestamp": " * ",
	"total_managed_memory": "*GB"
}

I think this is going to be easier if you raise a case with support.

I can try and help you here, but if you go through support then you can provide your full log files without worrying about confidentiality issues. It will be much easier to diagnose this if we can see all your information quickly.

If you want to solve this here, then I'll need to see messages from your logs - please post any messages from the AuthenticationService.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.