Configuring LDAP with Elasticsearch 6.2.3

Hi there,

I am trying to build infrastructure for Elastic. I was able to set up Elasticsearch and Kibana with X-Pack. I am facing an issue while configuring LDAP, and here is what I have done so far.

Step 1 -
Used openssl to download the LDAP cert and added it to the Java cacerts (the JDK Elastic is using; in this case it's OpenJDK, the path is /bin/java and the version is openjdk version "1.8.0_161").

Step 2 - Ran this command to create CA cert.
elasticsearch-6.2.3/bin/x-pack/certgen --dn 'CN=rnd elastic server' --pass --days 3650 --keysize 4096 --out elk_ca/ELK_CA.zip

Step 3 - Unzipped this file and placed the files in the Elasticsearch config/certs dir.

Step 4 - configure elasticsearch.yml as follows.

xpack.ssl.key: certs/rnd.key
xpack.ssl.certificate: certs/rnd.crt
xpack.ssl.certificate_authorities: certs/ca.crt
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.ssl.verification_mode: certificate

#------------------------------------X PACK LDAP-------------------------------
xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldaps://ldap.abc.com:636"
          bind_dn: "cn=abc,ou=xyz,ou=xy,o=abc"
          bind_password: xxxxx
          user_search:
            base_dn: "ou=Employees,ou=People,o=abc"
            attribute: cn
          group_search:
            base_dn: "ou=Groups,o=abc"
          files:
            role_mapping: "/opt/app/elasticsearch-6.2.3/config/x-pack/role_mapping.yml"
          unmapped_groups_as_roles: false

Step 5 -
Added my ID as superuser in the role_mapping.yml file:

superuser:
  - "cn=myid,ou=Employees,ou=People,o=abc"

Restarted the Elasticsearch server.

Now when I try to access https://myhostname:9200, it prompts for userid/password, and after submitting my credentials it gives me the following error.

[2018-06-29T00:20:37,050][WARN ][o.e.x.s.a.AuthenticationService] [rnd] Authentication to realm ldap1 failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server ldap.abc.com:636: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ldap.abc.com:636' because an unexpected error was encountered during validation processing: SSLPeerUnverifiedException(message='peer not authenticated', trace='getPeerCertificates(SSLSessionImpl.java:440) / verifySSLSocket(HostNameSSLSocketVerifier.java:113) / (LDAPConnectionInternals.java:166) / connect(LDAPConnection.java:860) / connect(LDAPConnection.java:760) / connect(LDAPConnection.java:710) / (LDAPConnection.java:534) / getConnection(SingleServerSet.java:229) / getConnection(ServerSet.java:98) / getConnection(FailoverServerSet.java:545) / createConnection(LDAPConnectionPool.java:1205) / createConnection(LDAPConnectionPool.java:1178) / getConnection(LDAPConnectionPool.java:1706) / doPrivileged(AccessController.java:native) / privilegedConnect(LdapUtils.java:87) / searchForEntry(LdapUtils.java:225) / searchForEntry(LdapUtils.java:177) / findUser(LdapUserSearchSessionFactory.java:241) / getSessionWithPool(LdapUserSearchSessionFactory.java:99) / session(PoolingSessionFactory.java:84) / lambda$doAuthenticate$1(LdapRealm.java:137) / doRun(LdapRealm.java:293) / doRun(ThreadContext.java:672) / run(AbstractRunnable.java:37) / runWorker(ThreadPoolExecutor.java:1149) / run(ThreadPoolExecutor.java:624) / run(Thread.java:748)', revision=24201)')'))

What am I missing here?
Do I need to create a separate keystore to add the LDAP cert to, or where should I add the LDAP cert?

Any help would be appreciated!

Thanks
Devesh


Hi @Devesh_Pandey,

Please look at the documentation for more information:
https://www.elastic.co/guide/en/x-pack/6.2/ldap-realm.html#ldap-ssl
Hope this helps.

Regards,
Yogesh Gaikwad

When you configure xpack.ssl.certificate_authorities, that takes precedence over the CA certs that exist in your JVM, so the LDAP cert you added to your Java cacerts isn't used.

Yogesh's link shows how to configure a certificate authority specifically for the LDAP connection.

@TimV Thanks a lot, it worked.

@Yogesh_Gaikwad Thanks a lot, it worked.
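As an added example (not code from this thread or from Elastic), here is a small checker for the misconfiguration the thread resolves: an LDAP realm pointed at an ldaps:// URL with no realm-level trust, while xpack.ssl.certificate_authorities is set globally and therefore the JVM cacerts are never consulted. It reads elasticsearch.yml written in the flat dotted-key form that Elasticsearch accepts (it does not parse the indented YAML of the original post), and the two embedded configs are constructed: the first is the posted realm flattened, the second adds the realm-level ssl.certificate_authorities setting from the linked docs; the file name certs/ldap_ca.crt is an assumption.

```python
"""Flag LDAP realms that use ldaps:// without their own CA or truststore.
Added example; the settings names are those of the 6.x LDAP realm docs."""
from urllib.parse import urlsplit

REALM_PREFIX = "xpack.security.authc.realms."


def parse_flat_settings(text):
    """Parse 'key: value' lines (flat dotted form of elasticsearch.yml).
    Comments and blank lines are skipped, surrounding quotes are dropped,
    and '[a, b]' becomes a list of strings. Nested YAML is NOT handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip().strip("\"'") for v in value[1:-1].split(",") if v.strip()]
        else:
            value = value.strip("\"'")
        settings[key.strip()] = value
    return settings


def ldap_realms(settings):
    """Group realm settings by realm name and keep only 'type: ldap' realms."""
    realms = {}
    for key, value in settings.items():
        if key.startswith(REALM_PREFIX):
            name, _, setting = key[len(REALM_PREFIX):].partition(".")
            realms.setdefault(name, {})[setting] = value
    return {n: s for n, s in realms.items() if s.get("type") == "ldap"}


def check_ldap_trust(settings):
    """Return one finding per LDAP realm that connects over ldaps:// but has
    no realm-level ssl.certificate_authorities or ssl.truststore.path."""
    findings = []
    global_trust = (settings.get("xpack.ssl.certificate_authorities")
                    or settings.get("xpack.ssl.truststore.path"))
    for name, realm in ldap_realms(settings).items():
        urls = realm.get("url", [])
        if isinstance(urls, str):
            urls = [urls]
        if not any(urlsplit(u).scheme.lower() == "ldaps" for u in urls):
            continue
        if realm.get("ssl.certificate_authorities") or realm.get("ssl.truststore.path"):
            continue
        why = ("xpack.ssl.certificate_authorities is set, so the JVM cacerts are ignored"
               if global_trust else "trust falls back to the JVM cacerts")
        findings.append(f"realm {name}: ldaps:// with no realm-level "
                        f"ssl.certificate_authorities or ssl.truststore.path ({why})")
    return findings


# Constructed: the realm from the original post, rewritten in flat dotted form.
POSTED_CONFIG = """
xpack.ssl.key: certs/rnd.key
xpack.ssl.certificate: certs/rnd.crt
xpack.ssl.certificate_authorities: certs/ca.crt
xpack.security.enabled: true
xpack.security.authc.realms.ldap1.type: ldap
xpack.security.authc.realms.ldap1.order: 0
xpack.security.authc.realms.ldap1.url: "ldaps://ldap.abc.com:636"
xpack.security.authc.realms.ldap1.bind_dn: "cn=abc,ou=xyz,ou=xy,o=abc"
xpack.security.authc.realms.ldap1.user_search.base_dn: "ou=Employees,ou=People,o=abc"
"""

# Constructed: the same realm with the LDAP server's CA given to the realm
# itself (the fix the thread converged on). certs/ldap_ca.crt is an assumption.
FIXED_CONFIG = POSTED_CONFIG + """
xpack.security.authc.realms.ldap1.ssl.certificate_authorities: ["certs/ldap_ca.crt"]
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_ldap_trust(parse_flat_settings(cfg)) or "OK")
```

Run it against the posted config and it reports ldap1; against the fixed config it is silent. The check deliberately treats only ldaps:// as TLS, and it does not validate that the referenced CA file actually matches the chain the LDAP server presents; fetching that chain (for example with openssl s_client) and saving it as the realm's CA file is still a manual step.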
