Hi there,
I am trying to build infrastructure for Elastic. I was able to set up Elastic and Kibana with X-Pack. I am facing an issue while configuring LDAP, and here is what I have done till now.
Step 1 - Used openssl to download the LDAP cert and added it to the Java cacerts that Elastic is using (in this case it is OpenJDK, the path is /bin/java and the version is openjdk version "1.8.0_161").
Step 2 - Ran this command to create the CA cert.
elasticsearch-6.2.3/bin/x-pack/certgen --dn 'CN=rnd elastic server' --pass --days 3650 --keysize 4096 --out elk_ca/ELK_CA.zip
Step 3 - Unzipped this file and placed the files in the Elastic config/certs dir.
Step 4 - Configured elasticsearch.yml as follows.
xpack.ssl.key: certs/rnd.key
xpack.ssl.certificate: certs/rnd.crt
xpack.ssl.certificate_authorities: certs/ca.crt
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.ssl.verification_mode: certificate
#------------------------------------X PACK LDAP-------------------------------
xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldaps://ldap.abc.com:636"
          bind_dn: "cn=abc,ou=xyz,ou=xy,o=abc"
          bind_password: xxxxx
          user_search:
            base_dn: "ou=Employees,ou=People,o=abc"
            attribute: cn
          group_search:
            base_dn: "ou=Groups,o=abc"
          files:
            role_mapping: "/opt/app/elasticsearch-6.2.3/config/x-pack/role_mapping.yml"
          unmapped_groups_as_roles: false
Step 5 - Added my id as a superuser in the role_mapping.yml file:
superuser:
  - "cn=myid,ou=Employees,ou=People,o=abc"
Restarted the Elastic server.
Now when I try to access https://myhostname:9200, it prompts for a user id/password, and after submitting my credentials it gives me the following error.
2018-06-29T00:20:37,050][WARN ][o.e.x.s.a.AuthenticationService] [rnd] Authentication to realm ldap1 failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server ldap.abc.com:636: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ldap.abc.com:636' because an unexpected error was encountered during validation processing: SSLPeerUnverifiedException(message='peer not authenticated', trace='getPeerCertificates(SSLSessionImpl.java:440) / verifySSLSocket(HostNameSSLSocketVerifier.java:113) / (LDAPConnectionInternals.java:166) / connect(LDAPConnection.java:860) / connect(LDAPConnection.java:760) / connect(LDAPConnection.java:710) / (LDAPConnection.java:534) / getConnection(SingleServerSet.java:229) / getConnection(ServerSet.java:98) / getConnection(FailoverServerSet.java:545) / createConnection(LDAPConnectionPool.java:1205) / createConnection(LDAPConnectionPool.java:1178) / getConnection(LDAPConnectionPool.java:1706) / doPrivileged(AccessController.java:native) / privilegedConnect(LdapUtils.java:87) / searchForEntry(LdapUtils.java:225) / searchForEntry(LdapUtils.java:177) / findUser(LdapUserSearchSessionFactory.java:241) / getSessionWithPool(LdapUserSearchSessionFactory.java:99) / session(PoolingSessionFactory.java:84) / lambda$doAuthenticate$1(LdapRealm.java:137) / doRun(LdapRealm.java:293) / doRun(ThreadContext.java:672) / run(AbstractRunnable.java:37) / runWorker(ThreadPoolExecutor.java:1149) / run(ThreadPoolExecutor.java:624) / run(Thread.java:748)', revision=24201)')'))
What am I missing here?
Do I need to create a separate keystore to add the LDAP cert to, or where should I add the LDAP cert?
Any help would be appreciated!
Thanks
Devesh
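The failure in the log is the LDAP client's TLS handshake rejecting the server certificate because it is not in the trust store the client actually consults. The Go program below, an added example that is not from the original post or from Elasticsearch, reproduces that check offline: it serves a constructed self-signed certificate for the assumed placeholder hostname ldap.abc.com on localhost, then probes it once with an empty trust store and once with that certificate added as a trusted root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
const ldapHost = "ldap.abc.com" // assumed placeholder; stands in for the LDAPS server in the post
// newServerCert returns a constructed self-signed certificate for ldapHost (test data, not a real CA).
func newServerCert() (tls.Certificate, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: ldapHost},
		DNSNames: []string{ldapHost}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert
}

// probe runs the client half of the LDAPS handshake against addr, trusting only roots; nil means the peer verified.
func probe(addr string, roots *x509.CertPool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: ldapHost, RootCAs: roots})
	if err != nil {
		return err // with an empty pool this is x509.UnknownAuthorityError, the "peer not authenticated" case
	}
	return conn.Close()
}

// Demo serves the constructed certificate locally and probes it with an empty trust store, then with its CA trusted.
func Demo() (untrusted, trusted error) {
	srvCert, ca := newServerCert()
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srvCert}})
	defer ln.Close()
	go func() { // accept loop; a rejected handshake surfaces on the client side, so server errors are ignored
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	untrusted = probe(ln.Addr().String(), x509.NewCertPool())
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	trusted = probe(ln.Addr().String(), pool)
	return untrusted, trusted
}
```

The same rule applies to Elasticsearch: the LDAPS server's CA must be in the trust store the realm's client consults (the global xpack.ssl.certificate_authorities file, or the realm-level ssl.certificate_authorities / ssl.truststore.path settings), not only in the JVM cacerts.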