Connection timeout Active Directory

meetdave2611997 · May 29, 2018, 7:38pm

Hello,

I am facing some issue with connection with the active directory authentication Here is my configuration of elasticsearch.yml

    xpack:
    security:
    authc:
    realms:
        native1:
        type: native
        order: 0
        active_directory1:
        type: active_directory
        domain_name: "ad.test.com"
        url: "ldaps://ldap.cloud.test.com:636"
        ssl:
            verification_mode: none
        group_search:
            base_dn: "ou=Groups,ou=Objects,dc=ad,dc=test,dc=com"
        unmapped_groups_as_roles: false

Using this configuration, users are able to authenticate and login into kibana but the problem is elasticsearch constantly throws these errors.

    [2018-05-29T19:31:05,247][WARN ][o.e.x.s.a.l.s.LdapUtils  ] caught exception while trying to follow referral [ldap://ForestDnsZones.ad.test.com/DC=ForestDnsZones,DC=ad,DC=test,DC=com]
com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server ForestDnsZones.ad.test.com:389:  java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ForestDnsZones.ad.test.com/x.x.x.x:389:  ConnectException(message='Connection timed out (Connection timed out)', trace='socketConnect(PlainSocketImpl.java:native) / doConnect(AbstractPlainSocketImpl.java:350) / connectToAddress(AbstractPlainSocketImpl.java:206) / connect(AbstractPlainSocketImpl.java:188) / connect(SocksSocketImpl.java:392) / connect(Socket.java:589) / connect(SSLSocketImpl.java:673) / run(ConnectThread.java:146)', revision=24201)')
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:870) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
        at com.unboundid.ldap.sdk.LDAPConnection.<init>(LDAPConnection.java:534) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
        at com.unboundid.ldap.sdk.LDAPConnection.getReferralConnection(LDAPConnection.java:4545) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
        at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.followReferral(LdapUtils.java:514) ~[x-pack-5.4.1.jar:5.4.1]
        at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.access$300(LdapUtils.java:56) ~[x-pack-5.4.1.jar:5.4.1]
        at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils$LdapSearchResultListener.searchResultReceived(LdapUtils.java:446) [x-pack-5.4.1.jar:5.4.1]
        at com.unboundid.ldap.sdk.AsyncSearchHelper.responseReceived(AsyncSearchHelper.java:240) [unboundid-ldapsdk-3.2.0.jar:3.2.0]
        at com.unboundid.ldap.sdk.LDAPConnectionReader.run(LDAPConnectionReader.java:569) [unboundid-ldapsdk-3.2.0.jar:3.2.0]
Caused by: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ForestDnsZones.ad.test.com/x.x.x.x:389:  ConnectException(message='Co
ting to establish a connection to server ForestDnsZones.ad.test.com/x.x.x.x:389:  ConnectException(message='Connection timed out (Connection timed out)', trace='socketConnect(PlainSocketImpl.java:native) / doConnect(AbstractPlainSocketImpl.java:350) / connectToAddress(AbstractPlainSocketImpl.java:206) / connect(AbstractPlainSocketImpl.java:188) / connect(SocksSocketImpl.java:392) / connect(Socket.java:589) / connect(SSLSocketImpl.java:673) / run(ConnectThread.java:146)', revision=24201)')
        at sun.reflect.GeneratedConstructorAccessor61.newInstance(Unknown Source) ~[?:?]
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_151]
        at com.unboundid.util.StaticUtils.createIOExceptionWithCause(StaticUtils.java:2524) ~[?:?]
        at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:172) ~[?:?]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[?:?]
        ... 9 more
Caused by: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to establish a connection to server ForestDnsZones.ad.test.com/x.x.x.x:389:  ConnectException(message='Connection timed out (Connection timed out)', trace='socketConnect(PlainSocketImpl.java:native) / doConnect(AbstractPlainSocketImpl.java:350) / connectToAddress(AbstractPlainSocketImpl.java:206) / connect(AbstractPlainSocketImpl.java:188) / connect(SocksSocketImpl.java:392) / connect(Socket.java:589) / connect(SSLSocketImpl.java:673) / run(ConnectThread.java:146)', revision=24201)
        at com.unboundid.ldap.sdk.ConnectThread.getConnectedSocket(ConnectThread.java:240) ~[?:?]
        at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:161) ~[?:?]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[?:?]
        ... 9 more
Caused by: java.net.ConnectException: Connection timed out (Connection timed out)
        at java.net.PlainSocketImpl.socketConnect(Native Method) ~[?:1.8.0_151]
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[?:1.8.0_151]
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[?:1.8.0_151]
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[?:1.8.0_151]
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_151]
        at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_151]
        at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:673) ~[?:?]
        at com.unboundid.ldap.sdk.ConnectThread.run(ConnectThread.java:146) ~[?:?]

Why is elasticsearch trying to connect to port 389? Is any configuration is wrong?

Thanks,
Meet

ikakavas · May 30, 2018, 4:24am

Hi Meet,

As you can see from the error message, Elasticsearch is simply trying to follow referrals to ldap://ForestDnsZones.ad.test.com that AD returns in order to get all user information ( See more abour referrals in AD here )

You can instruct Elasticsearch to not follow these referrals ( especially given that athentication and information retrieval already works for you ) by setting

follow_referrals: false

in your realm configuration.

meetdave2611997 · May 30, 2018, 10:31am

@ikakavas Thanks it worked!

Do you think that the above error can affect the performance for kibana/api calls to elastic? (kibana was timing out/ throwing socket hangup errors for _xpack/authentication endpoint specifically)

ikakavas · May 31, 2018, 11:42am

Yes, as you experienced. Was the behavior improved after you made the change for follow_referrals ?

meetdave2611997 · May 31, 2018, 12:52pm

@ikakavas Yes performance is now much better.

system · June 28, 2018, 12:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.