ElasticSearch ( 5.5.2 ) X-Pack Active Directory Authentication Fails

ramkrishna.cignex · October 30, 2018, 12:04pm

Hi,

I am using Elasticsearch and X-pack version 5.5.2.

I am trying to configure X-Pack with Active directory and I am getting following error.

[2018-10-30T17:11:07,895][WARN ][o.e.x.s.a.AuthenticationService] [local-node] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=81 (server down), errorMessage='The connection to server xx.xx.xx.xx:636 was closed while waiting for a response to a bind request SimpleBindRequest(dn='user@domain.com'): An I/O error occurred while trying to read the response from the server: SocketException(message='Software caused connection abort: recv failed', trace='socketRead0(null:native) / socketRead(null:unknown) / read(null:unknown) / read(null:unknown) / fill(null:unknown) / read(null:unknown) / read(ASN1StreamReader.java:992) / readType(ASN1StreamReader.java:329) / beginSequence(ASN1StreamReader.java:912) / readLDAPResponseFrom(LDAPMessage.java:1146) / run(LDAPConnectionReader.java:251)', revision=24201)'))

Configuration in elasticsearch.yml :

xpack:
  security:
    authc:
      realms:
        active_directory:
          type: active_directory
          order: 0
          domain_name: domain.com
          url: ldap://xx.xx.xx.xx:636
          unmapped_groups_as_roles: true
          follow_referrals: false
          ssl:
            certificate_authorities: [ "./x-pack/cacert.pem" ]

Configuration in role_mapping.yml:

superuser:
  - "cn=UserGroupName,dc=domain,dc=com"
  - "cn=SpecificUserID,dc=domain,dc=com"

I am using cacert.pem file generated by following command:

openssl s_client -showcerts -connect XX.XX.XX.XX:636 </dev/null 2>/dev/null|openssl x509 -outform PEM >cacert.pem

Please let me know what should I fix to make AD authentication work.

Thank You.
Ram.

ikakavas · October 31, 2018, 6:28am

You need to denote that your LDAP server uses SSL in your confguration, so please change

url: ldap://xx.xx.xx.xx:636

to

url: ldaps://xx.xx.xx.xx:636

ramkrishna.cignex · October 31, 2018, 8:37am

@ikakavas

I tried to use ldaps but it end up with following error in log:

[2018-10-31T14:04:20,405][WARN ][o.e.x.s.a.AuthenticationService] [local-node] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server xx.xx.xx.xx:636: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Hostname verification failed because the expected hostname 'xx.xx.xx.xx' was not found in peer certificate 'subject='CN=ABCD.XYZ.domain.com''.')'))

Please suggest.

ikakavas · October 31, 2018, 8:59am

As explicitly called out by the error, hostname verification fails for your LDAP server's certificate. This is because you use the server's IP address in your ldaps URL and the server's certificate only contain it's FQDN. You can either

use ABCD.XYZ.domain.com instead of the IP address in your
```
 url: ldaps://xx.xx.xx.xx:636
```
or set
```
 ssl:
   verification_mode: certificate
```
so that Elasticsearch doesn't perform hostname validation for your LDAP server's certificate see AD settings for reference

ramkrishna.cignex · October 31, 2018, 1:12pm

Hello @ikakavas,

It was spot on !!

I can log in to Elasticsearch and Kibana using AD now.

Thank you very much.

Regards,
Ram.

system · November 28, 2018, 1:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.