ElasticSearch ( 5.5.2 ) X-Pack Active Directory Authentication Fails

(Ram) #1

Hi,

I am using ElasticSearch and X-pack version 5.5.2.

I am trying to configure X-Pack with Active Directory and I am getting the following error.

[2018-10-30T17:11:07,895][WARN ][o.e.x.s.a.AuthenticationService] [local-node] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=81 (server down), errorMessage='The connection to server xx.xx.xx.xx:636 was closed while waiting for a response to a bind request SimpleBindRequest(dn='user@domain.com'): An I/O error occurred while trying to read the response from the server: SocketException(message='Software caused connection abort: recv failed', trace='socketRead0(null:native) / socketRead(null:unknown) / read(null:unknown) / read(null:unknown) / fill(null:unknown) / read(null:unknown) / read(ASN1StreamReader.java:992) / readType(ASN1StreamReader.java:329) / beginSequence(ASN1StreamReader.java:912) / readLDAPResponseFrom(LDAPMessage.java:1146) / run(LDAPConnectionReader.java:251)', revision=24201)'))

Configuration in elasticsearch.yml :

xpack:
  security:
    authc:
      realms:
        active_directory:
          type: active_directory
          order: 0
          domain_name: domain.com
          url: ldap://xx.xx.xx.xx:636
          unmapped_groups_as_roles: true
          follow_referrals: false
          ssl:
            certificate_authorities: [ "./x-pack/cacert.pem" ]

Configuration in role_mapping.yml:

superuser:
  - "cn=UserGroupName,dc=domain,dc=com"
  - "cn=SpecificUserID,dc=domain,dc=com"

I am using a cacert.pem file generated by the following command:

openssl s_client -showcerts -connect XX.XX.XX.XX:636 </dev/null 2>/dev/null|openssl x509 -outform PEM >cacert.pem

Please let me know what I should fix to make AD authentication work.

Thank You.
Ram.


(Ioannis Kakavas) #2

You need to denote that your LDAP server uses SSL in your configuration, so please change

url: ldap://xx.xx.xx.xx:636

to

url: ldaps://xx.xx.xx.xx:636

(Ram) #3

@ikakavas

I tried to use ldaps but it ended up with the following error in the log:

[2018-10-31T14:04:20,405][WARN ][o.e.x.s.a.AuthenticationService] [local-node] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server xx.xx.xx.xx:636: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Hostname verification failed because the expected hostname 'xx.xx.xx.xx' was not found in peer certificate 'subject='CN=ABCD.XYZ.domain.com''.')'))

Please suggest.


(Ioannis Kakavas) #4

As explicitly called out by the error, hostname verification fails for your LDAP server's certificate. This is because you use the server's IP address in your ldaps URL and the server's certificate only contains its FQDN. You can either

  • use ABCD.XYZ.domain.com instead of the IP address in your

     url: ldaps://xx.xx.xx.xx:636
    
  • or set

     ssl:
       verification_mode: certificate
    

    so that Elasticsearch doesn't perform hostname validation for your LDAP server's certificate. See AD settings for reference.
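
A pre-flight check for the hostname-verification failure discussed in posts #3 and #4, as an added example that is not part of the thread: it uses `openssl x509 -checkhost` / `-checkip` to test whether a saved server certificate is valid for the host in the realm `url`. The function names are illustrative, and the script assumes the openssl CLI (1.0.2 or newer) and an IPv4 address or DNS name in the URL.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI, 1.0.2 or newer.

# url_host URL: print the host part of an ldap:// or ldaps:// URL (IPv4 or DNS name).
url_host() {
    uh_rest="${1#*://}"            # drop the scheme
    uh_rest="${uh_rest%%/*}"       # drop any path
    printf '%s\n' "${uh_rest%%:*}" # drop the port
}

# cert_covers PEM HOST: succeed if the certificate in PEM is valid for HOST.
# A host made only of digits and dots is checked as an IP address, which can
# match iPAddress SAN entries only; anything else is checked as a DNS name.
cert_covers() {
    case "$2" in
        ''|*[!0-9.]*) cc_flag=-checkhost ;;
        *)            cc_flag=-checkip ;;
    esac
    # The exit status of "openssl x509" does not carry the verdict in every
    # release, so match on the text it prints instead.
    openssl x509 -in "$1" -noout "$cc_flag" "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# check_realm_url PEM URL: 0 = URL should pass hostname verification,
# 1 = name mismatch (the resultCode=91 case), 2 = URL is not ldaps://.
check_realm_url() {
    case "$2" in
        ldaps://*) ;;
        *) echo "not-ldaps: $2 does not start TLS; use ldaps:// for an SSL port"
           return 2 ;;
    esac
    cr_host="$(url_host "$2")"
    if cert_covers "$1" "$cr_host"; then
        echo "ok: certificate is valid for $cr_host"
        return 0
    fi
    echo "mismatch: certificate is not valid for $cr_host"
    openssl x509 -in "$1" -noout -subject 2>/dev/null
    echo "fix: put a name from the certificate in url, or set ssl.verification_mode: certificate"
    return 1
}

# Usage: sh check_realm_url.sh cacert.pem ldaps://ABCD.XYZ.domain.com:636
if [ "$#" -eq 2 ]; then check_realm_url "$1" "$2"; fi
```

The cacert.pem produced by the command in post #1 holds the server's own certificate (`openssl x509` keeps only the first certificate that `s_client` prints), so it can be passed directly as the PEM argument.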


(Ram) #5

Hello @ikakavas,

It was spot on !!

I can log in to Elasticsearch and Kibana using AD now.

Thank you very much.

Regards,
Ram.

