Elasticsearch Active Directory Configuration Errors - User authentication

Hello,
I have been stuck on this for a couple of days now. I have tried several options from the forum but I still can't get it to work. I used this documentation: https://www.elastic.co/guide/en/elasticsearch/reference/current/active-directory-realm.html
Below is my Active Directory realm config for Elasticsearch. The service account used as bind_dn is already being used by another application to authenticate to LDAP successfully. The security team confirmed that there is no firewall block from the Elasticsearch server to the LDAP servers.
Thanks in advance for your help.

xpack:
  security:
    authc:
      realms:
        active_directory:
          my_ad:
            order: 0
            domain_name: domain.net
            url: ldaps://ldapserver1@domain.net:389, ldaps://ldapserver2@domain.net:389, ldaps://ldapserver3@domain.net:389, ldaps://ldapserver4@domain.net:389
            bind_dn: serviceaccount@domain.net
            load_balance:
              type: "round_robin"

These are the errors I have been getting.


[2020-12-21T12:37:57,760][INFO ][o.e.x.s.a.AuthenticationService] [elasticserver@domain.net] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]

[2020-12-21T12:38:11,631][WARN ][o.e.x.s.a.AuthenticationService] [elasticserver@domain.net] Authentication to realm my_ad failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server ldapserver@domain.net:389:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ldapserver@domain.net:389' because an unexpected error was encountered during validation processing:  SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812'))'))

[2020-12-21T12:38:11,986][WARN ][o.e.x.s.a.AuthenticationService] [elasticserver@domain.net] Authentication to realm my_ad failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server ldapserver@domain.net:389:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ldapserver@domain.net:389' because an unexpected error was encountered during validation processing:  SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812'))'))

[2020-12-21T12:38:16,638][WARN ][o.e.x.s.a.AuthenticationService] [elasticserver@domain.net] Authentication to realm my_ad failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server ldapserver@domain.net:389:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ldapserver@domain.net:389' because an unexpected error was encountered during validation processing:  SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812'))'))

[2020-12-21T12:38:18,457][WARN ][o.e.x.s.a.AuthenticationService] [elasticserver@domain.net] Authentication to realm my_ad failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server ldapserver@domain.net:389:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ldapserver@domain.net:389' because an unexpected error was encountered during validation processing:  SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812'))'))

[2020-12-21T12:38:29,003][WARN ][o.e.x.s.a.AuthenticationService] [elasticserver@domain.net] Authentication to realm my_ad failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server ldapserver@domain.net:389:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ldapserver@domain.net:389' because an unexpected error was encountered during validation processing:  SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812'))'))

You need to configure TLS between Elasticsearch and your LDAP server.

I have configured the TLS connection and provided a certificate to Elasticsearch. My current elasticsearch.yml looks like this. I am still getting the same errors as before. I have currently restricted it to one LDAP server.

xpack:
  security:
    authc:
      realms:
        active_directory:
          my_ad:
            order: 0
            domain_name: domain.net
            url: "ldaps://ldapserver1@domain.net:389"
            bind_dn: serviceaccount@domain.net
            load_balance:
              type: "round_robin"
           ssl:
              certificate_authorities: [ "/etc/elasticsearch/servercert/cacert.pem" ]

Try this

xpack:
  security:
    authc:
      realms:
        active_directory:
          my_ad:
            order: 0
            domain_name: domain.net
            url: ldaps://ad1.foo.bar.local:636, ldaps://ad2.foo.bar.local:636, ldaps://ad3.foo.bar.local:636
            bind_dn: serviceaccount@domain.net
            load_balance:
              type: "round_robin"
            ssl:
              certificate_authorities: [ "/etc/elasticsearch/servercert/cacert.pem" ]
              supported_protocols: ["TLSv1.2", "TLSv1.1", "TLSv1"]

See also https://www.elastic.co/guide/en/elasticsearch/reference/7.11/configuring-tls.html#tls-active-directory

ssl:
              certificate_authorities:

Indentation matters in YAML, and the ssl section needs to be under the realm, not under the realm type, so in your case:

xpack:
  security:
    authc:
      realms:
        active_directory:
          my_ad:
            order: 0
            domain_name: domain.net
            url: "ldaps://ldapserver1@domain.net:389"
            bind_dn: serviceaccount@domain.net
            load_balance:
              type: "round_robin"
            ssl:
              certificate_authorities: [ "/etc/elasticsearch/servercert/cacert.pem" ]
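The replies above come down to two config mistakes: ldaps:// URLs pointing at port 389 with a user@domain host, and an ssl block indented one level too shallow. The checker below is an added example written for this thread, not Elastic code; it lints a realm snippet for exactly those problems using only the standard library, and the sample config it runs against is constructed to mirror the one in the question.

```python
"""Lint an Elasticsearch active_directory realm for the mistakes in this thread:
bad ldaps:// URLs and an `ssl:` block under the wrong YAML parent."""
import re
from urllib.parse import urlsplit

LDAPS_PORT, LDAP_PORT = 636, 389

def check_urls(url_value: str) -> list:
    """Return findings for a comma-separated realm `url` value."""
    findings = []
    for raw in (u.strip().strip('"') for u in url_value.split(",")):
        parts = urlsplit(raw)
        if parts.scheme not in ("ldap", "ldaps"):
            findings.append(f"{raw}: scheme must be ldap or ldaps")
            continue
        if parts.username is not None:  # host@domain parses as userinfo, not a host
            findings.append(f"{raw}: '@' in host; use the server FQDN, not user@domain")
        if parts.scheme == "ldaps" and parts.port == LDAP_PORT:
            findings.append(f"{raw}: ldaps on {LDAP_PORT} is the plain LDAP port; LDAPS listens on {LDAPS_PORT}")
    return findings

def check_ssl_indent(config_text: str) -> list:
    """`ssl:` must sit at the same indent as `order:`, i.e. directly under the realm name."""
    indent = {}
    for line in config_text.splitlines():
        m = re.match(r"^( *)(order|ssl):", line)
        if m:
            indent[m.group(2)] = len(m.group(1))
    if "ssl" not in indent:
        return ["no ssl block: add ssl.certificate_authorities unless the AD CA is in the JVM truststore"]
    if indent["ssl"] != indent.get("order"):
        return [f"ssl: indented {indent['ssl']} spaces but realm keys use {indent['order']}; YAML puts it under the wrong parent"]
    return []

def lint(config_text: str) -> list:
    """Run both checks over a realm snippet."""
    m = re.search(r"^[ \t]*url:[ \t]*(.+)$", config_text, re.M)
    findings = check_urls(m.group(1)) if m else ["no url key in realm"]
    return findings + check_ssl_indent(config_text)

# Constructed sample reproducing the question's config (11-space ssl indent, ldaps on 389).
BROKEN = """\
        active_directory:
          my_ad:
            order: 0
            domain_name: domain.net
            url: "ldaps://ldapserver1@domain.net:389"
            bind_dn: serviceaccount@domain.net
           ssl:
              certificate_authorities: [ "/etc/elasticsearch/servercert/cacert.pem" ]
"""

if __name__ == "__main__":
    for finding in lint(BROKEN):
        print("-", finding)
```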

Thanks, I was able to get around the error by letting the Elasticsearch server trust the certificate from the LDAP server. But I am stuck on a different issue now. I can log in successfully with the built-in elastic user, but when authenticating with an LDAP user I get the below from Kibana. I am not seeing logs on Elasticsearch, so I am not quite sure how to troubleshoot this.

{"statusCode":403,"error":"Forbidden","message":"Forbidden"}
