Hello everybody
I'm having a very strange problem while setting up LDAP for elasticsearch.
First of all, some information about my environment:
Elasticsearch version:
[root@elastic ~]# /usr/share/elasticsearch/bin/elasticsearch -V
Version: 8.15.1, Build: rpm/253e8544a65ad44581194068936f2a5d57c2c051/2024-09-02T22:04:47.310170297Z, JVM: 22.0.1
OS:
[root@elastic ~]# cat /etc/redhat-release
Rocky Linux release 9.4 (Blue Onyx)
Hardening:
CIS Server Level 2
SELinux:
[root@elastic ~]# sestatus
SELinux status: disabled
LDAP-Server:
Free-IPA 4.11.0
elasticsearch.yml settings for LDAP:
# Enable security features
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  key: certs/elastic/elastic.key
  certificate: certs/elastic/elastic.crt
  certificate_authorities: certs/ca/ca.crt
# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0
# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
#transport.host: 0.0.0.0
#----------------------- END SECURITY AUTO CONFIGURATION -------------------------
xpack.security.authc.realms.ldap.ipa:
  order: 0
  url: "ldap://ipa.mydomain.ch:389"
  bind_dn: "uid=bnd_elastic,cn=users,cn=accounts,dc=mydomain,dc=ch"
  bind_password: "mypassword"
  user_search:
    base_dn: "cn=users,cn=accounts,dc=mydomain,dc=ch"
    filter: "(uid={0})"
  group_search:
    base_dn: "cn=groups,cn=accounts,dc=mydomain,dc=ch"
  files:
    role_mapping: "/etc/elasticsearch/role_mapping.yml"
  unmapped_groups_as_roles: false
role_mapping.yml:
superuser:
  - "cn=adm_team,cn=groups,cn=accounts,dc=mydomain,dc=ch"
The problem:
When I restart elasticsearch after setting up the mentioned settings for LDAP, I always get this error:
[2024-09-18T22:23:59,748][INFO ][o.e.x.s.a.l.LdapUserSearchSessionFactory] [elastic-node-1] Realm [ipa] is in user-search mode - base_dn=[cn=users,cn=accounts,dc=mydomain,dc=ch], search filter=[(uid={0})]
[2024-09-18T22:23:59,750][ERROR][o.e.x.s.a.s.DnRoleMapper ] [elastic-node-1] failed to parse role mappings file [/etc/elasticsearch/role_mapping.yml]. skipping/removing all mappings...
java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/elasticsearch/role_mapping.yml" "read")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:488) ~[?:?]
at java.security.AccessController.checkPermission(AccessController.java:1085) ~[?:?]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:411) ~[?:?]
at java.lang.SecurityManager.checkRead(SecurityManager.java:742) ~[?:?]
at sun.nio.fs.UnixChannelFactory.open(UnixChannelFactory.java:246) ~[?:?]
at sun.nio.fs.UnixChannelFactory.newFileChannel(UnixChannelFactory.java:133) ~[?:?]
at sun.nio.fs.UnixChannelFactory.newFileChannel(UnixChannelFactory.java:146) ~[?:?]
at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:259) ~[?:?]
at java.nio.file.Files.newByteChannel(Files.java:379) ~[?:?]
at java.nio.file.Files.newByteChannel(Files.java:431) ~[?:?]
at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420) ~[?:?]
at java.nio.file.Files.newInputStream(Files.java:159) ~[?:?]
at org.elasticsearch.common.settings.Settings$Builder.loadFromPath(Settings.java:1223) ~[elasticsearch-8.15.1.jar:?]
at org.elasticsearch.xpack.security.authc.support.DnRoleMapper.parseFile(DnRoleMapper.java:117) ~[?:?]
at org.elasticsearch.xpack.security.authc.support.DnRoleMapper.parseFileLenient(DnRoleMapper.java:88) ~[?:?]
at org.elasticsearch.xpack.security.authc.support.DnRoleMapper.lambda$new$0(DnRoleMapper.java:65) ~[?:?]
at java.security.AccessController.doPrivileged(AccessController.java:319) ~[?:?]
at org.elasticsearch.xpack.security.authc.support.DnRoleMapper.<init>(DnRoleMapper.java:64) ~[?:?]
at org.elasticsearch.xpack.security.authc.ldap.LdapRealm.<init>(LdapRealm.java:80) ~[?:?]
at org.elasticsearch.xpack.security.authc.InternalRealms.lambda$getFactories$3(InternalRealms.java:152) ~[?:?]
at org.elasticsearch.xpack.security.authc.Realms.initRealms(Realms.java:303) ~[?:?]
at org.elasticsearch.xpack.security.authc.Realms.<init>(Realms.java:112) ~[?:?]
at org.elasticsearch.xpack.security.Security.createComponents(Security.java:892) ~[?:?]
at org.elasticsearch.xpack.security.Security.createComponents(Security.java:740) ~[?:?]
at org.elasticsearch.node.NodeConstruction.lambda$construct$13(NodeConstruction.java:868) ~[elasticsearch-8.15.1.jar:?]
at org.elasticsearch.plugins.PluginsService.lambda$flatMap$1(PluginsService.java:253) ~[elasticsearch-8.15.1.jar:?]
at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:288) ~[?:?]
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:212) ~[?:?]
at java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:722) ~[?:?]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:556) ~[?:?]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:546) ~[?:?]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:622) ~[?:?]
at java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:291) ~[?:?]
at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:631) ~[?:?]
at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:637) ~[?:?]
at java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:642) ~[?:?]
at org.elasticsearch.node.NodeConstruction.construct(NodeConstruction.java:868) ~[elasticsearch-8.15.1.jar:?]
at org.elasticsearch.node.NodeConstruction.prepareConstruction(NodeConstruction.java:270) ~[elasticsearch-8.15.1.jar:?]
at org.elasticsearch.node.Node.<init>(Node.java:192) ~[elasticsearch-8.15.1.jar:?]
at org.elasticsearch.bootstrap.Elasticsearch$2.<init>(Elasticsearch.java:242) ~[elasticsearch-8.15.1.jar:?]
at org.elasticsearch.bootstrap.Elasticsearch.initPhase3(Elasticsearch.java:242) ~[elasticsearch-8.15.1.jar:?]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:76) ~[elasticsearch-8.15.1.jar:?]
To be clear, the file is accessible to the user elasticsearch with (IMHO) the right permissions:
[root@elastic ~]# ls -ld /etc/elasticsearch/
drwxr-s---. 4 root elasticsearch 4096 Sep 18 22:18 /etc/elasticsearch/
[root@elastic ~]# ls -la /etc/elasticsearch/role_mapping.yml
-rw-rw----. 1 root elasticsearch 552 Sep 18 22:18 /etc/elasticsearch/role_mapping.yml
[root@elastic ~]# su - elasticsearch -s /bin/bash
Creating home directory for elasticsearch.
[elasticsearch@elastic ~]$ cat /etc/elasticsearch/role_mapping.yml
superuser:
- "cn=adm_team,cn=groups,cn=accounts,dc=mydomain,dc=ch"
If I comment out the following lines, the elasticsearch service starts without problems, but obviously I don't have any LDAP mappings in place then.
#  files:
#    role_mapping: "/etc/elasticsearch/role_mapping.yml"
I guess there could be some problem with the Java security manager. Therefore, I tried to add the following line to /usr/share/elasticsearch/modules/x-pack-security/plugin-security.policy:
permission java.io.FilePermission "/etc/elasticsearch/role_mapping.yml", "read";
But this doesn't help in any way.
I also tried to disable the Java security manager with the option -Djava.security.manager.disabled=true in...:
- /etc/elasticsearch/jvm.options
- /usr/lib/systemd/system/elasticsearch.service
- /etc/sysconfig/elasticsearch
...but none of those settings disabled the security manager correctly; the option -Djava.security.manager=allow was still present on the elasticsearch process.
What am I overlooking?
Is this some kind of a weird bug?
How could I disable the Java security manager for elasticsearch temporarily to see if this changes anything?
Any help or hint is kindly appreciated. Thanks in advance for your help and your effort.
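As an added example (not part of the original post and not Elastic's code), a small Python lint over the realm settings and role_mapping.yml quoted above, flagging what a reviewer would raise with this configuration independently of the FilePermission error: a cleartext ldap:// URL, the bind password kept in elasticsearch.yml instead of the keystore (`secure_bind_password`), mapped DNs outside group_search.base_dn, and a superuser mapping file that the node's own account can write to. All values are constructed from the post; the hostnames and DNs are its placeholders.

```python
import re
from urllib.parse import urlparse

# Realm settings flattened from the post's elasticsearch.yml (constructed copy;
# ipa.mydomain.ch and the DNs are the post's placeholder values).
REALM = {
    "url": "ldap://ipa.mydomain.ch:389",
    "bind_dn": "uid=bnd_elastic,cn=users,cn=accounts,dc=mydomain,dc=ch",
    "bind_password": "mypassword",  # plaintext secret in elasticsearch.yml
    "user_search.base_dn": "cn=users,cn=accounts,dc=mydomain,dc=ch",
    "group_search.base_dn": "cn=groups,cn=accounts,dc=mydomain,dc=ch",
    "unmapped_groups_as_roles": False,
}
# Constructed role_mapping.yml, as quoted in the post.
ROLE_MAPPING = 'superuser:\n  - "cn=adm_team,cn=groups,cn=accounts,dc=mydomain,dc=ch"\n'
# Mode of the mapping file from the post's `ls -la` (-rw-rw---- root:elasticsearch).
MAPPING_FILE_MODE = 0o660


def parse_role_mapping(text):
    """Parse the flat 'role:' / '- "dn"' layout of role_mapping.yml into {role: [dn, ...]}."""
    mapping, role = {}, None
    for line in text.splitlines():
        if m := re.match(r'^([\w.-]+):\s*$', line):
            role = m.group(1)
            mapping[role] = []
        elif role and (m := re.match(r'^\s*-\s*"?([^"]+?)"?\s*$', line)):
            mapping[role].append(m.group(1).lower())  # DNs compare case-insensitively
    return mapping


def lint(realm, mapping_text, file_mode):
    """Return the review findings for one LDAP realm and its role mapping file."""
    findings = []
    if urlparse(realm["url"]).scheme == "ldap":
        findings.append("url uses ldap://: bind credentials and user passwords cross the network in clear; use ldaps://")
    if "bind_password" in realm:
        findings.append("bind_password is in elasticsearch.yml; store it in the keystore as secure_bind_password instead")
    base = "," + realm["group_search.base_dn"].lower()
    for role, dns in parse_role_mapping(mapping_text).items():
        for dn in dns:
            if not dn.endswith(base):
                findings.append(f"{role}: {dn} is outside group_search.base_dn and can never match")
        if role == "superuser" and file_mode & 0o022:
            findings.append("role_mapping.yml grants superuser but is group- or world-writable (mode %o): the node's own account can rewrite it" % file_mode)
    return findings


if __name__ == "__main__":
    for f in lint(REALM, ROLE_MAPPING, MAPPING_FILE_MODE):
        print("FINDING:", f)
```

Against the posted configuration the lint reports three findings; with ldaps://, the password moved to the keystore and the file at mode 640 it reports none.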