Getting the below error in the ES logs while trying to hit the ES URL using the CN specified in my settings and the password.
Authentication to realm ldap failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1', diagnosticMessage='80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1'))
And if I replace
xpack.security.authc.realms.ldap.user_dn_templates: "CN=XXXX,OU=XX,DC=X"
by
xpack.security.authc.realms.ldap.user_search.base_dn: "DC=X"
I am getting the below error:
Authentication to realm ldap2 failed - authenticate failed (Caused by LDAPException(resultCode=1 (operations error), errorMessage='000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1'))
It's hard to be sure exactly what you've done since you've redacted the value, but the template needs to include {0} somewhere in it so that we can substitute in the id of the user who is authenticating. If you put a full DN there, then we'll authenticate as that DN, but use the password provided by the user who is logging in to ES.
Your LDAP server is configured to require authenticated binds before searching. If you want to use user_search mode then you'll need to provide a bind_dn and password as well, so that we can connect to the LDAP server and search for the user.
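To make the two points in this answer concrete, here is an added example (not Elastic's code and not from any participant in this thread) that works out which bind the ldap realm would attempt for a login under the settings quoted in the thread, and flags both misconfigurations: a template with no {0}, and user_search mode without bind_dn/bind_password against a server that refuses anonymous searches. It assumes the settings are passed as a flat dict with the "xpack.security.authc.realms.ldap." prefix stripped, that "(uid={0})" is the search filter when user_search.filter is not set, and the RFC 4514/4515 escaping it applies to the login name is the example's own defensive handling, not a statement about what Elasticsearch does internally. The ldapsearch command it emits is a way to verify the DN and password outside Elasticsearch.

```python
"""Added example (not Elastic's code): work out which bind Elasticsearch will attempt
for a login under the ldap realm settings quoted in this thread, and flag the two
misconfigurations the answer above describes.

Assumptions: settings are a flat dict keyed by the setting name with the
"xpack.security.authc.realms.ldap." prefix stripped; "(uid={0})" is used as the
search filter when user_search.filter is absent; the RFC 4514/4515 escaping below
is the example's own defensive handling, not a description of what Elasticsearch does.
"""
import shlex

DEFAULT_SEARCH_FILTER = "(uid={0})"

# Settings from the thread (the third is the asker's final elasticsearch.yml).
FIRST_ATTEMPT = {"user_dn_templates": "CN=XXXX,OU=XX,DC=X"}
SECOND_ATTEMPT = {"user_search.base_dn": "DC=X"}
FINAL_SETTINGS = {
    "type": "ldap",
    "order": 1,
    "url": "ldaps://ldap.example.com:636",
    "bind_dn": "cn=ldapuser, ou=users, o=services, dc=example, dc=com",
    "bind_password": "<bind password>",  # placeholder, not a real credential
    "user_search.base_dn": "dc=example,dc=com",
}


def escape_dn_value(value):
    """Escape a login name before it is substituted into a DN template (RFC 4514),
    so a login such as "B123,ou=admins" cannot add an RDN to the DN."""
    escaped = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def escape_filter_value(value):
    """Escape a login name before it is substituted into a search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def plan_login(settings, username):
    """Describe the LDAP operations the realm performs for `username`, plus config errors."""
    errors = []
    templates = settings.get("user_dn_templates")
    if isinstance(templates, str):
        templates = [templates]
    base_dn = settings.get("user_search.base_dn")
    if templates and base_dn:
        errors.append("user_dn_templates and user_search.base_dn are exclusive; configure one mode")
    if templates:
        candidates = []
        for tpl in templates:
            if "{0}" not in tpl:
                errors.append("template %r has no {0}: the realm would bind as this fixed DN "
                              "using the password the user typed at login" % tpl)
            candidates.append(tpl.replace("{0}", escape_dn_value(username)))
        return {"mode": "template", "bind_dn_candidates": candidates,
                "bind_password": "<the password typed at login>", "errors": errors}
    if base_dn:
        bind_dn = settings.get("bind_dn")
        if not bind_dn or not settings.get("bind_password"):
            errors.append("user_search mode without bind_dn/bind_password searches anonymously; "
                          "Active Directory answers resultCode=1 'a successful bind must be completed'")
        filt = settings.get("user_search.filter", DEFAULT_SEARCH_FILTER)
        return {"mode": "search", "first_bind_dn": bind_dn or "<anonymous>",
                "search_base": base_dn,
                "search_filter": filt.replace("{0}", escape_filter_value(username)),
                "errors": errors}
    return {"mode": None, "errors": ["neither user_dn_templates nor user_search.base_dn is set"]}


def ldapsearch_command(url, bind_dn, base_dn, search_filter, scope="sub"):
    """argv that reproduces the realm's bind (and search) with OpenLDAP's ldapsearch so the
    DN and password can be verified outside Elasticsearch; -W prompts for the password."""
    return ["ldapsearch", "-x", "-H", url, "-D", bind_dn, "-W",
            "-b", base_dn, "-s", scope, search_filter]


if __name__ == "__main__":
    for name, settings in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT), ("final", FINAL_SETTINGS)):
        print(name, plan_login(settings, "B123"))
    plan = plan_login(FINAL_SETTINGS, "B123")
    print(shlex.join(ldapsearch_command(FINAL_SETTINGS["url"], FINAL_SETTINGS["bind_dn"],
                                        plan["search_base"], plan["search_filter"])))
    # Template mode: verify the substituted DN itself with a base-scope search on it.
    tpl_plan = plan_login({"user_dn_templates": "cn={0}, ou=users, o=marketing, dc=example, dc=com"}, "B123")
    dn = tpl_plan["bind_dn_candidates"][0]
    print(shlex.join(ldapsearch_command(FINAL_SETTINGS["url"], dn, dn, "(objectClass=*)", scope="base")))
```

Running it prints the plan for each of the three configurations from the thread and the ldapsearch invocation that performs the same bind, which is the quickest way to tell a wrong DN or password apart from a realm misconfiguration.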
Can you please explain the part where you have mentioned
the template needs to include {0} somewhere in it so that we can substitute in the id of user who is authenticating.
Did it mean the below:
user_dn_templates:
  - "cn={0}, ou=users, o=marketing, dc=example, dc=com"
  - "cn={0}, ou=users, o=engineering, dc=example, dc=com"
While using the above and removing user_search mode I am getting the below error:
Authentication to realm ldap failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1', diagnosticMessage='80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1'))
and you try to log in as B123 for instance, Elasticsearch will try to bind to your LDAP server as
cn=B123, ou=users, o=marketing, dc=example, dc=com, as it will replace {0} with the user id you use while logging in.
So, it means that you need to set your user_dn_templates accordingly so that, after replacing the {0} with whatever the user enters on login, the result will be a valid DN in your LDAP. Is that clearer now?
This error code from Active Directory means "wrong credentials", so the best guess here is that either the DN or the password of that user is wrong. Can you try and bind directly to the AD using the DN and password to verify these are valid?
Now I included the bind_dn and bind_password and tried. I am getting the below error.
Authentication to realm ldap failed - authenticate failed (Caused by LDAPException(resultCode=85 (timeout), errorMessage='The asynchronous operation encountered a client-side timeout after waiting 4999 milliseconds for a response to arrive.'))
Can you please be a little more explicit? You added which bind_dn and which bind_password, and where?
Your server did not reply to the bind request within 5 seconds.
I just noticed that you are using an LDAP realm while your backend server is Active Directory. Please change that to use an Active Directory realm instead.
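The three errors quoted so far in this thread (resultCode 49 with AD's "data 52e", resultCode 1 "a successful bind must be completed", and the resultCode 85 client-side timeout) each point at a different layer, and it is easy to chase the wrong one. The following added example (not Elastic's code and not from any participant in the thread) parses such log lines and returns a diagnosis and the next step to take, using the thread's own three lines as constructed input. The table of Active Directory sub-codes appended to resultCode 49 replies (525, 52e, 530, 531, 532, 533, 701, 773, 775) is the standard set AD returns; only 52e appears on this page.

```python
"""Added example (not Elastic's code): triage the LDAP/Active Directory bind failures
that Elasticsearch logs for an ldap realm. SAMPLE_LINES are copies of the three log
lines quoted in this thread plus one constructed line with a different AD sub-code.
"""
import re

REALM_RE = re.compile(r"Authentication to realm (?P<realm>\S+) failed")
RESULT_RE = re.compile(
    r"resultCode=(?P<code>\d+) \((?P<name>[^)]*)\), errorMessage='(?P<msg>[^']*)'")
AD_DATA_RE = re.compile(r"\bdata (?P<data>[0-9a-fA-F]+)\b")
WAIT_RE = re.compile(r"after waiting (?P<ms>\d+) milliseconds")

# Sub-codes Active Directory appends to an "AcceptSecurityContext error" (resultCode 49).
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "invalid credentials (wrong DN or wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

SAMPLE_LINES = [
    "Authentication to realm ldap failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), "
    "errorMessage='80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1', "
    "diagnosticMessage='80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1'))",
    "Authentication to realm ldap2 failed - authenticate failed (Caused by LDAPException(resultCode=1 (operations error), "
    "errorMessage='000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1'))",
    "Authentication to realm ldap failed - authenticate failed (Caused by LDAPException(resultCode=85 (timeout), "
    "errorMessage='The asynchronous operation encountered a client-side timeout after waiting 4999 milliseconds for a response to arrive.'))",
    # Constructed line, not from the thread: a locked-out account.
    "Authentication to realm ldap failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), "
    "errorMessage='80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 775, v1db1'))",
]


def triage(line):
    """Return a dict with realm, result code, AD sub-code, diagnosis and next step,
    or None when the line is not an LDAPException log line."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    realm_m = REALM_RE.search(line)
    code, msg = int(m.group("code")), m.group("msg")
    result = {"realm": realm_m.group("realm") if realm_m else None, "code": code,
              "name": m.group("name"), "ad_data": None, "wait_ms": None}
    if code == 49:
        dm = AD_DATA_RE.search(msg)
        data = dm.group("data").lower() if dm else None
        result["ad_data"] = data
        result["diagnosis"] = AD_BIND_DATA.get(data, "invalid credentials")
        result["next_step"] = ("bind with the same DN and password outside Elasticsearch "
                               "(e.g. ldapsearch -x -D <dn> -W); if user_dn_templates is set, "
                               "confirm every template contains {0}")
    elif code == 1 and "successful bind must be completed" in msg:
        result["diagnosis"] = "the directory refuses unauthenticated (anonymous) searches"
        result["next_step"] = ("user_search mode needs bind_dn and bind_password so the realm "
                               "can search for the user before binding as it")
    elif code == 85:
        wm = WAIT_RE.search(msg)
        result["wait_ms"] = int(wm.group("ms")) if wm else None
        result["diagnosis"] = "no reply from the LDAP server before the client-side timeout"
        result["next_step"] = ("check that the configured url and port are reachable from the "
                               "Elasticsearch node before changing realm settings")
    else:
        result["diagnosis"] = m.group("name")
        result["next_step"] = "look up the LDAP result code"
    return result


def triage_log(lines):
    """Triage every LDAPException line in an iterable of log lines, skipping the rest."""
    return [r for r in (triage(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LINES):
        print("realm=%s code=%s data=%s: %s -> %s" % (
            r["realm"], r["code"], r["ad_data"], r["diagnosis"], r["next_step"]))
```

The point of separating the three cases is the order of work: a timeout (85) is a network or URL problem and no credential change will fix it; resultCode 1 is a realm-mode problem fixed by supplying bind_dn and bind_password; only resultCode 49 is about the DN or password itself, and the AD sub-code says which.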
I added the bind_dn and bind_password from my DN data in elasticsearch.yml along with user_search.base_dn.
I just noticed that you are using an LDAP realm while your backend server is Active Directory. Please change that to use an Active Directory realm instead.
Please take the time to add more information to your message; this will make it easier for people to help you out. What is this DN data? Can you verify that this DN and this password are correct (outside Elasticsearch)? Can you use these to authenticate to your Active Directory?
We are getting an error saying that these credentials are wrong, so you should first verify that these are correct before attempting to troubleshoot your Elasticsearch configuration.
You have configured an authentication realm of LDAP type
xpack.security.authc.realms.ldap.type: ldap
but your error message indicates that your LDAP server is actually an Active Directory Domain Controller. As such, you should better configure an authentication realm of Active Directory type (see the link I shared in the previous message).
I have added the below configuration :
xpack.security.authc.realms.ldap.type: ldap
xpack.security.authc.realms.ldap.order: 1
xpack.security.authc.realms.ldap.url: "ldaps://ldap.example.com:636"
xpack.security.authc.realms.ldap.bind_dn: "cn=ldapuser, ou=users, o=services, dc=example, dc=com"
xpack.security.authc.realms.ldap.bind_password: password of user mentioned in cn
xpack.security.authc.realms.ldap.user_search.base_dn: "dc=example,dc=com"
And as you have mentioned:
Your error message indicates that your LDAP server is actually an Active Directory Domain Controller. As such, you should better configure an authentication realm of Active Directory type.
I have used an LDAP URL "ldaps://ldap.example.com:636". Then what is the need to configure an Active Directory realm instead?
Please guide me on this. I may not have proper knowledge about the exact difference in using LDAP or active directory as the realm type in settings.
Please read the documentation first. I have shared that link with you above already. It's very inefficient if we need to rewrite this every time a user needs to configure Elasticsearch. Please put in some effort to do this, or at least read through the docs, and we'll be happy to help with specific issues once you have tried.