Here are the logs: [warn] [shield.authc.ldap] [node1] authentication failed for user [admin] : failed LDAP authentication for DN ["cn=admin,dc=company,dc=company"] cause: com.unboundid.ldap.sdk.LDAPException: invalid credentials
I can use bbb to log in to ES, but can't use a user of the aaa group to log in to ES. Can anyone help?
Can you provide more of the logs around that exception, including the stack trace? Also, it appears as though either the bind_dn or bind_password is incorrect; the bind is failing for the user that is supposed to be doing the search. I'm not sure how any user is able to authenticate if that is the only realm you have defined.
There are no more error or warn logs. By stack trace log do you mean the indices-access.log? I added shield.authc: TRACE in logging.yml but nothing happened. The aaa is admin for my LDAP server; it is correct, I am sure. I can use any LDAP user that I mapped in the role_mapping.yml, but not the group. That means if my company has 100 people I must add them all
to the role_mapping.yml; I think that's not a good way.
Must I import the certificate of my LDAP server into the truststore or keystore? I don't do this because we don't need that; our network is just a local area network.
Did you resolve this issue? At this moment I am facing the exact same issue: I can authenticate an individual user, but not the group a user belongs to.
I have not done any sort of configuration with respect to securing the communication between Shield and the LDAP server; as I am testing things out, I am looking to do this later.
Do let me know if the group information is not found for the user because I did not secure the communication.
Here is my config -
shield:
  authc:
    realms:
      ldap1:
        type: ldap
        order: 0
        url: "ldap://192.168.x.xxx:389"
        bind_dn: "cn=admin,dc=xxxxxx,dc=com"
        bind_password: xxxxx
        user_search:
          base_dn: "dc=xxxxxx,dc=com"
        group_search:
          base_dn: "dc=xxxxxx,dc=com"
        files:
          role_mapping: "/etc/elasticsearch/shield/role_mapping.yml"
        unmapped_groups_as_roles: false
Here is my log from trace -
[2016-09-27 13:58:04,856][INFO ][gateway ] [node-1] recovered [26] indices into cluster_state
[2016-09-27 13:58:09,598][INFO ][watcher ] [node-1] starting watch service...
[2016-09-27 13:58:09,746][INFO ][watcher ] [node-1] watch service has started
[2016-09-27 13:58:09,786][INFO ][cluster.routing.allocation] [node-1] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[logstash-2016.09.06][1], [logstash-2016.09.06][3]] ...]).
[2016-09-27 13:58:33,666][TRACE][shield.authc.esnative ] [node-1] cannot poll for user changes since security index [.security] does not exist
[2016-09-27 13:58:40,484][DEBUG][shield.authc.ldap ] [node-1] user not found in cache, proceeding with normal authentication
[2016-09-27 13:58:40,500][DEBUG][shield.authc.support ] [node-1] the roles [[]], are mapped from these [ldap] groups [[]] for realm [ldap/ldap1]
[2016-09-27 13:58:40,501][DEBUG][shield.authc.support ] [node-1] the roles [[]], are mapped from the user [ldap] for realm [cn=Yashodhara Mandepu,ou=users,dc=xxxxxx,dc=com/ldap]
[2016-09-27 13:58:40,504][DEBUG][shield.authc.ldap ] [node-1] authenticated user [ymandepu], with roles [[]]
[2016-09-27 13:59:03,666][TRACE][shield.authc.esnative ] [node-1] cannot poll for user changes since security index [.security] does not exist
[2016-09-27 13:59:33,667][TRACE][shield.authc.esnative ] [node-1] cannot poll for user changes since security index [.security] does not exist
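Added illustration (my own code, not Shield's and not from anyone in this thread): a small model of what a Shield LDAP realm configured with user_search and group_search does, to make sense of a DEBUG line like "groups [[]]" followed by "roles [[]]". The realm binds as bind_dn, finds the user under user_search.base_dn with the default (uid={0}) filter, then searches under group_search.base_dn with the default group filter, which only matches groupOfNames, groupOfUniqueNames or group entries whose member or uniqueMember attribute holds the user's full DN, and finally consults role_mapping.yml with the user DN and every group DN it found. The in-memory directory, the dc=example,dc=com DNs, the user jdoe and the role names are all constructed for the example. A posixGroup entry is included because memberUid-style groups are not matched by that default filter, so the group search comes back empty even though the user authenticates; whether that is what is happening in this thread is not something the posted logs show.

```python
"""Model of a Shield LDAP realm's user search, group search and role mapping.

Added illustration, not Shield's own code. The directory, DNs, user and
role names below are constructed for the example.
"""
from typing import Callable, Dict, List, Optional

LdapEntry = Dict[str, List[str]]
GroupFilter = Callable[[LdapEntry, str, str], bool]

# Constructed in-memory directory standing in for the LDAP server (DN -> attributes).
DIRECTORY: Dict[str, LdapEntry] = {
    "cn=jdoe,ou=users,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["jdoe"],
    },
    # Stores full member DNs: matched by Shield's default group filter.
    "cn=es_admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=jdoe,ou=users,dc=example,dc=com"],
    },
    # Stores only memberUid values: NOT matched by the default group filter.
    "cn=developers,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "memberUid": ["jdoe"],
    },
}

# Equivalent of role_mapping.yml: role name -> list of user or group DNs.
ROLE_MAPPING: Dict[str, List[str]] = {
    "admin": ["cn=es_admins,ou=groups,dc=example,dc=com"],
    "developer": ["cn=developers,ou=groups,dc=example,dc=com"],
    "user": ["cn=jdoe,ou=users,dc=example,dc=com"],
}


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: lower-case, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def under_base(dn: str, base_dn: str) -> bool:
    """True if dn is base_dn itself or lies somewhere below it (subtree scope)."""
    n, b = norm_dn(dn), norm_dn(base_dn)
    return n == b or n.endswith("," + b)


def search_user(uid: str, user_base: str) -> Optional[str]:
    """user_search with the default (uid={0}) filter; returns the user's DN or None."""
    for dn, attrs in DIRECTORY.items():
        if under_base(dn, user_base) and uid in attrs.get("uid", []):
            return dn
    return None


def default_group_filter(attrs: LdapEntry, user_dn: str, uid: str) -> bool:
    """Shield's default group_search.filter: a groupOfNames, groupOfUniqueNames
    or group entry whose member/uniqueMember contains the user's full DN."""
    classes = {c.lower() for c in attrs.get("objectClass", [])}
    if not classes & {"groupofnames", "groupofuniquenames", "group"}:
        return False
    members = attrs.get("member", []) + attrs.get("uniqueMember", [])
    return any(norm_dn(m) == norm_dn(user_dn) for m in members)


def posix_group_filter(attrs: LdapEntry, user_dn: str, uid: str) -> bool:
    """Custom filter for posixGroup schemas: the effect of configuring
    group_search.filter to match memberUid against the user's uid."""
    return uid in attrs.get("memberUid", [])


def search_groups(user_dn: str, uid: str, group_base: str,
                  group_filter: GroupFilter) -> List[str]:
    """group_search under group_search.base_dn with the chosen filter."""
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if under_base(dn, group_base) and group_filter(attrs, user_dn, uid))


def map_roles(user_dn: str, group_dns: List[str],
              role_mapping: Dict[str, List[str]]) -> List[str]:
    """role_mapping.yml lookup: a role applies if it lists the user DN or any group DN."""
    principals = {norm_dn(user_dn)} | {norm_dn(g) for g in group_dns}
    return sorted(role for role, dns in role_mapping.items()
                  if any(norm_dn(d) in principals for d in dns))


def resolve(uid: str, base_dn: str = "dc=example,dc=com",
            group_filter: GroupFilter = default_group_filter) -> Optional[dict]:
    """Full realm flow; None means the user search found nobody (authentication fails)."""
    user_dn = search_user(uid, base_dn)
    if user_dn is None:
        return None
    groups = search_groups(user_dn, uid, base_dn, group_filter)
    return {"user_dn": user_dn, "groups": groups,
            "roles": map_roles(user_dn, groups, ROLE_MAPPING)}


if __name__ == "__main__":
    for name, flt in (("default filter", default_group_filter),
                      ("posix filter", posix_group_filter)):
        r = resolve("jdoe", group_filter=flt)
        print(f"{name}: groups={r['groups']} roles={r['roles']}")
```

With the default filter jdoe gets the admin role through es_admins and the user role through the direct DN mapping, but the developers group is invisible; with a memberUid-style filter the opposite happens. If your groups look like the posixGroup entry, the realm's group_search.filter setting is where to point Shield at your schema, rather than listing every user DN in role_mapping.yml; the right filter depends on your directory, and an ldapsearch bound as the same bind_dn, run with the filter you intend to configure, is the quickest way to confirm it returns the groups you expect.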