Hi,
We're trying to connect ES to an LDAP, using AD LDS installed on Windows Server 2016.
We use ES 5.6.3 with X-Pack for the same version.
We have tried the following configurations in our elasticsearch.yml:
```yaml
xpack.security.authc:
  anonymous:
    username: _es_anonymous_user
    roles: superuser        # grants every unauthenticated request the superuser role
    authz_exception: true
  realms:
    active_directory:
      type: active_directory
      order: 0
      url: "ldap://ldap-url:port"
      bind_dn: "DOMAIN\\user"
      domain_name: DOMAIN.com
      bind_password: "<Password>"
      group_search:
        base_dn: "dc=newadfs,dc=com"
      files:
        role_mapping: "<path>role_mapping.yml"
```
However, when we try to log in from Kibana (which is sending the proper username/password to ES) we get the following error in the ES output, and have no idea what is going on (we got error 49, which indicates a wrong username/password, but we can connect to the LDAP server using ldapsearch with the same credentials):
```
[2017-11-29T17:08:45,130][DEBUG][o.e.x.s.a.l.LdapRealm ] [elastic] user [user1] not found in cache for realm [active_directory], proceeding with normal authentication
[2017-11-29T17:08:45,133][DEBUG][o.e.x.s.a.l.LdapRealm ] [elastic] Exception occurred during authenticate for active_directory/active_directory
com.unboundid.ldap.sdk.LDAPBindException: 8009030C: LdapErr: DSID-0C0903D3, comment: AcceptSecurityContext error, data 2030, v3839
at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1289) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1178) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at com.unboundid.ldap.sdk.LDAPConnectionPool.getConnection(LDAPConnectionPool.java:1706) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at com.unboundid.ldap.sdk.LDAPConnectionPool.bindAndRevertAuthentication(LDAPConnectionPool.java:1531) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory$ADAuthenticator.authenticate(ActiveDirectorySessionFactory.java:312) ~[x-pack-5.6.3.jar:5.6.3]
at org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory.getSessionWithPool(ActiveDirectorySessionFactory.java:131) ~[x-pack-5.6.3.jar:5.6.3]
at org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory.session(PoolingSessionFactory.java:101) ~[x-pack-5.6.3.jar:5.6.3]
at org.elasticsearch.xpack.security.authc.ldap.LdapRealm.lambda$doAuthenticate$0(LdapRealm.java:161) ~[x-pack-5.6.3.jar:5.6.3]
at org.elasticsearch.xpack.security.authc.ldap.LdapRealm$CancellableLdapRunnable.doRun(LdapRealm.java:317) [x-pack-5.6.3.jar:5.6.3]
at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:638) [elasticsearch-5.6.3.jar:5.6.3]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-5.6.3.jar:5.6.3]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_111]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_111]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_111]
[2017-11-29T17:08:45,134][WARN ][o.e.x.s.a.AuthenticationService] [elastic] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='8009030C: LdapErr: DSID-0C0903D3, comment: AcceptSecurityContext error, data 2030, v3839', diagnosticMessage='8009030C: LdapErr: DSID-0C0903D3, comment: AcceptSecurityContext error, data 2030, v3839'))
```
Any ideas what we can do next to try and solve this issue?