How to validate ldap authenticaion on elasticsearch

Nikhil_Pillai · September 16, 2019, 8:44am

How do i validate if my ldap configuration on elasticsearch is proper or not.

xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldap://ldapauth.example.com:389"
          bind_dn: "ldapuser@example.com"
          user_search:
            base_dn: "dc=example,dc=com"
            filter: "(cn={0})"
          group_search:
            base_dn: "dc=example,dc=com"
          files:
            role_mapping: "role_mapping.yml"
          unmapped_groups_as_roles: false

ldapsearch -h ldapauth.example.com:389 -x -s sub -D "ldapuser@example.com" -W -b "dc=example,dc=com"
The above command I am getting the output

ldapsearch -h ldapauth.example.com:389 -x -s sub -D "dn=ldapuser,dc=example,dc=com" -W -b "dc=example,dc=com"
ldap_bind: Invalid credentials (49)

On DEBUG I am not getting any output when I try to use authenticate_api but getting following output on TRACE logs

[2019-09-16T14:02:23,218][TRACE][o.e.x.s.a.l.s.LdapUtils  ] [coordinator-only] LDAP Search SearchRequest(baseDN='dc=example,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=5, filter='(cn=npc0010072)', attrs={1.1}) => SearchResult(resultCode=0 (success), messageID=2, entriesReturned=0, referencesReturned=0) ([])
[2019-09-16T14:02:23,268][TRACE][o.e.x.s.a.l.s.LdapUtils  ] [coordinator-only] LDAP Search SearchRequest(baseDN='dc=example,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=5, filter='(cn=npc0010072)', attrs={1.1}) => SearchResult(resultCode=0 (success), messageID=2, entriesReturned=0, referencesReturned=0) ([])
[2019-09-16T14:02:23,363][TRACE][o.e.x.s.a.l.s.LdapUtils  ] [coordinator-only] LDAP referred elsewhere SearchRequest(baseDN='dc=example,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=5, filter='(cn=npc0010072)', attrs={1.1}) => [ldap://example.COM/CN=Schema,CN=Configuration,DC=example,DC=COM]
[2019-09-16T14:02:23,482][TRACE][o.e.x.s.a.l.s.LdapUtils  ] [coordinator-only] LDAP Search SearchRequest(baseDN='dc=example,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=5, filter='(cn=npc0010072)', attrs={1.1}) => SearchResult(resultCode=0 (success), messageID=2, entriesReturned=0, referencesReturned=0) ([])

ikakavas · September 16, 2019, 2:31pm

This is unrelated to Elasticsearch. You seem to have the wrong password for your Bind user (dn=ldapuser,dc=example,dc=com ) user. If you don't have the correct credentials for tit this is never going to work,

Without you having the credentials, there is no reason to keep troubleshooting your Elasticserach configuration. Once you figure out what the credentials for the bind_dn user should be, some more questions:

Did you set secure_bind_password in the elasticearch keystore, as we describe in the documentation ?
Is this an Active Directory ? If so , why don't you use our Active Directory realm ?
How are you attempting to authenticate in Elasticsearch or Kibana , what are you passing as a username ? Is that username the CN of one of your users in LDAP as your configuration implies? (CN={0})

system · October 14, 2019, 2:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.