How to validate ldap authenticaion on elasticsearch

Nikhil_Pillai · September 16, 2019, 8:44am

How do i validate if my ldap configuration on elasticsearch is proper or not.

xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldap://ldapauth.example.com:389"
          bind_dn: "ldapuser@example.com"
          user_search:
            base_dn: "dc=example,dc=com"
            filter: "(cn={0})"
          group_search:
            base_dn: "dc=example,dc=com"
          files:
            role_mapping: "role_mapping.yml"
          unmapped_groups_as_roles: false

ldapsearch -h ldapauth.example.com:389 -x -s sub -D "ldapuser@example.com" -W -b "dc=example,dc=com"
The above command I am getting the output

ldapsearch -h ldapauth.example.com:389 -x -s sub -D "dn=ldapuser,dc=example,dc=com" -W -b "dc=example,dc=com"
ldap_bind: Invalid credentials (49)

On DEBUG I am not getting any output when I try to use authenticate_api but getting following output on TRACE logs

[2019-09-16T14:02:23,218][TRACE][o.e.x.s.a.l.s.LdapUtils  ] [coordinator-only] LDAP Search SearchRequest(baseDN='dc=example,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=5, filter='(cn=npc0010072)', attrs={1.1}) => SearchResult(resultCode=0 (success), messageID=2, entriesReturned=0, referencesReturned=0) ([])
[2019-09-16T14:02:23,268][TRACE][o.e.x.s.a.l.s.LdapUtils  ] [coordinator-only] LDAP Search SearchRequest(baseDN='dc=example,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=5, filter='(cn=npc0010072)', attrs={1.1}) => SearchResult(resultCode=0 (success), messageID=2, entriesReturned=0, referencesReturned=0) ([])
[2019-09-16T14:02:23,363][TRACE][o.e.x.s.a.l.s.LdapUtils  ] [coordinator-only] LDAP referred elsewhere SearchRequest(baseDN='dc=example,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=5, filter='(cn=npc0010072)', attrs={1.1}) => [ldap://example.COM/CN=Schema,CN=Configuration,DC=example,DC=COM]
[2019-09-16T14:02:23,482][TRACE][o.e.x.s.a.l.s.LdapUtils  ] [coordinator-only] LDAP Search SearchRequest(baseDN='dc=example,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=5, filter='(cn=npc0010072)', attrs={1.1}) => SearchResult(resultCode=0 (success), messageID=2, entriesReturned=0, referencesReturned=0) ([])

ikakavas · September 16, 2019, 2:31pm

This is unrelated to Elasticsearch. You seem to have the wrong password for your Bind user (dn=ldapuser,dc=example,dc=com ) user. If you don't have the correct credentials for tit this is never going to work,

Without you having the credentials, there is no reason to keep troubleshooting your Elasticserach configuration. Once you figure out what the credentials for the bind_dn user should be, some more questions:

Did you set secure_bind_password in the elasticearch keystore, as we describe in the documentation ?
Is this an Active Directory ? If so , why don't you use our Active Directory realm ?
How are you attempting to authenticate in Elasticsearch or Kibana , what are you passing as a username ? Is that username the CN of one of your users in LDAP as your configuration implies? (CN={0})

system · October 14, 2019, 2:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
LDAP User Authentication fails with invalid DN error Elasticsearch	13	3854	April 20, 2017
LDAP Settings Elastic Stack 7.8.0 released Elasticsearch elastic-stack-security	1	364	August 10, 2020
Ldap Authentication in elasticsearch and kibana Elasticsearch elastic-stack-security	10	9583	January 3, 2020
LDAP Integration not working as expected Elasticsearch elastic-stack-security	4	259	August 21, 2023
LDAP inappropriate authentication Elasticsearch	21	5044	July 3, 2018

How to validate ldap authenticaion on elasticsearch

Related topics