How to validate LDAP authentication on Elasticsearch

How do I validate whether my LDAP configuration on Elasticsearch is proper or not?

xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldap://ldapauth.example.com:389"
          bind_dn: "ldapuser@example.com"
          user_search:
            base_dn: "dc=example,dc=com"
            filter: "(cn={0})"
          group_search:
            base_dn: "dc=example,dc=com"
          files:
            role_mapping: "role_mapping.yml"
          unmapped_groups_as_roles: false

ldapsearch -h ldapauth.example.com:389 -x -s sub -D "ldapuser@example.com" -W -b "dc=example,dc=com"
With the above command I am getting the output.

ldapsearch -h ldapauth.example.com:389 -x -s sub -D "dn=ldapuser,dc=example,dc=com" -W -b "dc=example,dc=com"
ldap_bind: Invalid credentials (49)

On DEBUG I am not getting any output when I try to use authenticate_api, but I am getting the following output in the TRACE logs:

[2019-09-16T14:02:23,218][TRACE][o.e.x.s.a.l.s.LdapUtils  ] [coordinator-only] LDAP Search SearchRequest(baseDN='dc=example,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=5, filter='(cn=npc0010072)', attrs={1.1}) => SearchResult(resultCode=0 (success), messageID=2, entriesReturned=0, referencesReturned=0) ([])
[2019-09-16T14:02:23,268][TRACE][o.e.x.s.a.l.s.LdapUtils  ] [coordinator-only] LDAP Search SearchRequest(baseDN='dc=example,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=5, filter='(cn=npc0010072)', attrs={1.1}) => SearchResult(resultCode=0 (success), messageID=2, entriesReturned=0, referencesReturned=0) ([])
[2019-09-16T14:02:23,363][TRACE][o.e.x.s.a.l.s.LdapUtils  ] [coordinator-only] LDAP referred elsewhere SearchRequest(baseDN='dc=example,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=5, filter='(cn=npc0010072)', attrs={1.1}) => [ldap://example.COM/CN=Schema,CN=Configuration,DC=example,DC=COM]
[2019-09-16T14:02:23,482][TRACE][o.e.x.s.a.l.s.LdapUtils  ] [coordinator-only] LDAP Search SearchRequest(baseDN='dc=example,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=5, filter='(cn=npc0010072)', attrs={1.1}) => SearchResult(resultCode=0 (success), messageID=2, entriesReturned=0, referencesReturned=0) ([])

This is unrelated to Elasticsearch. You seem to have the wrong password for your bind user (dn=ldapuser,dc=example,dc=com). If you don't have the correct credentials for it, this is never going to work.

Without you having the credentials, there is no reason to keep troubleshooting your Elasticsearch configuration. Once you figure out what the credentials for the bind_dn user should be, some more questions:

  • Did you set secure_bind_password in the Elasticsearch keystore, as we describe in the documentation?
  • Is this an Active Directory? If so, why don't you use our Active Directory realm?
  • How are you attempting to authenticate in Elasticsearch or Kibana, what are you passing as a username? Is that username the CN of one of your users in LDAP, as your configuration implies? (CN={0})
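
An added example, not part of the original thread or of Elastic's code: a small Python parser for the LdapUtils TRACE lines quoted in the question. It separates searches that completed successfully but matched no entry (resultCode=0, entriesReturned=0) from referrals and from real matches, which is the distinction the last question above turns on. The function name `diagnose`, the verdict labels and the third sample line are assumptions made for the illustration.

```python
import re

# First two lines are copied from the TRACE output in the question.
PAGE_LINES = """\
[2019-09-16T14:02:23,218][TRACE][o.e.x.s.a.l.s.LdapUtils  ] [coordinator-only] LDAP Search SearchRequest(baseDN='dc=example,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=5, filter='(cn=npc0010072)', attrs={1.1}) => SearchResult(resultCode=0 (success), messageID=2, entriesReturned=0, referencesReturned=0) ([])
[2019-09-16T14:02:23,363][TRACE][o.e.x.s.a.l.s.LdapUtils  ] [coordinator-only] LDAP referred elsewhere SearchRequest(baseDN='dc=example,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=5, filter='(cn=npc0010072)', attrs={1.1}) => [ldap://example.COM/CN=Schema,CN=Configuration,DC=example,DC=COM]
"""
# Constructed line (not from the thread): the same search matching exactly one entry.
CONSTRUCTED_LINE = "[2019-09-16T14:05:00,000][TRACE][o.e.x.s.a.l.s.LdapUtils  ] [coordinator-only] LDAP Search SearchRequest(baseDN='dc=example,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=5, filter='(cn=jdoe)', attrs={1.1}) => SearchResult(resultCode=0 (success), messageID=3, entriesReturned=1, referencesReturned=0) ([...])\n"
SAMPLE = PAGE_LINES + CONSTRUCTED_LINE

SEARCH = re.compile(
    r"LDAP Search SearchRequest\(baseDN='(?P<base>[^']*)'.*?filter='(?P<filter>[^']*)'"
    r".*?resultCode=(?P<code>\d+) \([^)]*\).*?entriesReturned=(?P<entries>\d+)")
REFERRAL = re.compile(
    r"LDAP referred elsewhere SearchRequest\(baseDN='(?P<base>[^']*)'"
    r".*?filter='(?P<filter>[^']*)'.*?=> \[(?P<target>[^\]]*)\]")

def diagnose(log_text):
    """Return (verdict, base_dn, filter, detail) for each LdapUtils search or referral line."""
    findings = []
    for line in log_text.splitlines():
        m = SEARCH.search(line)
        if m:
            code, entries = int(m["code"]), int(m["entries"])
            if code != 0:
                verdict = "search_failed"     # the directory rejected the search itself
            elif entries == 0:
                verdict = "no_match"          # search ran, the filter matched no entry
            elif entries == 1:
                verdict = "user_found"
            else:
                verdict = "multiple_matches"  # filter is not unique under this base_dn
            findings.append((verdict, m["base"], m["filter"], entries))
            continue
        m = REFERRAL.search(line)
        if m:
            findings.append(("referral", m["base"], m["filter"], m["target"]))
    return findings

if __name__ == "__main__":
    for verdict, base, flt, detail in diagnose(SAMPLE):
        print(f"{verdict:16} base={base} filter={flt} detail={detail}")
```

A `no_match` verdict means the search request itself was accepted, so the next thing to compare is the username typed at login against the attribute named in `user_search.filter`.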
