Issue with Active Directory User Authentication using X-Pack

Hi All,

We are using Elasticsearch 5.2.2 and trying to configure Active Directory user authentication using X-Pack.
We have configured the Active Directory realm in the config.yml file as below:

xpack:
  security:
    authc:
      realms:
        active_directory:
          type: active_directory
          order: 0
          domain_name: <domain_name>
          url: ldaps://<domain_name>:636
          unmapped_groups_as_roles: true

We have even mapped the user and roles in role_mapping.yml.

When we try to log in to the Elasticsearch host using an AD user, it gives the authentication failure below:

[2017-03-29T04:33:41,154][WARN ][o.e.x.s.a.a.ActiveDirectoryRealm] [clm-pun-001193.bmc.com] authentication failed for user [Administrator]: An error occurred while attempting to connect to server clmpun1191.local:636: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'clmpun1191.local:636' because an unexpected error was encountered during validation processing: SSLPeerUnverifiedException(message='peer not authenticated', trace='getPeerCertificates(null:unknown) / verifySSLSocket(HostNameSSLSocketVerifier.java:113) / (LDAPConnectionInternals.java:166) / connect(LDAPConnection.java:860) / connect(LDAPConnection.java:760) / connect(LDAPConnection.java:710)

We are able to log in using the same AD user elsewhere, but not to the Elasticsearch host.

Are there any other settings/configurations that we are missing here?

Any pointers on how to resolve this issue? Any help is appreciated.

Thanks in Advance.

Hi Nihar,

From your error, I think your problem might be in the communication between your Elasticsearch nodes and your Active Directory server.

From these instructions:
https://www.elastic.co/guide/en/x-pack/5.0/active-directory-realm.html

Can you check this part:
"To protect passwords, communications between Elasticsearch and the Active Directory server should be encrypted using SSL/TLS. Clients and nodes that connect via SSL/TLS to the Active Directory server need to have the Active Directory server’s certificate or the server’s root CA certificate installed in their keystore or truststore. For more information about installing certificates, see Setting up SSL Between Elasticsearch and Active Directory."

Thanks,
Lee

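Added example, not part of the original thread and not Elastic's code: a Python check of the trust requirement quoted above, meant to be run from the Elasticsearch node against the AD server named in the `ldaps://` URL. The names `probe` and `classify`, the script name and the CA file argument are assumptions; it validates against a PEM file of the CA you intend to trust, not against the JVM truststore itself.

```python
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* codes mapped to what needs fixing on the client side.
CAUSES = {
    10: ("expired", "server certificate has expired"),
    18: ("untrusted_chain", "server cert is self-signed and not in the CA file"),
    19: ("untrusted_chain", "chain ends in a root CA that is not in the CA file"),
    20: ("untrusted_chain", "issuing CA is not in the CA file"),
    62: ("hostname_mismatch", "host in the ldaps:// URL is not in the cert's SAN"),
}


def classify(exc):
    """Map a certificate verification error to (category, explanation)."""
    code = getattr(exc, "verify_code", None)
    fallback = ("other", getattr(exc, "verify_message", str(exc)))
    return CAUSES.get(code, fallback)


def probe(host, port=636, cafile=None, timeout=5.0):
    """Handshake with host:port the way a verifying LDAPS client would.

    cafile is a PEM file holding the AD server's certificate or its root CA;
    when it is given, only that file is trusted (no system CA store).
    """
    ctx = ssl.create_default_context(cafile=cafile)  # chain and hostname checks on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                names = tls.getpeercert().get("subjectAltName", ())
                dns = [value for kind, value in names if kind == "DNS"]
                return ("ok", "verified; SAN DNS names: " + ", ".join(dns))
    except ssl.SSLCertVerificationError as exc:
        return classify(exc)
    except (ssl.SSLError, OSError) as exc:
        return ("connect_error", str(exc))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py <ad-host> [ca.pem]")
    category, detail = probe(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    print(f"{category}: {detail}")
```

An `untrusted_chain` result means the CA in the PEM file did not issue the certificate the server presents on port 636; `hostname_mismatch` means the name used in `url` is not one the certificate was issued for.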

Thanks Lee.

We tried all the steps, and even checked the SSL/TLS part, but still no luck.
The normal SSL certificate and authentication (https) works fine, but we are still facing some configuration issues with AD/LDAP setups.

Any pointers on how we can subscribe to the official support for Elasticsearch?

Thanks,
Nihar

Hi Nihar,

I'm sorry to hear that you're still having problems.

If you go here https://www.elastic.co/contact?storm=global-header-en and fill in the form and check the Support box someone should contact you.

Regards,
Lee
