Hi,
I am trying to get LDAP authentication working using the X-Pack security feature. I have provided the LDAP details, generated cacert.pem using openssl and mapped it in elasticsearch.yml. Below is my elasticsearch.yml security configuration:
I enabled debug mode for X-Pack and could see the error messages below when I try to authenticate:
[2018-05-04T10:27:01,668][DEBUG][o.e.x.s.a.e.ReservedRealm] [node-1] user [CD021544] not found in cache for realm [reserved], proceeding with normal authentication
[2018-05-04T10:27:01,669][DEBUG][o.e.x.s.a.l.LdapRealm ] [node-1] user [CD021544] not found in cache for realm [ldap1], proceeding with normal authentication
[2018-05-04T10:27:03,121][DEBUG][o.e.x.s.a.l.LdapRealm ] [node-1] Exception occurred during authenticate for ldap/ldap1
com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server ckadkaac01a.ad001.windad.org:1269: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ldaps://ckadkaac01a.ad001.windad.org:1269' because an unexpected error was encountered during validation processing: SSLPeerUnverifiedException(message='peer not authenticated', trace='getPeerCertificates(SSLSessionImpl.java:431) / verifySSLSocket(HostNameSSLSocketVerifier.java:113) / <init>(LDAPConnectionInternals.java:166) / connect(LDAPConnection.java:860) / connect(LDAPConnection.java:760) / connect(LDAPConnection.java:710) / <init>(LDAPConnection.java:534) / getConnection(SingleServerSet.java:229) / getConnection(ServerSet.java:98) / getConnection(FailoverServerSet.java:545) / createConnection(LDAPConnectionPool.java:1205) / createConnection(LDAPConnectionPool.java:1178) / getConnection(LDAPConnectionPool.java:1706) / doPrivileged(AccessController.java:native) / privilegedConnect(LdapUtils.java:87) / searchForEntry(LdapUtils.java:225) / searchForEntry(LdapUtils.java:177) / findUser(LdapUserSearchSessionFactory.java:241) / getSessionWithPool(LdapUserSearchSessionFactory.java:99) / session(PoolingSessionFactory.java:84) / lambda$doAuthenticate$1(LdapRealm.java:137) / doRun(LdapRealm.java:293) / doRun(ThreadContext.java:672) / run(AbstractRunnable.java:37) / runWorker(ThreadPoolExecutor.java:1142) / run(ThreadPoolExecutor.java:617) / run(Thread.java:745)', revision=24201)')
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:870) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at com.unboundid.ldap.sdk.LDAPConnection.<init>(LDAPConnection.java:534) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at com.unboundid.ldap.sdk.SingleServerSet.getConnection(SingleServerSet.java:229) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at com.unboundid.ldap.sdk.ServerSet.getConnection(ServerSet.java:98) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at com.unboundid.ldap.sdk.FailoverServerSet.getConnection(FailoverServerSet.java:545) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1205) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1178) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at com.unboundid.ldap.sdk.LDAPConnectionPool.getConnection(LDAPConnectionPool.java:1706) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_102]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.privilegedConnect(LdapUtils.java:87) ~[x-pack-security-6.2.2.jar:6.2.2]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.searchForEntry(LdapUtils.java:225) ~[x-pack-security-6.2.2.jar:6.2.2]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.searchForEntry(LdapUtils.java:177) ~[x-pack-security-6.2.2.jar:6.2.2]
at org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.findUser(LdapUserSearchSessionFactory.java:241) ~[x-pack-security-6.2.2.jar:6.2.2]
at org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.getSessionWithPool(LdapUserSearchSessionFactory.java:99) ~[x-pack-security-6.2.2.jar:6.2.2]
at org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory.session(PoolingSessionFactory.java:84) ~[x-pack-security-6.2.2.jar:6.2.2]
at org.elasticsearch.xpack.security.authc.ldap.LdapRealm.lambda$doAuthenticate$1(LdapRealm.java:137) ~[x-pack-security-6.2.2.jar:6.2.2]
at org.elasticsearch.xpack.security.authc.ldap.LdapRealm$CancellableLdapRunnable.doRun(LdapRealm.java:293) [x-pack-security-6.2.2.jar:6.2.2]
at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:672) [elasticsearch-6.2.2.jar:6.2.2]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-6.2.2.jar:6.2.2]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_102]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_102]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_102]
The certificate_authorities option tells Elasticsearch which certificates it can trust, by specifying that it can trust the ones that are signed by this certificate authority. For example, it will now trust the certificates that have been signed with the private key that corresponds to this cacert.pem, but if you just generated this CA, this is of little use.
What you need to set in this configuration option is the CA certificate that has signed the certificate that your LDAP server is using for LDAPS on ckadkaac01a.ad001.windad.org and port 1269, or the certificate itself if it is self-signed.
(If the "ad" references in ad001.windad are for Active Directory, you should really be using our Active Directory realm; you would still need to fix the above issue.)
Thanks @ikakavas. I have got the right certificates for the LDAPS server and tried again, but this time I got a different error log:
[2018-05-04T12:12:32,085][DEBUG][o.e.x.s.a.l.LdapRealm ] [node-1] Exception occurred during authenticate for active_directory/active_directory
com.unboundid.ldap.sdk.LDAPBindException: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:2171) ~[?:?]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils$1.doRun(LdapUtils.java:138) ~[?:?]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-6.2.2.jar:6.2.2]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.maybeForkThenBind(LdapUtils.java:161) ~[x-pack-security-6.2.2.jar:6.2.2]
at org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory$ADAuthenticator.authenticate(ActiveDirectorySessionFactory.java:258) ~[x-pack-security-6.2.2.jar:6.2.2]
at org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory.getSessionWithoutPool(ActiveDirectorySessionFactory.java:133) ~[x-pack-security-6.2.2.jar:6.2.2]
at org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory.session(PoolingSessionFactory.java:86) ~[x-pack-security-6.2.2.jar:6.2.2]
at org.elasticsearch.xpack.security.authc.ldap.LdapRealm.lambda$doAuthenticate$1(LdapRealm.java:137) ~[x-pack-security-6.2.2.jar:6.2.2]
at org.elasticsearch.xpack.security.authc.ldap.LdapRealm$CancellableLdapRunnable.doRun(LdapRealm.java:293) [x-pack-security-6.2.2.jar:6.2.2]
at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:672) [elasticsearch-6.2.2.jar:6.2.2]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-6.2.2.jar:6.2.2]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_102]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_102]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_102]
[2018-05-04T12:12:32,097][WARN ][o.e.x.s.a.AuthenticationService] [node-1] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ', diagnosticMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 '))
I've tried configuring the bind with my user ID and password, but the same issue still persists. Please let me know. Thanks!
Did you switch to using the Active Directory realm instead of LDAP, as suggested?
This means that the credentials are wrong. In order to get the whole picture of what might be going wrong (as this can be in a number of places in your config), please do the following.
Change the general loglevel to info as it was before.
This error is a result of the username/password that you are using to login to Elasticsearch/Kibana, not the bind user.
What type of credentials are you using to login?
Thanks for your immediate responses, @ikakavas and @TimV.
I have removed bind_dn and password, and it started working; ELK is now able to authenticate with the LDAP credentials. Thanks again.
I'd also like to know how I give the users access only to the dashboard. Could you please help me with role mapping? Thanks!
OU=users is not a group Distinguished Name and CN=Paul Stephen is not a user Distinguished Name. You can read a little about what Distinguished Names are, e.g. here.
Judging by just what you have shared above, the DN for your user could be: cn=Paul Stephen, ou=users, o=services, dc=example, dc=com
Also, OU=users is an organizational unit, which is the parent under which all your users reside in your organization's directory tree, and not an LDAP group, so you can't use it like this. You would need to define a group or use an existing one and assign group membership to that group for the users you want to get that role.
Finally, ES_PATH_CONF/x-pack/role_mapping.yml is the default location for the role mapping file, so you don't need to explicitly define it in your config.
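The DN comparison described in the reply above, as an added example that is not part of the thread or of Elasticsearch: a small shell check that puts DNs into a canonical form and then compares them approximately the way Elasticsearch matches the dn and groups fields of a role mapping rule (case- and whitespace-insensitive, with "*" wildcards allowed in the pattern; the real implementation parses DNs with its LDAP SDK, so this is an approximation for sanity-checking your own values). The user DN is the one from the NativeRoleMappingStore debug line later in this thread; the group names, the group list and the mapping name are constructed for the example, and the request body targets the 6.x role mapping API endpoint.

```sh
#!/bin/sh
# Added example: compare a user's DN and group memberships with the values
# you intend to put in a role mapping, approximating how Elasticsearch
# matches the "dn" and "groups" fields (case- and whitespace-insensitive,
# '*' wildcards allowed in the pattern). The user DN comes from the debug
# log in the thread; the group list and group names are constructed.
USER_DN="CN=Paul Stephen,OU=Users,OU=_Central,OU=IN,OU=RA210,DC=ad001,DC=andid,DC=org"
USER_GROUPS="CN=Kibana Dashboard Viewers,OU=Groups,DC=ad001,DC=andid,DC=org
CN=Domain Users,CN=Users,DC=ad001,DC=andid,DC=org"

# Canonical form of a DN string: lower-case, no whitespace around ',' and '='.
normalize_dn() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e 's/[[:space:]]*,[[:space:]]*/,/g' -e 's/[[:space:]]*=[[:space:]]*/=/g'
}

# Does pattern $1 (a full DN, optionally with '*') match DN $2?
# A bare RDN such as "CN=Paul Stephen" or "OU=Users" is not a DN and never matches.
dn_matches() {
  pat="$(normalize_dn "$1")"
  case "$(normalize_dn "$2")" in
    $pat) return 0 ;;
    *)    return 1 ;;
  esac
}

# Is DN $1 one of the group DNs listed, one per line, in $2?
in_group() {
  want="$(normalize_dn "$1")"
  old_ifs=$IFS
  IFS='
'
  for g in $2; do
    if [ "$(normalize_dn "$g")" = "$want" ]; then
      IFS=$old_ifs
      return 0
    fi
  done
  IFS=$old_ifs
  return 1
}

# Body for PUT _xpack/security/role_mapping/<name> (the 6.x endpoint): the
# group DN is what gets mapped, not the OU the user's entry lives in.
mapping_body() {   # $1 = group DN that should receive the role
  cat <<EOF
{
  "enabled": true,
  "roles": [ "kibana_dashboard_only_user" ],
  "rules": { "field": { "groups": "$1" } }
}
EOF
}

DASHBOARD_GROUP="CN=Kibana Dashboard Viewers,OU=Groups,DC=ad001,DC=andid,DC=org"
USERS_OU_PATTERN="*,OU=Users,OU=_Central,OU=IN,OU=RA210,DC=ad001,DC=andid,DC=org"

dn_matches "CN=Paul Stephen" "$USER_DN" || echo "CN=Paul Stephen: not a DN, no match"
dn_matches "$USERS_OU_PATTERN" "$USER_DN" && echo "wildcard under OU=Users: matches"
in_group "OU=Users" "$USER_GROUPS" || echo "OU=Users: not a group the user is a member of"
in_group "$DASHBOARD_GROUP" "$USER_GROUPS" && echo "dashboard group: member, the mapping below applies"
mapping_body "$DASHBOARD_GROUP"
```

If you really want "everyone whose entry sits under this OU" rather than a group, the dn field with a leading wildcard (USERS_OU_PATTERN above) expresses that; a bare "OU=Users" does not, because it is only a single RDN, not a DN.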
[DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [node-1] Mapping user [UserData{username:ID021232; dn:CN=Paul Stephen,OU=Users,OU=_Central,OU=IN,OU=RA210,DC=ad001,DC=andid,DC=org;
But still it didn't work. It worked for a while, showing the dashboard tab alone to the user, but later, after I restarted, it went back to the full dashboard. Am I doing anything wrong? Please let me know. Thanks!
I'm not really sure how it could have worked and then stopped by itself.
If you decided to use the role mapping API (and you should, as @TimV correctly suggested it's much more flexible and easier for what you want to do ), then remove or comment out any lines you had added in the role mapping file.
Assuming all you want to do with your AD users is for them to get the kibana_dashboard_only_user role, you can simplify your mapping as follows:
Thanks so much @ikakavas.
I'll use the role mapping APIs going forward, as suggested by @TimV, as it is more flexible, and I've commented out the lines in the yml file.
It worked with the POST request you sent. You guys are awesome.