LDAP Authentication Failed


#1

Hi,
Am trying to get the LDAP authentication using X-pack security feature, I had provided LDAP details and generated the cacert.pem using openssl and mapped it in the elasticsearch.yml, below is my elasticsearch.yml security configuration:

xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldaps://ckadkaac01a.ad001.windad.org:1269"
          bind_dn: "cn=ldapuser, ou=users, o=services, dc=example, dc=com"
          bind_password: x-pack-test-password
          user_search:
            base_dn: "dc=example,dc=com"
            attribute: cn
          group_search:
            base_dn: "dc=example,dc=com"
          files:
            role_mapping: "C:/ELK/elasticsearch-6.2.2/elasticsearch-6.2.2/config/x-pack/role_mapping.yml"
          unmapped_groups_as_roles: false
          ssl: 
              certificate_authorities: [ "C:/ELK/elasticsearch-6.2.2/elasticsearch-6.2.2/config/x-pack/cacert.pem" ]

I enabled debug mode for x-pack, and could see the below error messages when I try to authenticate:

[2018-05-04T10:27:01,668][DEBUG][o.e.x.s.a.e.ReservedRealm] [node-1] user [CD021544] not found in cache for realm [reserved], proceeding with normal authentication
[2018-05-04T10:27:01,669][DEBUG][o.e.x.s.a.l.LdapRealm    ] [node-1] user [CD021544] not found in cache for realm [ldap1], proceeding with normal authentication

[2018-05-04T10:27:03,121][DEBUG][o.e.x.s.a.l.LdapRealm    ] [node-1] Exception occurred during authenticate for ldap/ldap1
com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server ckadkaac01a.ad001.windad.org:1269:  java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ldaps://ckadkaac01a.ad001.windad.org:1269' because an unexpected error was encountered during validation processing:  SSLPeerUnverifiedException(message='peer not authenticated', trace='getPeerCertificates(SSLSessionImpl.java:431) / verifySSLSocket(HostNameSSLSocketVerifier.java:113) / <init>(LDAPConnectionInternals.java:166) / connect(LDAPConnection.java:860) / connect(LDAPConnection.java:760) / connect(LDAPConnection.java:710) / <init>(LDAPConnection.java:534) / getConnection(SingleServerSet.java:229) / getConnection(ServerSet.java:98) / getConnection(FailoverServerSet.java:545) / createConnection(LDAPConnectionPool.java:1205) / createConnection(LDAPConnectionPool.java:1178) / getConnection(LDAPConnectionPool.java:1706) / doPrivileged(AccessController.java:native) / privilegedConnect(LdapUtils.java:87) / searchForEntry(LdapUtils.java:225) / searchForEntry(LdapUtils.java:177) / findUser(LdapUserSearchSessionFactory.java:241) / getSessionWithPool(LdapUserSearchSessionFactory.java:99) / session(PoolingSessionFactory.java:84) / lambda$doAuthenticate$1(LdapRealm.java:137) / doRun(LdapRealm.java:293) / doRun(ThreadContext.java:672) / run(AbstractRunnable.java:37) / runWorker(ThreadPoolExecutor.java:1142) / run(ThreadPoolExecutor.java:617) / run(Thread.java:745)', revision=24201)')
	at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:870) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
	at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
	at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
	at com.unboundid.ldap.sdk.LDAPConnection.<init>(LDAPConnection.java:534) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
	at com.unboundid.ldap.sdk.SingleServerSet.getConnection(SingleServerSet.java:229) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
	at com.unboundid.ldap.sdk.ServerSet.getConnection(ServerSet.java:98) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
	at com.unboundid.ldap.sdk.FailoverServerSet.getConnection(FailoverServerSet.java:545) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
	at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1205) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
	at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1178) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
	at com.unboundid.ldap.sdk.LDAPConnectionPool.getConnection(LDAPConnectionPool.java:1706) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_102]
	at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.privilegedConnect(LdapUtils.java:87) ~[x-pack-security-6.2.2.jar:6.2.2]
	at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.searchForEntry(LdapUtils.java:225) ~[x-pack-security-6.2.2.jar:6.2.2]
	at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.searchForEntry(LdapUtils.java:177) ~[x-pack-security-6.2.2.jar:6.2.2]
	at org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.findUser(LdapUserSearchSessionFactory.java:241) ~[x-pack-security-6.2.2.jar:6.2.2]
	at org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.getSessionWithPool(LdapUserSearchSessionFactory.java:99) ~[x-pack-security-6.2.2.jar:6.2.2]
	at org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory.session(PoolingSessionFactory.java:84) ~[x-pack-security-6.2.2.jar:6.2.2]
	at org.elasticsearch.xpack.security.authc.ldap.LdapRealm.lambda$doAuthenticate$1(LdapRealm.java:137) ~[x-pack-security-6.2.2.jar:6.2.2]
	at org.elasticsearch.xpack.security.authc.ldap.LdapRealm$CancellableLdapRunnable.doRun(LdapRealm.java:293) [x-pack-security-6.2.2.jar:6.2.2]
	at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:672) [elasticsearch-6.2.2.jar:6.2.2]
	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-6.2.2.jar:6.2.2]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_102]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_102]
	at java.lang.Thread.run(Thread.java:745) [?:1.8.0_102]

Please let me know how to fix this. Thanks !


(Ioannis Kakavas) #2

Hi,

The certificate_authorities option tells elasticsearch which certificates it can trust, by specifying that it can trust the ones that are signed by this certificate authority. For example, It will now trust the certificates that have been signed with the private key that corresponds to this cacert.pem, but if you just generated this CA, this is of little use.
What you need to set in this configuration option is the CA certificate that has signed the certificate that your LDAP server is using for LDAPS on ckadkaac01a.ad001.windad.org and port 1269, or the certificate itself if it is self-signed.

( If the ad references in ad001.windad are for Active Directory, you should really be using our Active Directory realm - you would still need to fix the above issue )


#3

Thanks @ikakavas. I have got the right certificates for the LDAPs and tried, but this time I've got a different error log:

[2018-05-04T12:12:32,085][DEBUG][o.e.x.s.a.l.LdapRealm    ] [node-1] Exception occurred during authenticate for active_directory/active_directory
com.unboundid.ldap.sdk.LDAPBindException: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 
	at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:2171) ~[?:?]
	at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils$1.doRun(LdapUtils.java:138) ~[?:?]
	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-6.2.2.jar:6.2.2]
	at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.maybeForkThenBind(LdapUtils.java:161) ~[x-pack-security-6.2.2.jar:6.2.2]
	at org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory$ADAuthenticator.authenticate(ActiveDirectorySessionFactory.java:258) ~[x-pack-security-6.2.2.jar:6.2.2]
	at org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory.getSessionWithoutPool(ActiveDirectorySessionFactory.java:133) ~[x-pack-security-6.2.2.jar:6.2.2]
	at org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory.session(PoolingSessionFactory.java:86) ~[x-pack-security-6.2.2.jar:6.2.2]
	at org.elasticsearch.xpack.security.authc.ldap.LdapRealm.lambda$doAuthenticate$1(LdapRealm.java:137) ~[x-pack-security-6.2.2.jar:6.2.2]
	at org.elasticsearch.xpack.security.authc.ldap.LdapRealm$CancellableLdapRunnable.doRun(LdapRealm.java:293) [x-pack-security-6.2.2.jar:6.2.2]
	at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:672) [elasticsearch-6.2.2.jar:6.2.2]
	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-6.2.2.jar:6.2.2]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_102]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_102]
	at java.lang.Thread.run(Thread.java:745) [?:1.8.0_102]
[2018-05-04T12:12:32,097][WARN ][o.e.x.s.a.AuthenticationService] [node-1] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ', diagnosticMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 '))

I've tried configuring the binding my userid and password but still the same issue persists. Please let me know. Thanks !


(Ioannis Kakavas) #4

Did you switch to using the active directory realm instead of ldap, as suggested ?

This means that the credentials are wrong. In order to get the whole picture of what might be going wrong (as this can be in a number of places in your config), please do the following.

  1. Change the general loglevel to info as it was before.

  2. Enable trace log level for specifically:

    curl -uelastic -XPUT 'localhost:9200/_cluster/settings?pretty' -H 'Content-Type: application/json' -d'
    {
      "transient": {
        "logger.org.elasticsearch.xpack.security.authc.ldap": "TRACE"
      }
    }
    '
    
  3. Attempt to authenticate:

    curl -k -u CD021544 'http://localhost:9200/_xpack/security/_authenticate?pretty'
    
  4. Check your logs and share the relevant parts


(Tim Vernum) #5

This error is a result of the username/password that you are using to login to Elasticsearch/Kibana, not the bind user.
What type of credentials are you using to login?


#6

Thanks for your immediate responses, @ikakavas @TimV.
I have removed bind_dn and password, it started working now, now ELK is able to authenticate with the LDAP credentials. :slight_smile: Thanks again.

And also I'd like to know how do i give access only to the dashboard for the users? Could you please help me with roles mapping. Thanks !


(Ioannis Kakavas) #7

Take a look at https://www.elastic.co/guide/en/kibana/current/xpack-dashboard-only-mode.html that describes the role you want and https://www.elastic.co/guide/en/x-pack/current/mapping-roles.html#_realm_specific_details that have details about how you can use the role mapping api to map users to roles by their DN or groups.

Let us know if you have any issues with that.


#8

Hi @ikakavas,
Thanks for your support.
I have declared the role_mapping in the .yml as below:

kibana_dashboard_only_user: 
  - "OU=users" 
  - "CN=Paul Stephen"

And also declared the role_mapping file in elasticsearch.yml:

          files:
            role_mapping: "C:/ELK/elasticsearch-6.2.2/elasticsearch-6.2.2/config/x-pack/role_mapping.yml"
          unmapped_groups_as_roles: false   

Logs are as follows:

[2018-05-07T11:31:42,890][DEBUG][o.e.x.s.a.l.LdapRealm    ] [node-1] realm [active_directory] authenticated user [AC85234], with roles [[]]

But still am able to access the other tabs on Kibana, Is there anything wrong with my mappings. Please let me know. Thanks !


(Ioannis Kakavas) #9
kibana_dashboard_only_user: 
  - "OU=users" 
  - "CN=Paul Stephen"

OU=users is not a group Distinguished Name and CN=Paul Stephen is not a user Distinguished Name. You can read a little on what Distinguished Names are in i.e. here

Judging by just what you have shared above, the DN for your user could be:
cn=Paul Stephen, ou=users, o=services, dc=example, dc=com

Also OU=users is an organizational unit which is the parent under where all your users reside in your organizations directory tree and not an ldap group, so you can't use it like this. You would need to define a group or use an existing one and assign group membership to that group for the users you want to get that role.

Finally,

ES_PATH_CONF/x-pack/role_mapping.yml is the default location for the role mapping file so you don't need to explicitly define it in your config.


(Tim Vernum) #10

Is there a particular reason that you want to do mapping in the file rather than through the API?

The role mapping API allows you to do the sorts of things that you are trying to do, that the file based approach cannot.


#11

Hi @ikakavas @TimV

I had put the role mapping with the API as below:

PUT /_xpack/security/role_mapping/dashboard_only
{
  "roles": "kibana_dashboard_only_user",
  "rules": { "field": { "groups" : "CN=Users,CN=Builtin,OU=Users,OU=_Central,OU=IN,OU=RA310,DC=ad001,DC=andid,DC=org" } },
  "enabled": true
}

I've got the DN from the logs as below

[DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [node-1] Mapping user [UserData{username:ID021232; dn:CN=Paul Stephen,OU=Users,OU=_Central,OU=IN,OU=RA210,DC=ad001,DC=andid,DC=org;

But still it didn't work :frowning: It worked for a while, having dashbaord tab alone to the user, later I restarted it went back to full dashboard. Am I doing anything wrong? Please let me know. Thanks !


(Ioannis Kakavas) #12

I'm not really sure how it could have worked and then stopped by itself.

If you decided to use the role mapping API (and you should, as @TimV correctly suggested it's much more flexible and easier for what you want to do ), then remove or comment out any lines you had added in the role mapping file.

Assuming all you want to do with your AD users is for them to get the kibana_dashboard_only_user role, you can simplify your mapping as follows:

POST /_xpack/security/role_mapping/dashboard_only
{
  "roles": [ "kibana_dashboard_only_user" ],
  "enabled": true,
  "rules": {
      "field" : { "realm.name" : "active_directory" } 
  }
}

judging by the logs you posted in your last post your realm name is active_directory.

If it still doesn't work, please share a larger portion of the log file around the line you posted last time.


#13

Thanks so much @ikakavas.
I'll use role mapping API's going forward as suggested by @TimV as it is more flexible and I've commented out the lines in the yml file.
It worked with the POST request you sent. :slight_smile: you guys are awesome. :slight_smile:


(system) #14

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.