When I try to log in using Kibana/ES with the LDAP users, I am getting the below error.
[o.e.x.s.a.AuthenticationService] [ldap_node] Authentication to realm ldap1 failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='8009030C: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580', diagnosticMessage='8009030C: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580'))
Can you please let me know what could be the issue? I have set up an LDAP client on my machine and I am able to log in using the mentioned bind user credentials.
An Active Directory error 49 is invalid credentials.
Without more context it's hard to tell what the real problem is, but it could be any of:
The DN you've put in bind_dn is incorrect (doesn't exist in the directory)
The password you've put in bind_password is incorrect
The domain you're using in your AD configuration is incorrect.
The user name you've entered in the Kibana login box is incorrect.
The user name you've entered in the Kibana login box is in an incorrect format.
The password you've entered in the Kibana login box is incorrect.
Working through those:
You said you can use the bind credentials in an LDAP client. That's good. Please triple-check that the values you entered in your elasticsearch config are an exact match for what you're putting in the client.
Check the domain value you're using in your config. If you try to log in to an AD realm using a simple username like jsmith, then X-Pack security will use the configured domain name in order to bind as the user being authenticated - that is, it will bind as jsmith@your.ad.domain. If the configured domain doesn't match the domain being used for the UPN, then the bind will fail.
Triple check the username and password you're entering in Kibana. These need to match something in AD.
X-Pack security supports usernames in 3 different formats: raw account-name like jsmith, a user-principal-name like jsmith@your.ad.domain or a NetBIOS (down level) style AdDomain\jsmith. All of those work - if the realm is configured correctly and the correct values are used for your domain.
If you provide more details from your logs we may be able to help narrow down the possible causes.
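Added example, not part of the original thread: the `data` field in an Active Directory AcceptSecurityContext message is a hexadecimal Windows error code that narrows down a result code 49, so this sketch extracts it from Elasticsearch log lines and tallies the cause per realm. The function names are hypothetical, and the only non-constructed sample is the log line quoted in the question.

```python
import re
from collections import Counter

# Hex sub-codes Active Directory puts in the "data" field of a
# resultCode=49 bind failure; each is a Windows system error code.
AD_BIND_SUBCODES = {
    0x525: "user not found",
    0x52E: "invalid credentials (bad password)",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted from this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

_REALM = re.compile(r"Authentication to realm (\S+) failed")
_RESULT = re.compile(r"resultCode=(\d+)")
_DATA = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

def explain_bind_failure(log_line):
    """Return (realm, result_code, data_hex, meaning), or None if the
    line is not an AD bind failure carrying a data sub-code."""
    result, data = _RESULT.search(log_line), _DATA.search(log_line)
    if not (result and data):
        return None
    realm = _REALM.search(log_line)
    meaning = AD_BIND_SUBCODES.get(int(data.group(1), 16), "unrecognised sub-code")
    return (realm.group(1) if realm else None, int(result.group(1)),
            data.group(1).lower(), meaning)

def summarize(log_lines):
    """Count failures per (realm, meaning) so a pattern of lockouts or
    bad passwords on one realm stands out."""
    hits = (explain_bind_failure(line) for line in log_lines)
    return Counter((h[0], h[3]) for h in hits if h)

# The log line quoted in the question (error text shortened to one copy).
SAMPLE = ("[o.e.x.s.a.AuthenticationService] [ldap_node] Authentication to realm "
          "ldap1 failed - authenticate failed (Caused by LDAPException(resultCode=49 "
          "(invalid credentials), errorMessage='8009030C: LdapErr: DSID-0C09042F, "
          "comment: AcceptSecurityContext error, data 775, v2580'))")

if __name__ == "__main__":
    print(explain_bind_failure(SAMPLE))
```
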