Ldap authentication failure in es and kibana


(Hemanth Gowda) #1

Hi,

I am trying to set up LDAP user authentication. I added the entries below to the config file.

xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldap://vm.sol.st:6888"
          bind_dn: "cn=tan,ou=accounts,ou=management,o=ed"
          bind_password: test
          user_search:
            base_dn: "ou=subjects,o=ed"
            attribute: "uid"
          files:
            role_mapping: "role_mapping.yml"
          unmapped_groups_as_roles: false

When I try to log in to Kibana/ES with the LDAP users, I get the error below.

[o.e.x.s.a.AuthenticationService] [ldap_node] Authentication to realm ldap1 failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='8009030C: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580', diagnosticMessage='8009030C: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580'))

Can you please let me know what the issue could be? I have set up an LDAP client on my machine and I am able to log in using the mentioned bind user credentials.


(Ioannis Kakavas) #2

Hi Hemanth,

It looks like you are trying to authenticate against an Active Directory; use the relevant realm type and set it up according to the documentation.


(Hemanth Gowda) #3

Hi,

Thanks for the reply. I will try that. By the way, may I know how you can confirm that I am trying to authenticate against AD?


(Ioannis Kakavas) #4

It was quite obvious from the error message:
errorMessage='8009030C: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580',


(Hemanth Gowda) #5

Hi,

I have used the realm settings for AD. I am still getting the same error.

[o.e.x.s.a.AuthenticationService] [ldap_node] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 525, v23f0', diagnosticMessage='80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 525, v23f0'))

Regards,
Hemanth K


(Tim Vernum) #6

An Active Directory error 49 is invalid credentials.

Without more context it's hard to tell what the real problem is, but it could be any of:

  • The DN you've put in bind_dn is incorrect (doesn't exist in the directory)
  • The password you've put in bind_password is incorrect
  • The domain you're using in your AD configuration is incorrect.
  • The user name you've entered in the Kibana login box is incorrect.
  • The user name you've entered in the Kibana login box is in an incorrect format.
  • The password you've entered in the Kibana login box is incorrect.

Working through those:

  • You said you can use the bind credentials in an LDAP client. That's good. Please triple-check that the values you entered in your elasticsearch config are an exact match for what you're putting in the client.
  • Check the domain value you're using in your config. If you try to login to an AD realm using a simple username like jsmith, then X-Pack security will use the configured domain name in order to bind as the user being authenticated - that is it will bind as jsmith@your.ad.domain. If the configured domain doesn't match the domain being used for the UPN, then the bind will fail.
  • Triple check the username and password you're entering in Kibana. These need to match something in AD.
  • X-Pack security supports usernames in 3 different formats: a raw account name like jsmith, a user principal name like jsmith@your.ad.domain, or a NetBIOS (down-level) style name like AdDomain\jsmith. All of those work if the realm is configured correctly and the correct values are used for your domain.

If you provide more details from your logs we may be able to help narrow down the possible causes.
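To make the checklist above concrete, here is an added example (not code from this thread and not part of Elasticsearch or X-Pack) of a small triage helper a defender can run over the two log lines quoted earlier. It pulls the LDAP resultCode and the Active Directory "data NNN" sub-code out of the log message and maps the sub-code to its meaning, using Microsoft's documented AcceptSecurityContext values (for instance 525 is "user not found" and 775 is "account locked out", which is why the two errors in this thread are not the same failure even though both are resultCode 49). It also applies the username-to-UPN rule described above for a bare account name. The `domain_name` parameter and the choice to pass a UPN or down-level name through unchanged are assumptions made for illustration, not a description of the realm's internals.

```python
import re

# Meaning of the Active Directory "data NNN" sub-codes that accompany LDAP
# resultCode 49 (invalid credentials). These are Microsoft's documented
# AcceptSecurityContext hex codes, not anything specific to Elasticsearch.
AD_BIND_SUBCODES = {
    "525": "user not found (the bind DN / UPN does not exist in the directory)",
    "52e": "invalid credentials (user exists, password is wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "user account locked out",
}

# Matches the LDAPException text the Elasticsearch AuthenticationService logs.
LOG_RE = re.compile(
    r"resultCode=(?P<code>\d+) \((?P<text>[^)]*)\).*?"
    r"comment: AcceptSecurityContext error, data (?P<sub>[0-9a-fA-F]+)"
)

# The two log lines quoted in this thread, embedded here as sample input.
LOG_LINE_775 = (
    "[o.e.x.s.a.AuthenticationService] [ldap_node] Authentication to realm ldap1 "
    "failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid "
    "credentials), errorMessage='8009030C: LdapErr: DSID-0C09042F, comment: "
    "AcceptSecurityContext error, data 775, v2580'))"
)
LOG_LINE_525 = (
    "[o.e.x.s.a.AuthenticationService] [ldap_node] Authentication to realm "
    "active_directory failed - authenticate failed (Caused by LDAPException("
    "resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: "
    "DSID-0C0903C8, comment: AcceptSecurityContext error, data 525, v23f0'))"
)


def explain_ad_bind_error(log_line):
    """Return (resultCode, sub_code, meaning) for an AD bind failure, or None
    if the line does not carry an AcceptSecurityContext sub-code."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    sub = m.group("sub").lower()
    meaning = AD_BIND_SUBCODES.get(sub, "unknown AD sub-code")
    return int(m.group("code")), sub, meaning


def ad_bind_identity(username, domain_name):
    """Identity the realm binds with, following the rule described in the
    thread: a bare account name becomes '<name>@<domain_name>'. A UPN or a
    down-level 'DOMAIN\\user' name is returned as typed (an assumption made
    for this example; domain_name is a hypothetical parameter)."""
    if "@" in username or "\\" in username:
        return username
    return f"{username}@{domain_name}"


def triage(log_line, username, domain_name):
    """Combine both checks into the facts an operator needs when reading the
    log next to the realm configuration."""
    explained = explain_ad_bind_error(log_line)
    return {
        "bind_identity": ad_bind_identity(username, domain_name),
        "result_code": explained[0] if explained else None,
        "ad_sub_code": explained[1] if explained else None,
        "meaning": explained[2] if explained else "not an AD bind failure",
    }


if __name__ == "__main__":
    for line in (LOG_LINE_775, LOG_LINE_525):
        print(triage(line, "jsmith", "your.ad.domain"))
```

Run it against your own log line and the domain you configured: a 525 with a bind identity like jsmith@your.ad.domain is a strong hint that the domain or the username format does not match what the directory expects, while a 775 means the account was already locked out before the password was even checked.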


(Hemanth Gowda) #7

Thanks for the information. I will check with the LDAP team whether something is wrong on the LDAP server.

Regards,
Hemanth K

