LDAP Authentication - throws BASIC REALM 401 error


(Aj Vignesh) #1

Hi Team

I have set the below configuration in elasticsearch.yml for LDAP authentication. Even though there is no basic realm in the config, the error returned is from basic security, as below.

security:
  authc:
    realms:
      ldap1:
        type: ldap
        url: "ldap://**.389"
        bind_dn: "CN=,OU=Service,OU=Users,OU=USUWD"
        bind_password: ********
        user_search:
          base_dn: "DC=rd,DC=net"

Error

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "missing authentication token for REST request [/_cat/nodes?v]",
        "header": {
          "WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type": "security_exception",
    "reason": "missing authentication token for REST request [/_cat/nodes?v]",
    "header": {
      "WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status": 401
}

How do we make it hit the LDAP realm instead of the default basic realm in this case?


(Ioannis Kakavas) #2

Hi,
It looks like you are missing the

attribute: <ldap_attribute_here>

in your configuration, but I'm not sure if you just left it out.

Regarding the situation at hand, the error is

missing authentication token for REST request

This seems to suggest that you are not passing the user (and password) parameters in your request.

Assuming you are trying to hit /_cat/nodes?v try with

curl -XGET -u <your_user> 'http://localhost:9200/_cat/nodes?v' and you will be prompted for the LDAP password of that user.

As stated in the documentation, the value of the attribute: setting above will affect which attribute <your_user> will be matched against in your LDAP (cn, uid, etc.).


(Aj Vignesh) #3

Hi

From the xpack documentation, we didn't find any attribute that is mandatory. If we need to provide one, can you kindly provide us a sample input?

We are actually using the mentioned curl command to hit Elasticsearch.
The problem is that if we send the default username and password, i.e. elastic and changeme, it works fine.
But when we try to send the LDAP-based username and password, it throws the mentioned error.

Below is the Elasticsearch log:

[authentication_failed] origin_address=[127.0.0.1], principal=[username], uri=[/_cat/nodes?v]

Authentication to realm ldap1 failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ', diagnosticMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 '))


(Ioannis Kakavas) #4

The default value for the attribute is uid and if you want to change that then you should use the user_search.filter as stated in the documentation, instead of user_search.attribute (which I mistakenly suggested above) since it is deprecated.

I will not be able to help you much further if I don't have a view of how your user objects are stored in your LDAP directory. Can you share an example of a user located under DC=rd,DC=net so that I can guide you to change your realm settings?


(Aj Vignesh) #5

Hi ikakavas

After setting the attribute, authentication works as expected.
Thanks for your help.


(Ioannis Kakavas) #6

That's great to hear, but please note that user_search.attribute is deprecated, so it will be removed in future versions. In order to future-proof your configuration, please make this rather simple change:

Assuming that the attribute is cn (replace it with the one you use, if not), change

user_search.attribute: cn

to

user_search.filter: (cn={0})
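As an added example, not part of this thread or of Elasticsearch itself: a small Python helper that applies the migration described above to one ldap realm's settings (passed as a plain dict rather than parsed from YAML, so it runs without PyYAML), and also flags the case from the first post, where neither attribute nor filter is set and logins are therefore matched on the default uid. Hostnames and the bind DN in the sample are placeholders.

```python
import copy

DEPRECATED_KEY = "attribute"  # user_search.attribute is deprecated per the thread
DEFAULT_ATTRIBUTE = "uid"     # what Elasticsearch matches on when neither key is set


def migrate_user_search(realm):
    """Return (migrated realm copy, operator notes) for one ldap realm config.

    user_search.attribute: X is rewritten as user_search.filter: (X={0});
    Elasticsearch substitutes the login name for {0} at search time.
    """
    out = copy.deepcopy(realm)
    notes = []
    search = out.setdefault("user_search", {})
    attr = search.pop(DEPRECATED_KEY, None)
    filt = search.get("filter")

    if filt is not None:
        if "{0}" not in filt:
            notes.append("user_search.filter has no {0} placeholder; every login "
                         "would search for the same entry")
        if attr is not None:
            notes.append(f"dropped deprecated user_search.attribute={attr}; "
                         "a filter was already configured")
    elif attr is not None:
        search["filter"] = f"({attr}={{0}})"
        notes.append(f"rewrote user_search.attribute={attr} as "
                     f"user_search.filter={search['filter']}")
    else:
        notes.append(f"neither attribute nor filter set: logins are matched on "
                     f"{DEFAULT_ATTRIBUTE}, not on cn as the directory in this "
                     "thread required")
    return out, notes


# Constructed sample mirroring the realm after post #5; the url and bind_dn
# are placeholders, not the original poster's values.
SAMPLE_REALM = {
    "type": "ldap",
    "url": "ldap://ldap.example.test:389",
    "bind_dn": "CN=svc-es,OU=Service,OU=Users,DC=rd,DC=net",
    "bind_password": "PLACEHOLDER",
    "user_search": {"base_dn": "DC=rd,DC=net", "attribute": "cn"},
}

if __name__ == "__main__":
    migrated, msgs = migrate_user_search(SAMPLE_REALM)
    print(migrated["user_search"])
    for m in msgs:
        print("note:", m)
```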


(system) #7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.