LDAP connection to elastic search

We are using Elasticsearch 6.6.1 and configuring an Active Directory realm.
In elasticsearch.yml, we have the following entries:

```yaml
xpack:
  security:
    authc:
      realms:
        active_directory:
          type: active_directory
          order: 0
          domain_name: ldap.deu.adt.accenture.com
          bind_dn: A02957DIRNCLM_REPT@accenture.com
```

After that we added the bind password with the command below:

```
bin/elasticsearch-keystore add xpack.security.authc.realms.active_directory.my_ad.secure_bind_password
```

We made the following entries in role_mapping.yml:

```yaml
power_user:
  - "cn=A02957DIRNCLM_REPT,cn=Users,dc=accenture,dc=com"
```

After starting Elasticsearch we get the logs attached in the image:

Kindly help with this.

Thanks,
Tanvi

Please don't post images of text as they are hard to read, may not display correctly for everyone, and are not searchable, and please don't post unformatted code as it's very hard to read.

Instead, paste the text and format it with </> icon or pairs of triple backticks (```), and check the preview window to make sure it's properly formatted before posting it. This makes it more likely that your question will receive a useful answer.

It would be great if you could update your post to solve this.

Hi,

In elasticsearch.yml, we have the following content related to Active Directory:

```yaml
xpack:
  security:
    authc:
      realms:
        active_directory:
          type: active_directory
          order: 0
          domain_name: ds.dev.accenture.com
          url: ldaps://amrdc1711.ds.dev.accenture.com:389
          bind_dn: adt_ldap@ds.dev.accenture.com
```

Then we set the bind_dn password. Below is the output of `elasticsearch-keystore list`:

```
[ads.tgundalwar@vw526474 bin]$ ./elasticsearch-keystore list
bootstrap.password
keystore.seed
xpack.security.authc.realms.active_directory.secure_bind_password
xpack.security.http.ssl.keystore.secure_password
xpack.security.http.ssl.truststore.secure_password
xpack.security.transport.ssl.keystore.secure_password
xpack.security.transport.ssl.truststore.secure_password
```

After running the ldapsearch below we are able to retrieve the appropriate data from the group almadmindev:

```
ldapsearch -x -D "adt_ldap@ds.dev.accenture.com" -W -p 389 -h amrdc1711.ds.dev.accenture.com -b "CN=almadmindev,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com" -s sub "(objectclass=*)"
```

But we face the issue below when trying to connect:

```
[2019-12-24T04:10:34,198][WARN ][o.e.x.s.a.AuthenticationService] [WMDjAWI] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server amrdc1711.ds.dev.accenture.com:389: IOException(LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'amrdc1711.ds.dev.accenture.com:389' because an unexpected error was encountered during validation processing: SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812'))'))
[2019-12-24T04:34:03,824][DEBUG][o.e.x.s.a.l.s.LdapUtils ] [WMDjAWI] LDAP bind [SimpleBindRequest(dn='adt_ldap@ds.dev.accenture.com')] failed for [LDAPConnectionPool(serverSet=FailoverServerSet(serverSets={SingleServerSet(server:389=amrdc1711.ds.dev.accenture.com, includesAuthentication=false, includesPostConnectProcessing=false)}), maxConnections=20)] - [LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server amrdc1711.ds.dev.accenture.com:389: IOException(LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'amrdc1711.ds.dev.accenture.com:389' because an unexpected error was encountered during validation processing: SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812'))')]
[2019-12-24T04:34:03,825][DEBUG][o.e.x.s.a.l.LdapRealm ] [WMDjAWI] Exception occurred during authenticate for active_directory/active_directory
com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server amrdc1711.ds.dev.accenture.com:389: IOException(LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'amrdc1711.ds.dev.accenture.com:389' because an unexpected error was encountered during validation processing: SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812'))
	at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:870) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
	at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
	at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
	at com.unboundid.ldap.sdk.LDAPConnection.<init>(LDAPConnection.java:534) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
	at com.unboundid.ldap.sdk.SingleServerSet.getConnection(SingleServerSet.java:307) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
	at com.unboundid.ldap.sdk.FailoverServerSet.getConnection(FailoverServerSet.java:653) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
	at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1285) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
	at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1258) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
	at com.unboundid.ldap.sdk.LDAPConnectionPool.getConnection(LDAPConnectionPool.java:1792) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
	at com.unboundid.ldap.sdk.LDAPConnectionPool.bindAndRevertAuthentication(LDAPConnectionPool.java:1615) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
	at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils$1.lambda$doRun$0(LdapUtils.java:136) ~[x-pack-security-6.6.1.jar:6.6.1]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
	at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.privilegedConnect(LdapUtils.java:75) ~[x-pack-security-6.6.1.jar:6.6.1]
	at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils$1.doRun(LdapUtils.java:136) [x-pack-security-6.6.1.jar:6.6.1]
	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-6.6.1.jar:6.6.1]
	at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.maybeForkAndRun(LdapUtils.java:101) [x-pack-security-6.6.1.jar:6.6.1]
	at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.maybeForkThenBindAndRevert(LdapUtils.java:152) [x-pack-security-6.6.1.jar:6.6.1]
	at org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory$ADAuthenticator.authenticate(ActiveDirectorySessionFactory.java:285) [x-pack-security-6.6.1.jar:6.6.1]
	at org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory.getSessionWithPool(ActiveDirectorySessionFactory.java:116) [x-pack-security-6.6.1.jar:6.6.1]
	at org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory.session(PoolingSessionFactory.java:101) [x-pack-security-6.6.1.jar:6.6.1]
	at org.elasticsearch.xpack.security.authc.ldap.LdapRealm.lambda$doAuthenticate$1(LdapRealm.java:129) [x-pack-security-6.6.1.jar:6.6.1]
	at org.elasticsearch.xpack.security.authc.ldap.LdapRealm$CancellableLdapRunnable.doRun(LdapRealm.java:312) [x-pack-security-6.6.1.jar:6.6.1]
	at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:759) [elasticsearch-6.6.1.jar:6.6.1]
	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-6.6.1.jar:6.6.1]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
	at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'amrdc1711.ds.dev.accenture.com:389' because an unexpected error was encountered during validation processing: SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812')
	at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:178) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
	at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
	... 26 more
Caused by: com.unboundid.ldap.sdk.LDAPException: Unable to verify an attempt to to establish a secure connection to 'amrdc1711.ds.dev.accenture.com:389' because an unexpected error was encountered during validation processing: SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812
	at com.unboundid.util.ssl.HostNameSSLSocketVerifier.verifySSLSocket(HostNameSSLSocketVerifier.java:146) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
	at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:166) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
	at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
	... 26 more
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
	at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:558) ~[?:?]
	at com.unboundid.util.ssl.HostNameSSLSocketVerifier.verifySSLSocket(HostNameSSLSocketVerifier.java:113) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
	at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:166) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
	at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
	... 26 more
[2019-12-24T04:34:03,828][WARN ][o.e.x.s.a.AuthenticationService] [WMDjAWI] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server amrdc1711.ds.dev.accenture.com:389: IOException(LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'amrdc1711.ds.dev.accenture.com:389' because an unexpected error was encountered during validation processing: SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812'))'))
```
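
Two details in the posts above are worth checking mechanically before a node is started: the second post's realm URL is `ldaps://...:389` (TLS from the first byte, aimed at the port that the working `ldapsearch -x -p 389 -h ...` reaches in plaintext, since that command uses neither `-Z` nor `ldaps://`), and the first post's `elasticsearch-keystore add` uses the realm name `my_ad` while the realm in elasticsearch.yml is named `active_directory`, so the secure setting would not belong to that realm. The script below is an added example written for this page, not code from the thread or from Elastic. It runs the checks a reviewer would do by hand on a 6.x Active Directory realm: URL scheme against port, `secure_bind_password` keystore key against the realm name, and `ssl.verification_mode: none`. The realm dicts are transcribed from the two posts; the first post's keystore listing is constructed from its `add` command; port 636 in the "fixed" realm is an assumption to verify against the domain controller.

```python
"""Pre-flight checks for an Elasticsearch 6.x Active Directory realm.

Added example for this thread, not Elastic's code.  Feed it the settings
found under xpack.security.authc.realms.<name> and the key names printed by
`elasticsearch-keystore list`; it reports the mistakes that surface as a
connect error (LDAP result code 91) before any bind is attempted.
"""
from urllib.parse import urlsplit

# Ports LDAP speaks in the clear (or upgrades via StartTLS) versus ports that
# are TLS from the first byte.  389/636 are standard LDAP; 3268/3269 are the
# Active Directory Global Catalog.
PLAINTEXT_PORTS = {389, 3268}
TLS_PORTS = {636, 3269}


def setting(realm, dotted):
    """Fetch a dotted key (e.g. ssl.verification_mode) from nested or flattened YAML."""
    if dotted in realm:
        return realm[dotted]
    node = realm
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def check_realm(realm_name, realm, keystore_keys):
    """Return a list of findings for one realm; an empty list means it looks sane."""
    findings = []
    keystore_keys = set(keystore_keys)

    if realm.get("type") != "active_directory":
        findings.append(f"{realm_name}: type is {realm.get('type')!r}, expected 'active_directory'")

    # 1. Scheme/port agreement.  ldaps:// starts a TLS handshake immediately;
    #    a plaintext port never presents a certificate, so the client reports
    #    a connect error rather than a bind failure.  With no url, 6.x uses
    #    ldap://<domain_name>:389.
    url = realm.get("url") or f"ldap://{realm.get('domain_name', '')}:389"
    parts = urlsplit(url)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    if parts.scheme == "ldaps" and port in PLAINTEXT_PORTS:
        findings.append(f"{realm_name}: ldaps:// on plaintext port {port}; "
                        f"use the LDAPS port (636/3269) or ldap:// with StartTLS on {port}")
    elif parts.scheme == "ldap" and port in TLS_PORTS:
        findings.append(f"{realm_name}: ldap:// on TLS port {port}; use ldaps://")
    elif parts.scheme not in ("ldap", "ldaps"):
        findings.append(f"{realm_name}: unsupported URL scheme {parts.scheme!r}")

    # 2. A bind_dn needs its password.  In 6.x the secure setting is keyed by
    #    the realm's own name, so an entry added under another name is not
    #    picked up by this realm.
    if "bind_dn" in realm and "bind_password" not in realm:
        expected = f"xpack.security.authc.realms.{realm_name}.secure_bind_password"
        if expected not in keystore_keys:
            findings.append(f"{realm_name}: bind_dn set but the keystore has no {expected}")
    if "bind_password" in realm:
        findings.append(f"{realm_name}: bind_password in elasticsearch.yml; move it to the keystore")

    # 3. Turning verification off hides a certificate problem instead of fixing it
    #    and lets anyone on the path impersonate the domain controller.
    if setting(realm, "ssl.verification_mode") == "none":
        findings.append(f"{realm_name}: ssl.verification_mode=none disables certificate checks")

    return findings


# Transcribed from the two posts in this thread (realm name "active_directory").
FIRST_POST = {
    "type": "active_directory",
    "order": 0,
    "domain_name": "ldap.deu.adt.accenture.com",
    "bind_dn": "A02957DIRNCLM_REPT@accenture.com",
}
# Constructed: what `elasticsearch-keystore list` would show after the first
# post's `add` command, which used the realm name "my_ad".
FIRST_POST_KEYSTORE = [
    "bootstrap.password",
    "keystore.seed",
    "xpack.security.authc.realms.my_ad.secure_bind_password",
]

SECOND_POST = {
    "type": "active_directory",
    "order": 0,
    "domain_name": "ds.dev.accenture.com",
    "url": "ldaps://amrdc1711.ds.dev.accenture.com:389",
    "bind_dn": "adt_ldap@ds.dev.accenture.com",
}
SECOND_POST_KEYSTORE = [
    "bootstrap.password",
    "keystore.seed",
    "xpack.security.authc.realms.active_directory.secure_bind_password",
]

# Assumption: the DC serves LDAPS on 636.  Confirm with
# `openssl s_client -connect amrdc1711.ds.dev.accenture.com:636` before relying on it.
FIXED = dict(SECOND_POST, url="ldaps://amrdc1711.ds.dev.accenture.com:636")

if __name__ == "__main__":
    for label, realm, keys in [("first post", FIRST_POST, FIRST_POST_KEYSTORE),
                               ("second post", SECOND_POST, SECOND_POST_KEYSTORE),
                               ("fixed", FIXED, SECOND_POST_KEYSTORE)]:
        print(label, "->", check_realm("active_directory", realm, keys) or "OK")
```

The URL check is the one that matches the trace above: `HostNameSSLSocketVerifier` asks the TLS session for the peer certificate and gets `SSLPeerUnverifiedException(peer not authenticated)`, which is what Java returns when no TLS session was ever negotiated on the socket. Keep `ssl.verification_mode` at its default; if the DC's certificate is issued by an internal CA, point `ssl.certificate_authorities` at that CA rather than disabling verification.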

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.