Ldap resultCode=89 Simple bind operations are not allowed to contain a bind DN without a password

logger · September 10, 2019, 2:50pm

Hi there,

I am trying to add an ldap Connection to the ECE Cluster. But it always throws a warning.

[2019-09-10T14:31:26,948][WARN ][org.elasticsearch.xpack.security.authc.AuthenticationService] [instance-0000000048] Authentication to realm xxx-ldap-xxx failed - authenticate failed (Caused by LDAPException(resultCode=89 (parameter error), diagnosticMessage='Simple bind operations are not allowed to contain a bind DN without a password.', ldapSDKVersion=4.0.8, revision=28812))

September 10th 2019, 15:55:54.217[2019-09-10T14:55:54,040][WARN ][org.elasticsearch.xpack.security.authc.support.DnRoleMapper] [instance-0000000046] Role mapping file [/app/config/role_mapping.yml] for realm [xxx-ldap-xxx] does not exist. Role mapping will be skipped.

I am using ECE 2.3.1.

anonymized data:
Bind DN and password:
CN=user,OU=group,OU=group,DC=example,DC=com

Base DN for Users:
DC=example,DC=com
Scope: Sub-tree
Filter: (sAMAccountName={0})

Base DN for Groups:
OU=group,OU=group,DC=example,DC=com
Scope: Sub-tree

Role Mapping platform admin:
CN=groupname,OU=group,OU=group,DC=example,DC=com

ldapsearch -x -D "CN=user,OU=group,OU=group,DC=example,DC=com "\
           -W -H ldap://ldap.example.com -b "DC=example,DC=com"\
           -s sub '(sAMAccountName=myuser)'

This command is working fine from the cmd. But the Cloud UI does not want our configuration.

Did I miss something?

Thanks in advance

logger · September 11, 2019, 5:41am

I dont know why but it is working after I restartet the security deployment itself.

Before that I have rebootet the whole host system and that did not work.

Could there be a bug that by saving the configuration of ldap the security cluster will be recreated and all data will be transfered. Maybe the new settings won´t be set until a Restart of the nodes.

Sounds wrong to me but I have no other Explanation.

Daniel_Battaglia · September 11, 2019, 1:59pm

Hi Malte. Are you adding LDAP to your own cluster, or to log in to ECE itself (using Authentication Providers)? If you mean the latter, I believe this might be due to a bug in the way our ECE keystore management implementation works. Under the hood the LDAP Authentication Providers UI stores passwords in the Keystore via the ECE "metadata" and the rest of the configuration in a regular ECE plan, which causes a potential race condition. We are aware of the issue and looking to have it fixed, hopefully for 2.4 but if not then some time after.

logger · September 12, 2019, 9:43am

Yes it is in ECE itself.

For now a simple restart of the security cluster is working.

Thanks
Malte

system · September 26, 2019, 9:43am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
LDAP connection to elastic search Elasticsearch elastic-stack-security	4	646	January 21, 2020
Deny LDAP users without role mapping Elasticsearch elastic-stack-security	2	983	August 31, 2018
ES with shield LDAP can't use LDAP group but can login with LDAP user Elasticsearch elastic-stack-security	7	1808	July 6, 2017
LDAP User Authentication fails with invalid DN error Elasticsearch	13	3854	April 20, 2017
Baremetal cloud-on-k8s instance how to add LDAP bind password Elasticsearch elastic-stack-security	3	491	October 10, 2019

Ldap resultCode=89 Simple bind operations are not allowed to contain a bind DN without a password

Related topics