I also have a role mapping file configured like this:
user:
  - "cn=user1,dc=starling,dc=lan"
  - "cn=user2,dc=starling,dc=lan"
  - "cn=user3,dc=starling,dc=lan"
  - "cn=user4,dc=starling,dc=lan"
But I am not able to authenticate with any of the users; I get this error message in elasticsearch.log:
[2017-03-22T15:52:52,218][WARN ][o.e.x.s.a.l.LdapRealm ] [8cLTrtp] authentication failed for user [user2]: invalid DN
cause: com.unboundid.ldap.sdk.LDAPBindException: invalid DN
Please help, I've been on this all day but I have not been able to resolve the problem. I have even deleted all my ACLs on the LDAP server, but it's still not working.
Thank you, I got a way around it. Please see below the logs from when I tried authenticating with an ldap user "myself2", which I have in the role mapping file too:
[2017-03-22T17:56:43,201][DEBUG][o.e.x.s.a.l.LdapRealm ] [8cLTrtp] authentication failed for user [myself2]
com.unboundid.ldap.sdk.LDAPSearchException: invalid DN
at com.unboundid.ldap.sdk.AbstractConnectionPool.searchForEntry(AbstractConnectionPool.java:2380) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.searchForEntry(LdapUtils.java:93) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.findUser(LdapUserSearchSessionFactory.java:203) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.getSessionWithPool(LdapUserSearchSessionFactory.java:140) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.getSession(LdapUserSearchSessionFactory.java:133) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory.session(SessionFactory.java:96) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.ldap.support.AbstractLdapRealm.doAuthenticate(AbstractLdapRealm.java:57) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.authenticate(CachingUsernamePasswordRealm.java:97) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateToken(AuthenticationService.java:316) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.consumeToken(AuthenticationService.java:251) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$extractToken$6(AuthenticationService.java:226) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.extractToken(AuthenticationService.java:234) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$0(AuthenticationService.java:182) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$lookForExistingAuthentication$2(AuthenticationService.java:199) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lookForExistingAuthentication(AuthenticationService.java:211) [x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateAsync(AuthenticationService.java:178) [x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.access$000(AuthenticationService.java:140) [x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.AuthenticationService.authenticate(AuthenticationService.java:95) [x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.rest.SecurityRestFilter.process(SecurityRestFilter.java:90) [x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:310) [elasticsearch-5.1.2.jar:5.1.2]
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:203) [elasticsearch-5.1.2.jar:5.1.2]
at org.elasticsearch.http.HttpServer.dispatchRequest(HttpServer.java:113) [elasticsearch-5.1.2.jar:5.1.2]
at org.elasticsearch.http.netty4.Netty4HttpServerTransport.dispatchRequest(Netty4HttpServerTransport.java:507) [transport-netty4-5.1.2.jar:5.1.2]
at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:69) [transport-netty4-5.1.2.jar:5.1.2]
Caused by: com.unboundid.ldap.sdk.LDAPBindException: invalid DN
at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1289) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1178) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnectionPool.getConnection(LDAPConnectionPool.java:1706) ~[?:?]
at com.unboundid.ldap.sdk.AbstractConnectionPool.searchForEntry(AbstractConnectionPool.java:2375) ~[?:?]
... 66 more
[2017-03-22T17:56:43,204][DEBUG][o.e.x.s.a.e.NativeRealm ] [8cLTrtp] user not found in cache, proceeding with normal authentication
[2017-03-22T17:56:43,206][DEBUG][o.e.x.s.a.f.FileRealm ] [8cLTrtp] user not found in cache, proceeding with normal authentication
[2017-03-22T17:56:43,210][DEBUG][o.e.x.s.a.e.ReservedRealm] [8cLTrtp] authenticated user [kibana], with roles [[kibana]]
Based on your stacktrace it looks like you're on a relatively old version of Elasticsearch (perhaps 5.1?).
While it is unlikely to be the cause of your problem, I would encourage you to look at upgrading to 5.2.2, as we have made a number of improvements to the security code in general, and LDAP specifically.
From the error message, the problem appears to be your bind_dn.
Are you sure that's correct? I think those dn= ought to be dc=.
You probably mean for it to be
Thank you for your response. Yes, we are currently running on 5.1.2, and will consider upgrading, but I would like to get LDAP working with our current version. Thanks for pointing the error out; I have made the corrections, but I still get the invalid credentials error, even though the credentials are actually valid and clients can log in with those credentials. I tried using the user DN template mode too and I keep getting the same invalid credentials error. Please see the stack trace below:
[2017-03-23T05:40:55,312][DEBUG][o.e.x.s.a.l.LdapRealm ] [8cLTrtp] authentication failed for user [myself2]
com.unboundid.ldap.sdk.LDAPSearchException: invalid credentials
at com.unboundid.ldap.sdk.AbstractConnectionPool.searchForEntry(AbstractConnectionPool.java:2380) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.searchForEntry(LdapUtils.java:93) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.findUser(LdapUserSearchSessionFactory.java:203) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.getSessionWithPool(LdapUserSearchSessionFactory.java:140) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.getSession(LdapUserSearchSessionFactory.java:133) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory.session(SessionFactory.java:96) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.ldap.support.AbstractLdapRealm.doAuthenticate(AbstractLdapRealm.java:57) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.authenticate(CachingUsernamePasswordRealm.java:97) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateToken(AuthenticationService.java:316) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.consumeToken(AuthenticationService.java:251) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$extractToken$6(AuthenticationService.java:226) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.extractToken(AuthenticationService.java:234) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$0(AuthenticationService.java:182) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$lookForExistingAuthentication$2(AuthenticationService.java:199) ~[x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lookForExistingAuthentication(AuthenticationService.java:211) [x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateAsync(AuthenticationService.java:178) [x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.access$000(AuthenticationService.java:140) [x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.authc.AuthenticationService.authenticate(AuthenticationService.java:95) [x-pack-5.1.2.jar:5.1.2]
at org.elasticsearch.xpack.security.rest.SecurityRestFilter.process(SecurityRestFilter.java:90) [x-pack-5.1.2.jar:5.1.2]
-
-
-
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:651) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:536) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:490) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:450) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:873) [netty-common-4.1.6.Final.jar:4.1.6.Final]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]
Caused by: com.unboundid.ldap.sdk.LDAPBindException: invalid credentials
at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1289) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1178) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnectionPool.getConnection(LDAPConnectionPool.java:1706) ~[?:?]
at com.unboundid.ldap.sdk.AbstractConnectionPool.searchForEntry(AbstractConnectionPool.java:2375) ~[?:?]
... 66 more
Thanks, the bind_password is correct; ssh from the elasticsearch host to the ldap server works, and so do other ldap clients:
[user@ES-server~]$ ssh myself@ldap.starling.lan
myself@ldap.starling.lan's password:
Last login: Thu Mar 23 06:17:06 2017 from 10.197.138.253
[myself@server-ldapandkerb~]$
I have also tried to write the bind_dn in several possible formats, but I still get the same error. I have anonymous access set up on the ldap server too, but when I try to connect without the bind_dn, I still get the authentication failed error:
[2017-03-23T06:32:09,320][DEBUG][o.e.x.s.a.l.LdapRealm ] [8cLTrtp] authentication failed for user [esuser]
com.unboundid.ldap.sdk.LDAPSearchException: size limit exceeded
at com.unboundid.ldap.sdk.LDAPConnection.search(LDAPConnection.java:3650) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at com.unboundid.ldap.sdk.LDAPConnection.searchForEntry(LDAPConnection.java:4012) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at com.unboundid.ldap.sdk.AbstractConnectionPool.searchForEntry(AbstractConnectionPool.java:2385) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
Please, have you got any ideas of what else could cause this error?
Thank you; esuser and myself are independent, but I am also able to ssh with esuser:
[user@ES-server~]$ ssh esuser@ldap.starling.lan
esuser@ldap.starling.lan's password:
[esuser@server-ldapandkerb~]$
Also, trying an ldap search with esuser as suggested returns an Invalid credentials error, as below:
ldapsearch -x -H "ldap://ldap.starling.lan:389" -w "cloud" -D "cn=esuser,dc=starling,dc=lan" -b "dc=starling,dc=lan" "cn=esuser"
ldap_bind: Invalid credentials (49)
But an anonymous ldap search is successful:
ldapsearch -x -H "ldap://ldap.starling.lan:389" -b "dc=starling,dc=lan"
I am also able to search with the cn Manager's credentials, like below:
ldapsearch -x -H "ldap://ldap.starling.lan:389" -w "abcdef" -D "cn=Manager,dc=starling,dc=lan" -b "dc=starling,dc=lan"
I tried to modify the bind_dn in the elasticsearch.xml config to Manager, and I modified the bind_password too, as below:
bind_dn: "cn=Manager,dc=starling,dc=lan"
bind_password: "abcdef"
but I still get this error in the log when I try to log in as user myself, which exists in my ldap database and in the elasticsearch role mapping file:
[2017-03-23T09:22:57,036][DEBUG][o.e.x.s.a.l.LdapRealm ] [8cLTrtp] authentication failed for user [myself]
com.unboundid.ldap.sdk.LDAPSearchException: size limit exceeded
at com.unboundid.ldap.sdk.LDAPConnection.search(LDAPConnection.java:3650) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at com.unboundid.ldap.sdk.LDAPConnection.searchForEntry(LDAPConnection.java:4012) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at com.unboundid.ldap.sdk.AbstractConnectionPool.searchForEntry(AbstractConnectionPool.java:2385) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
This is an error from your LDAP server. It indicates that the search found too many results. Either it found more results than the server was configured to allow, or it found more results than the request is willing to accept.
In this case the most likely explanation is that you have more than 1 user with a cn of "myself".
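An offline check for the two failure modes in this thread, as an added example (not code from the thread or from Elastic): it parses ldapsearch LDIF output, flags login names that resolve to more than one entry (the condition behind "size limit exceeded"), and lists role-mapping DNs that match no directory entry. The LDIF, the role mapping and the attribute names below are constructed sample data.

```python
"""Sanity-check an LDAP directory against an Elasticsearch LDAP realm setup
(added example, not Elastic's code): each login must resolve to exactly one
entry, and every DN in role_mapping.yml must exist. Runs offline on LDIF."""
import re

# Constructed LDIF, in the shape `ldapsearch -x -LLL -b "dc=starling,dc=lan"`
# prints: "myself" exists twice (one migrated entry, one created by hand).
SAMPLE_LDIF = """\
dn: cn=esuser,dc=starling,dc=lan
objectClass: inetOrgPerson
cn: esuser
uid: esuser

dn: uid=myself,ou=People,dc=starling,dc=lan
objectClass: posixAccount
cn: myself
uid: myself

dn: cn=myself,dc=starling,dc=lan
objectClass: inetOrgPerson
cn: myself
uid: myself
description: created by hand, second entry with the
  same cn
"""

# Constructed role mapping (role -> list of DNs); user9 is not in the sample.
SAMPLE_ROLE_MAPPING = {
    "user": ["cn=esuser,dc=starling,dc=lan", "cn=user9,dc=starling,dc=lan"],
}


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF record.
    Joins folded continuation lines (leading space); base64 '::' values are
    left undecoded, which is enough for DN/cn/uid checks."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():  # blank line ends a record
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Comparison key that ignores case and spaces around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def search_user(entries, attribute, login):
    """DNs whose <attribute> equals <login>; the realm needs exactly one."""
    return [e["dn"][0] for e in entries
            if login.lower() in (v.lower() for v in e.get(attribute, []))]


def user_lookup_status(entries, attribute, login):
    """'ok', 'not found', or 'ambiguous' (the size-limit-exceeded case)."""
    n = len(search_user(entries, attribute, login))
    return "ok" if n == 1 else ("not found" if n == 0 else "ambiguous")


def unresolved_mapping_dns(entries, role_mapping):
    """Mapped DNs that match no entry (a dn= typo for dc= would land here)."""
    known = {normalize_dn(e["dn"][0]) for e in entries}
    return [dn for dns in role_mapping.values() for dn in dns
            if normalize_dn(dn) not in known]
```

Run it against real `ldapsearch -LLL` output for the realm's base DN and user-search attribute before enabling the realm; an "ambiguous" login is the duplicate the reply above describes.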
I only created the one myself user and migrated the users from /etc/passwd and /etc/group to the LDAP database using the migrate_passwd.pl and migrate_group.pl perl scripts respectively. However, I've been able to resolve it by creating new LDAP users manually. Thanks once again.