LDAP User Authentication fails with invalid DN error

koladoo · March 22, 2017, 3:19pm

Hi all,

I am currently trying to setup LDAP user authentication. I added the configuration below to elasticsearch.yml file:

xpack:
  security:
    audit:
      enabled: true
    authc:
      realms:
        ldap1:
         type: ldap
         order: 0
         url: "ldap://ldap.starling.lan:389"
         bind_dn: "cn=esuser,dn=starling,dn=lan"
         bind_password: "cloud"
         user_search:
           base_dn: "dc=starling,dc=lan"
           attribute: CN
         user_group_attribute: memberOf
         files:
           role_mapping: "/etc/elasticsearch/x-pack/role_mapping.yml"

        native:
         type: native
         order: 1

        file:
         type: file
         order: 2

I also have role mapping file configured like this:

user:

"cn=user1,dc=starling,dc=lan"
"cn=user2,dc=starling,dc=lan"
"cn=user3,dc=starling,dc=lan"
"cn=user4,dc=starling,dc=lan"

But I am not able to authenticate with any of the users, I get this error message in elasticsearch.log

[2017-03-22T15:52:52,218][WARN ][o.e.x.s.a.l.LdapRealm ] [8cLTrtp] authentication failed for user [user2]: invalid DN
cause: com.unboundid.ldap.sdk.LDAPBindException: invalid DN

Please help, I've been on this allday but I have not been able to resolve the problem, I have further deleted all my ACLs on the LDAP server but its still not working.

Thanks

jaymode · March 22, 2017, 3:41pm

Can you turn up the log level to DEBUG and post the full stacktrace?

koladoo · March 22, 2017, 4:27pm

Thank you for your response, I tried to turn this on, using the cluster settings API with this curl command but it returns empty reply from server

curl --user elastic:changeme -XPUT 'localhost:9200/_cluster/settings?pretty' -H 'Content-Type: application/json' -d'
> {
>     "transient" : {
>         "logger.discovery" : "DEBUG"
>     }
> }'
curl: (52) Empty reply from server

koladoo · March 22, 2017, 5:16pm

Thank you, I got a way around it, Please see below the logs, when I tried authenticating with an ldap user "myself2", which I have in the role mapping file too:

[2017-03-22T17:56:43,201][DEBUG][o.e.x.s.a.l.LdapRealm    ] [8cLTrtp] authentication failed for user [myself2]
com.unboundid.ldap.sdk.LDAPSearchException: invalid DN
        at com.unboundid.ldap.sdk.AbstractConnectionPool.searchForEntry(AbstractConnectionPool.java:2380) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
        at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.searchForEntry(LdapUtils.java:93) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.findUser(LdapUserSearchSessionFactory.java:203) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.getSessionWithPool(LdapUserSearchSessionFactory.java:140) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.getSession(LdapUserSearchSessionFactory.java:133) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory.session(SessionFactory.java:96) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.ldap.support.AbstractLdapRealm.doAuthenticate(AbstractLdapRealm.java:57) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.authenticate(CachingUsernamePasswordRealm.java:97) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateToken(AuthenticationService.java:316) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.consumeToken(AuthenticationService.java:251) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$extractToken$6(AuthenticationService.java:226) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.extractToken(AuthenticationService.java:234) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$0(AuthenticationService.java:182) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$lookForExistingAuthentication$2(AuthenticationService.java:199) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lookForExistingAuthentication(AuthenticationService.java:211) [x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateAsync(AuthenticationService.java:178) [x-pack-5.1.2.jar:5.1.2]
 at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.access$000(AuthenticationService.java:140) [x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.AuthenticationService.authenticate(AuthenticationService.java:95) [x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.rest.SecurityRestFilter.process(SecurityRestFilter.java:90) [x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:310) [elasticsearch-5.1.2.jar:5.1.2]
        at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:203) [elasticsearch-5.1.2.jar:5.1.2]
        at org.elasticsearch.http.HttpServer.dispatchRequest(HttpServer.java:113) [elasticsearch-5.1.2.jar:5.1.2]
        at org.elasticsearch.http.netty4.Netty4HttpServerTransport.dispatchRequest(Netty4HttpServerTransport.java:507) [transport-netty4-5.1.2.jar:5.1.2]
        at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:69) [transport-netty4-5.1.2.jar:5.1.2]
        at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at org.elasticsearch.http.netty4.pipelining.HttpPipeliningHandler.channelRead(HttpPipeliningHandler.java:66) [transport-netty4-5.1.2.jar:5.1.2]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:293) [netty-codec-4.1.6.Final.jar:4.1.6.Final]

koladoo · March 22, 2017, 5:19pm

The other half of the log:

 at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:267) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
            at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
            at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
            at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
            at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
            at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
            at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
            at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1069) [netty-handler-4.1.6.Final.jar:4.1.6.Final]
            at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:902) [netty-handler-4.1.6.Final.jar:4.1.6.Final]
            at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
            at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
            at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
            at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
            at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
            at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
            at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
            at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
            at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:651) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
            at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:536) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
            at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:490) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
            at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:450) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
            at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:873) [netty-common-4.1.6.Final.jar:4.1.6.Final]
            at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]
    Caused by: com.unboundid.ldap.sdk.LDAPBindException: invalid DN
            at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1289) ~[?:?]
            at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1178) ~[?:?]
            at com.unboundid.ldap.sdk.LDAPConnectionPool.getConnection(LDAPConnectionPool.java:1706) ~[?:?]
            at com.unboundid.ldap.sdk.AbstractConnectionPool.searchForEntry(AbstractConnectionPool.java:2375) ~[?:?]
            ... 66 more
    [2017-03-22T17:56:43,204][DEBUG][o.e.x.s.a.e.NativeRealm  ] [8cLTrtp] user not found in cache, proceeding with normal authentication
    [2017-03-22T17:56:43,206][DEBUG][o.e.x.s.a.f.FileRealm    ] [8cLTrtp] user not found in cache, proceeding with normal authentication
    [2017-03-22T17:56:43,210][DEBUG][o.e.x.s.a.e.ReservedRealm] [8cLTrtp] authenticated user [kibana], with roles [[kibana]]
    [2017-03-22T17:56:43,277][DEBUG][o.e.x.s.a.e.ReservedRealm] [8cLTrtp] authenticated user [kibana], with roles [[kibana]]
    [2017-03-22T17:56:43,279][DEBUG][o.e.x.s.a.e.ReservedRealm] [8cLTrtp] authenticated user [kibana], with roles [[kibana]]
    [2017-03-22T17:56:43,288][DEBUG][o.e.x.s.a.e.ReservedRealm] [8cLTrtp] authenticated user [kibana], with roles [[kibana]]
    [2017-03-22T17:56:43,301][DEBUG][o.e.x.s.a.e.ReservedRealm] [8cLTrtp] authenticated user [kibana], with roles [[kibana]]
    [2017-03-22T17:56:43,304][DEBUG][o.e.x.s.a.e.ReservedRealm] [8cLTrtp] authenticated user [kibana], with roles [[kibana]]
    [2017-03-22T17:56:43,310][DEBUG][o.e.x.s.a.e.ReservedRealm] [8cLTrtp] authenticated user [kibana], with roles [[kibana]]
    [2017-03-22T17:56:43,314][DEBUG][o.e.x.s.a.e.ReservedRealm] [8cLTrtp] authenticated user [kibana], with roles [[kibana]]
    [2017-03-22T17:56:43,435][DEBUG][o.e.x.s.a.e.ReservedRealm] [8cLTrtp] authenticated user [kibana], with roles [[kibana]]
    [2017-03-22T17:56:45,752][DEBUG][o.e.x.s.a.e.ReservedRealm] [8cLTrtp] authenticated user [kibana], with roles [[kibana]]
    [2017-03-22T17:56:45,792][DEBUG][o.e.x.s.a.e.ReservedRealm] [8cLTrtp] authenticated user [kibana], with roles [[kibana]]
    [2017-03-22T17:56:45,796][DEBUG][o.e.x.s.a.e.ReservedRealm] [8cLTrtp] authenticated user [kibana], with roles [[kibana]]
    [2017-03-22T17:56:45,804][DEBUG][o.e.x.s.a.e.ReservedRealm] [8cLTrtp] authenticated user [kibana], with roles [[kibana]]
    [2017-03-22T17:56:45,825][DEBUG][o.e.x.s.a.e.ReservedRealm] [8cLTrtp] authenticated user [kibana], with roles [[kibana]]
    [2017-03-22T17:56:45,829][DEBUG][o.e.x.s.a.e.ReservedRealm] [8cLTrtp] authenticated user [kibana], with roles [[kibana]]
    [2017-03-22T17:56:45,838][DEBUG][o.e.x.s.a.e.ReservedRealm] [8cLTrtp] authenticated user [kibana], with roles [[kibana]]

Thank you.

TimV · March 22, 2017, 11:53pm

Based on your stacktrace it looks like you're on a relatively old version of Elasticsearch (perhaps 5.1?)
While it is unlikely to be the cause of your problem, I would encourage you to look at upgrading to 5.2.2 as we have made a number of improvements to the security code in general, and LDAP specifically.

From the error message, it the problem appears to be your bind_dn
Are you sure that's correct - I think those dn= ought to be dc=.
You probably mean for it to be

 bind_dn: "cn=esuser,dc=starling,dc=lan"

koladoo · March 23, 2017, 4:54am

Thank you for your response, yes we are currently running on 5.1.2, and will consider upgrading but I will like to get LDAP working with our current version. Thanks for pointing the error out, I have made the corrections but I still get the invalid credentials error but the credentials are actually valid and clients can login with those credentials. I tried using the user DN template mode too and I keep getting thesame invalid credentials error. Please see the stack trace below:

[2017-03-23T05:40:55,312][DEBUG][o.e.x.s.a.l.LdapRealm    ] [8cLTrtp] authentication failed for user [myself2]
com.unboundid.ldap.sdk.LDAPSearchException: invalid credentials
        at com.unboundid.ldap.sdk.AbstractConnectionPool.searchForEntry(AbstractConnectionPool.java:2380) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
        at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.searchForEntry(LdapUtils.java:93) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.findUser(LdapUserSearchSessionFactory.java:203) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.getSessionWithPool(LdapUserSearchSessionFactory.java:140) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.getSession(LdapUserSearchSessionFactory.java:133) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory.session(SessionFactory.java:96) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.ldap.support.AbstractLdapRealm.doAuthenticate(AbstractLdapRealm.java:57) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.authenticate(CachingUsernamePasswordRealm.java:97) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateToken(AuthenticationService.java:316) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.consumeToken(AuthenticationService.java:251) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$extractToken$6(AuthenticationService.java:226) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.extractToken(AuthenticationService.java:234) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$0(AuthenticationService.java:182) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$lookForExistingAuthentication$2(AuthenticationService.java:199) ~[x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lookForExistingAuthentication(AuthenticationService.java:211) [x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateAsync(AuthenticationService.java:178) [x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.access$000(AuthenticationService.java:140) [x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.authc.AuthenticationService.authenticate(AuthenticationService.java:95) [x-pack-5.1.2.jar:5.1.2]
        at org.elasticsearch.xpack.security.rest.SecurityRestFilter.process(SecurityRestFilter.java:90) [x-pack-5.1.2.jar:5.1.2]
-
-
-
 at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:651) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:536) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:490) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:450) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:873) [netty-common-4.1.6.Final.jar:4.1.6.Final]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]
Caused by: com.unboundid.ldap.sdk.LDAPBindException: invalid credentials
        at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1289) ~[?:?]
        at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1178) ~[?:?]
        at com.unboundid.ldap.sdk.LDAPConnectionPool.getConnection(LDAPConnectionPool.java:1706) ~[?:?]
        at com.unboundid.ldap.sdk.AbstractConnectionPool.searchForEntry(AbstractConnectionPool.java:2375) ~[?:?]
        ... 66 more

TimV · March 23, 2017, 4:58am

Based on where that error is occurring, it looks like your bind_password is the problem. Double check that.

Or alternatively your bind_dn is still incorrect (though no longer strictly invalid).

koladoo · March 23, 2017, 5:39am

Thanks, the bind_password is correct, ssh from the elasticsearch host to the ldap server and other ldap clients works:
[user@ES-server~]$ ssh myself@ldap.starling.lan
myself@ldap.starling.lan's password:
Last login: Thu Mar 23 06:17:06 2017 from 10.197.138.253
[myself@server-ldapandkerb~]$

I have also tried to write the bind_dn in several possible formats but I still get thesame error, I have annonymous access setup on the ldap server too but when I try to connect without the bind_dn, I still get the authentication failed error:
[2017-03-23T06:32:09,320][DEBUG][o.e.x.s.a.l.LdapRealm ] [8cLTrtp] authentication failed for user [esuser]
com.unboundid.ldap.sdk.LDAPSearchException: size limit exceeded
at com.unboundid.ldap.sdk.LDAPConnection.search(LDAPConnection.java:3650) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at com.unboundid.ldap.sdk.LDAPConnection.searchForEntry(LDAPConnection.java:4012) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
at com.unboundid.ldap.sdk.AbstractConnectionPool.searchForEntry(AbstractConnectionPool.java:2385) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]

Please have you got any ideas of what else could cause this error ?

TimV · March 23, 2017, 5:58am

That test isn't really showing much - you're testing ssh as myself, but your bind_dn is esuser. How are those 2 users related?

Can you verify a pure LDAP connection using the bind DN and password from your config.
Something like:

ldapsearch -x -H "ldap://ldap.starling.lan:389" -w "cloud" -D "cn=esuser,dc=starling,dc=lan" -b "dc=starling,dc=lan" "cn=esuser"

koladoo · March 23, 2017, 8:25am

Thank you; esuser and myself are independent, but I am also able to ssh with esuser
user@ES-server~]$ ssh esuser@ldap.starling.lan
esuser@ldap.starling.lan's password:
[esuser@server-ldapandkerb~]$

Also trying an ldap search with esuser as suggested, returns Invalid credentials error as below:
ldapsearch -x -H "ldap://ldap.starling.lan:389" -w "cloud" -D "cn=esuser,dc=starling,dc=lan" -b "dc=starling,dc=lan" "cn=esuser"
ldap_bind: Invalid credentials (49)

But a anonymous ldap search is successful:
ldapsearch -x -H "ldap://ldap.starling.lan:389" -b "dc=starling,dc=lan"

I am also able to search with the cn Manager's credentials like below:
ldapsearch -x -H "ldap://ldap.starling.lan:389" -w "abcdef" -D "cn=Manager,dc=starling,dc=lan" -b "dc=starling,dc=lan"

I tried to modify the bind_dn in the elasticsearch.xml config to Manager and I modified the bind_password too as below:
bind_dn: "cn=Manager,dc=starling,dc=lan" bind_password: "abcdef"

but I still get this error in the log when I try to login as user myself which exists in my ldap database and the elasticsearch role mapping file,

[2017-03-23T09:22:57,036][DEBUG][o.e.x.s.a.l.LdapRealm ] [8cLTrtp] authentication failed for user [myself] com.unboundid.ldap.sdk.LDAPSearchException: size limit exceeded at com.unboundid.ldap.sdk.LDAPConnection.search(LDAPConnection.java:3650) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0] at com.unboundid.ldap.sdk.LDAPConnection.searchForEntry(LDAPConnection.java:4012) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0] at com.unboundid.ldap.sdk.AbstractConnectionPool.searchForEntry(AbstractConnectionPool.java:2385) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]

TimV · March 23, 2017, 9:49am

This is an error from your LDAP server. It indicates that the search found too many results. Either it found more results than the server was configured to allow, or it found more results than the request is willing to accept.

In this case the most likely explanation is that you have more than 1 user with a cn of "myself".

How many results do you get when you run

ldapsearch -x -H "ldap://ldap.starling.lan:389" -b "dc=starling,dc=lan" "cn=myself"

koladoo · March 23, 2017, 10:15am

Thanks, please see the search result for myself

[cloud-user@kola-server-ldapandkerberos-environment-kerbldap-server-6e4c8 ~]$ ldapsearch -x -H "ldap://ldap.starling.lan:389" -b "dc=starling,dc=lan" "cn=myself"
# extended LDIF
#

# numResponses: 3
# numEntries: 2

I only created the one myself user and migrated the user /etc/passwd and/etc/group to the LDAP database using the migrate_passwd.pl and migrate_group.pl perl scripts respectively. However, I've been able to resolve it by creating new LDAP users manualy. Thanks once again.

system · April 20, 2017, 10:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to authenticate with LDAP/AD Elasticsearch elastic-stack-security	2	2844	July 6, 2017
LDAP Integration not working as expected Elasticsearch elastic-stack-security	4	259	August 21, 2023
Authentication to realm ldap1 failed - authenticate failed Elasticsearch elastic-stack-security	4	1455	May 21, 2021
LDAP Integration Not Working Elasticsearch elastic-stack-security	7	452	August 22, 2023
Can't get AD ldap to work Elasticsearch elastic-stack-security	10	2119	October 19, 2020

LDAP User Authentication fails with invalid DN error

Related Topics