Hey guys, hope you're all doing well
I'm facing an extremely strange issue with my LDAP configuration for Shield. This only occurs when I attempt to connect to my LDAP server using SSL (i.e. LDAPS), and it occurs around 70% of the time (with the other 30% or so working as expected).
Basically what happens is that immediately (i.e. in a few milliseconds) after attempting to authenticate against Elasticsearch (using curl), the following error shows up in the logs and the auth attempt fails:
[2016-05-04 22:02:23,292][WARN ][shield.authc.ldap ] [elasticsearch-client-node] authentication failed for user [fotis]: could not search for LDAP groups for DN [uid=fotis,ou=people,ou=staff,dc=aaa,dc=example,dc=com]
cause: com.unboundid.ldap.sdk.LDAPSearchException: time limit exceeded
My configuration is as follows:
shield:
  authc:
    realms:
      file1:
        order: 0
        type: file
      ldap1:
        connect_timeout: 120s
        read_timeout: 120s
        order: 1
        type: ldap
        url: ldaps://ldap.example.com
        user_search:
          base_dn: ou=staff,dc=aaa,dc=example,dc=com
        pool:
          health_check:
            enabled: false
        group_search:
          base_dn: ou=staff,dc=aaa,dc=example,dc=com
        ssl:
          keystore:
            path: /etc/elasticsearch/client-node/shield/node01.jks
            password: abcabc
Any help would be greatly appreciated!
Thanks so much
Fotis