Hey guys, hope you're all doing well
I'm facing an extremely strange issue with my LDAP configuration for Shield. This only occurs when I attempt to connect to my LDAP server using SSL (i.e. LDAPS) and it occurs around 70% of the time (with the other 30 or so % working as expected).
Basically what happens is that immediately (i.e. in a few milliseconds) after attempting to authenticate against Elasticsearch (using curl), the following error shows up in the logs and the auth attempt fails:
[2016-05-04 22:02:23,292][WARN ][shield.authc.ldap ] [elasticsearch-client-node] authentication failed for user [fotis]: could not search for LDAP groups for DN [uid=fotis,ou=people,ou=staff,dc=aaa,dc=example,dc=com] cause: com.unboundid.ldap.sdk.LDAPSearchException: time limit exceeded
My configuration is as follows:
shield:
  authc:
    realms:
      file1:
        order: 0
        type: file
      ldap1:
        connect_timeout: 120s
        read_timeout: 120s
        order: 1
        type: ldap
        url: ldaps://ldap.example.com
        user_search:
          base_dn: ou=staff,dc=aaa,dc=example,dc=com
          pool:
            health_check:
              enabled: false
        group_search:
          base_dn: ou=staff,dc=aaa,dc=example,dc=com
  ssl:
    keystore:
      path: /etc/elasticsearch/client-node/shield/node01.jks
      password: abcabc
Any help would be greatly appreciated!
Thanks so much