LDAPSearchException: referral limit exceeded

security

(sabad) #1

I have this issue causing Kibana to work sporadically.

This issue is happening when the ES is throwing the error.
cause: com.unboundid.ldap.sdk.LDAPSearchException: referral limit exceeded

It recovers after some time.


(Jay Modi) #2

Are you using the ldap realm or the active directory realm? Can you provide the full exception and your configuration (minus any sensitive data)?


(sabad) #3

I moved the realm from local(file) to AD.
It was working fine with file based.
elasticsearch.yml

shield:
  authc:
    realms:
      active_directory:
        type: active_directory
        order: 0
        domain_name: ops.saba
        url: ldap://ops.xaba:389
        unmapped_groups_as_roles: true

role_mapping.yml
monitoring:
  - 'cn=logstash,cn=Users,dc=ops,dc=saba'
  - 'cn=kibana4-server,cn=Users,dc=ops,dc=saba'
  - 'cn=dala,cn=Users,dc=ops,dc=saba'
admin:
  - 'cn=logstash,cn=Users,dc=ops,dc=saba'
  - 'cn=kibana4-server,cn=Users,dc=ops,dc=saba'
  - 'cn=dala,cn=Users,dc=ops,dc=saba'
power_user:
  - 'cn=logstash,cn=Users,dc=ops,dc=saba'
  - 'cn=kibana4-server,cn=Users,dc=ops,dc=saba'
  - 'cn=dala,cn=Users,dc=ops,dc=saba'
user:
  - 'cn=logstash,cn=Users,dc=ops,dc=saba'
  - 'cn=kibana4-server,cn=Users,dc=ops,dc=saba'
  - 'cn=dala,cn=Users,dc=ops,dc=saba'
kibana4:
  - 'cn=logstash,cn=Users,dc=ops,dc=saba'
  - 'cn=kibana4-server,cn=Users,dc=ops,dc=saba'
  - 'cn=dala,cn=Users,dc=ops,dc=saba'
kibana4_server:
  - 'cn=logstash,cn=Users,dc=ops,dc=saba'
  - 'cn=kibana4-server,cn=Users,dc=ops,dc=saba'
  - 'cn=dala,cn=Users,dc=ops,dc=saba'

Currently, only kibana4-server is working fine

cause: com.unboundid.ldap.sdk.LDAPSearchException: referral limit exceeded
[2016-06-23 17:52:44,384][WARN ][shield.authc.activedirectory] [n3pv01inflsh01] authentication failed for user [kibana4-server]: unable to authenticate user [kibana4-server] to active directory domain [ops.saba]
cause: com.unboundid.ldap.sdk.LDAPSearchException: referral limit exceeded
[2016-06-23 17:52:48,387][WARN ][shield.authc.activedirectory] [n3pv01inflsh01] authentication failed for user [kibana4-server]: unable to authenticate user [kibana4-server] to active directory domain [ops.saba]
cause: com.unboundid.ldap.sdk.LDAPSearchException: referral limit exceeded


(sabad) #4

It is very sporadic.


(sabad) #5

It works when the status changes to green

log [17:46:29.695] [error][status][plugin:elasticsearch] Status changed from red to red - Request Timeout after 1500ms
log [17:46:32.491] [error][status][plugin:elasticsearch] Status changed from red to red - Elasticsearch is still initializing the kibana index.
log [17:46:43.673] [info][status][plugin:elasticsearch] Status changed from red to green - Kibana index ready
log [17:51:13.904] [error][status][plugin:elasticsearch] Status changed from green to red - Request Timeout after 1500ms
log [17:52:56.858] [info][status][plugin:elasticsearch] Status changed from red to green - Kibana index ready


(Jay Modi) #6

Are you in a single domain or a forest with the potential for a lot of referrals?

You may want to try setting follow_referrals: false in your realm settings if you do not need to follow referrals.


(sabad) #7

Thank You Jay, it worked like a charm.
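
An added example, not part of the original thread and not Elastic's code: a small Python triage script that pairs each Shield authentication-failure line with its `cause:` line, in the log format quoted above, and separates referral-limit failures from other causes. This helps confirm that a burst of failed logins comes from the directory lookup rather than from bad credentials. The sample log is constructed; the `example-user` entry and its cause text are invented for contrast.

```python
import re
from collections import Counter

# Constructed sample in the format of the Shield log lines quoted in the thread.
# The leading orphan "cause:" line mirrors the paste; the example-user entry
# and its cause text are invented for contrast.
SAMPLE_LOG = """\
cause: com.unboundid.ldap.sdk.LDAPSearchException: referral limit exceeded
[2016-06-23 17:52:44,384][WARN ][shield.authc.activedirectory] [n3pv01inflsh01] authentication failed for user [kibana4-server]: unable to authenticate user [kibana4-server] to active directory domain [ops.saba]
cause: com.unboundid.ldap.sdk.LDAPSearchException: referral limit exceeded
[2016-06-23 17:52:48,387][WARN ][shield.authc.activedirectory] [n3pv01inflsh01] authentication failed for user [kibana4-server]: unable to authenticate user [kibana4-server] to active directory domain [ops.saba]
cause: com.unboundid.ldap.sdk.LDAPSearchException: referral limit exceeded
[2016-06-23 17:53:02,101][WARN ][shield.authc.activedirectory] [n3pv01inflsh01] authentication failed for user [example-user]: unable to authenticate user [example-user] to active directory domain [ops.saba]
cause: com.unboundid.ldap.sdk.LDAPException: invalid credentials
"""

FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[WARN\s*\]\[shield\.authc\.(?P<realm>[\w.]+)\s*\]"
    r".*?authentication failed for user \[(?P<user>[^\]]+)\]")
CAUSE_RE = re.compile(r"^cause:\s*(?P<exc>[\w.$]+):\s*(?P<msg>.*)$")

def parse_failures(text):
    """Pair each authentication-failure line with the 'cause:' line after it."""
    events, pending = [], None
    for line in text.splitlines():
        fail = FAIL_RE.match(line)
        if fail:
            if pending:                      # previous failure had no cause line
                events.append(pending)
            pending = {**fail.groupdict(), "exc": None, "msg": None}
            continue
        cause = CAUSE_RE.match(line.strip())
        if cause and pending:                # orphan cause lines are ignored
            pending.update(cause.groupdict())
            events.append(pending)
            pending = None
    if pending:
        events.append(pending)
    return events

def summarize(events):
    """Count failures per (user, realm, kind): referral limit vs. anything else."""
    counts = Counter()
    for e in events:
        hit = "referral limit exceeded" in (e["msg"] or "")
        counts[(e["user"], e["realm"], "referral_limit" if hit else "other")] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(parse_failures(SAMPLE_LOG)).items()):
        print(*key, n)
```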

