LDAPSearchException: referral limit exceeded

sabad · June 23, 2016, 9:26pm

I have this issue causing the kibana work sporadically.

This issue is happening when the ES is throwing the error.
cause: com.unboundid.ldap.sdk.LDAPSearchException: referral limit exceeded

It recovers after sometime.

jaymode · June 23, 2016, 9:41pm

Are you using the ldap realm or the active directory realm? Can you provide the full exception and your configuration (minus any sensitive data)?

sabad · June 23, 2016, 9:55pm

I moved the realm from local(file) to AD.
It was working fine with file based.
elasticsearch.yml

shield:
authc:
realms:
active_directory:
type: active_directory
order: 0
domain_name: ops.saba
url: ldap://ops.xaba:389
unmapped_groups_as_roles: true

role_mapping.yml
monitoring:

'cn=logstash,cn=Users,dc=ops,dc=saba'
'cn=kibana4-server,cn=Users,dc=ops,dc=saba'
'cn=dala,cn=Users,dc=ops,dc=saba'
admin:
'cn=logstash,cn=Users,dc=ops,dc=saba'
'cn=kibana4-server,cn=Users,dc=ops,dc=saba'
'cn=dala,cn=Users,dc=ops,dc=saba'
power_user:
'cn=logstash,cn=Users,dc=ops,dc=saba'
'cn=kibana4-server,cn=Users,dc=ops,dc=saba'
'cn=dala,cn=Users,dc=ops,dc=saba'
user:
'cn=logstash,cn=Users,dc=ops,dc=saba'
'cn=kibana4-server,cn=Users,dc=ops,dc=saba'
'cn=dala,cn=Users,dc=ops,dc=saba'
kibana4:
'cn=logstash,cn=Users,dc=ops,dc=saba'
'cn=kibana4-server,cn=Users,dc=ops,dc=saba'
'cn=dala,cn=Users,dc=ops,dc=saba'
kibana4_server:
'cn=logstash,cn=Users,dc=ops,dc=saba'
'cn=kibana4-server,cn=Users,dc=ops,dc=saba'
'cn=dala,cn=Users,dc=ops,dc=saba'

Currently, only kibana4-server is working fine

cause: com.unboundid.ldap.sdk.LDAPSearchException: referral limit exceeded
[2016-06-23 17:52:44,384][WARN ][shield.authc.activedirectory] [n3pv01inflsh01] authentication failed for user [kibana4-server]: unable to authenticate user [kibana4-server] to active directory domain [ops.saba]
cause: com.unboundid.ldap.sdk.LDAPSearchException: referral limit exceeded
[2016-06-23 17:52:48,387][WARN ][shield.authc.activedirectory] [n3pv01inflsh01] authentication failed for user [kibana4-server]: unable to authenticate user [kibana4-server] to active directory domain [ops.saba]
cause: com.unboundid.ldap.sdk.LDAPSearchException: referral limit exceeded

sabad · June 23, 2016, 9:57pm

It is very sporadic.

sabad · June 23, 2016, 9:58pm

It works when the status change to green

log [17:46:29.695] [error][status][plugin:elasticsearch] Status changed from red to red - Request Timeout after 1500ms
log [17:46:32.491] [error][status][plugin:elasticsearch] Status changed from red to red - Elasticsearch is still initializing the kibana index.
log [17:46:43.673] [info][status][plugin:elasticsearch] Status changed from red to green - Kibana index ready
log [17:51:13.904] [error][status][plugin:elasticsearch] Status changed from green to red - Request Timeout after 1500ms
log [17:52:56.858] [info][status][plugin:elasticsearch] Status changed from red to green - Kibana index ready

jaymode · June 23, 2016, 10:10pm

Are you in a single domain or a forest with the potential for a lot of referrals?

You may want to try setting follow_referrals: false in your realm settings if you do not need to follow referrals.

sabad · June 23, 2016, 10:42pm

Thank You Jay, it worked like a charm.