Problems after trying to setup realms

On elasticsearch 6.6.1, we were trying to add a realm for our active directory environment.

We first added something similar to this:

```yaml
xpack:
  security:
    authc:
      realms:
        native1:
          type: native
          order: 0
        ldap1:
          type: ldap
          order: 1
          url: "ldaps://ldap.sanitized.edu:3269"
          .....snip.....
```

Pretty much per the example, just changing our environment. We configured role_mapping.yml, started elasticsearch but got this error....

parsed [0] roles from file [/etc/elasticsearch/roles.yml]

After some stumbles, we realized we should be using the active_directory type, so we changed the elasticsearch.yml to:

```yaml
xpack:
  security:
    authc:
      realms:
        native1:
          type: native
          order: 0
        active_directory:
          type: active_directory
          order: 1
          domain_name: also.sanitized.edu
          url: "ldaps://ldap.sanitized.edu:3269"
          bind_dn: our_bind_guy@sanitized.edu
```

Now we get errors like:

missing realm type [xpack.security.authc.realms.ldap1.type] for realm

That is confusing: the string "ldap1" exists nowhere in /etc/elasticsearch, verified by grep. Has elasticsearch saved some of this bad realm info in its database?

We are stuck; we're going to move to a more expendable stack and start over, but I would like to get this stack back if possible.

Thanks.

Can you please format YAML as a code block (the </> button) rather than a block quote?
Whitespace is important in YAML, and it's impossible to know what your config looks like if the spacing is stripped.

That's not an error. The bit of the log that you stripped off from the beginning says that it is an INFO message.

[2019-03-13T12:34:56,789][INFO ][o.e.x.s.a.s.FileRolesStore] [node01] parsed [0] roles from file [/etc/elasticsearch/roles.yml]

Info messages are helpful for diagnosing problems when something goes wrong, but you shouldn't read them as a sign that there's a problem.

Check your keystore:

bin/elasticsearch-keystore list

OK, this is the fix

elasticsearch-keystore remove xpack.security.authc.realms.ldap1.secure_bind_password

I knew we left it in there, I just guessed it wouldn't be referenced.

Thanks
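The root cause in this thread was a secure setting left in the keystore for a realm name that no longer exists in elasticsearch.yml. As an added example (not code from the thread or from Elastic), this small script compares the realm names found under `realms:` in elasticsearch.yml with the keys printed by `bin/elasticsearch-keystore list` and reports the orphaned entries, using the 6.x key layout `xpack.security.authc.realms.<name>.<setting>`; the sample YAML and keystore listing are constructed.

```python
import re

# 6.x keystore layout: xpack.security.authc.realms.<realm-name>.<setting> (7.x adds a type segment)
REALM_SETTING = re.compile(r"^xpack\.security\.authc\.realms\.([^.]+)\.")

def realm_names_from_yaml(yaml_text):
    """Names nested one level under 'realms:' in a block-style elasticsearch.yml.
    Minimal on purpose (no PyYAML); flow-style or dotted keys are not handled."""
    names, realms_indent, child_indent = [], None, None
    for raw in yaml_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if realms_indent is None:
            if raw.strip() == "realms:":
                realms_indent = indent
            continue
        if indent <= realms_indent:
            break  # left the realms block
        child_indent = indent if child_indent is None else child_indent
        if indent == child_indent and raw.strip().endswith(":"):
            names.append(raw.strip()[:-1])
    return names

def orphaned_realm_settings(keystore_lines, configured_realms):
    """Keystore keys whose realm name no longer appears in elasticsearch.yml."""
    known, orphans = set(configured_realms), []
    for key in (line.strip() for line in keystore_lines):
        m = REALM_SETTING.match(key)
        if m and m.group(1) not in known:
            orphans.append(key)
    return orphans

# Constructed samples: the thread's second config (realm names only) and a keystore
# listing where the old ldap1 realm's secure bind password was left behind.
SAMPLE_YAML = """xpack:
  security:
    authc:
      realms:
        native1:
          type: native
        active_directory:
          type: active_directory"""
SAMPLE_KEYSTORE = ["keystore.seed", "xpack.security.authc.realms.ldap1.secure_bind_password",
                   "xpack.security.authc.realms.active_directory.secure_bind_password"]

if __name__ == "__main__":
    for key in orphaned_realm_settings(SAMPLE_KEYSTORE, realm_names_from_yaml(SAMPLE_YAML)):
        print("bin/elasticsearch-keystore remove", key)
```

Each reported key is one that the node will still try to bind to a realm definition at startup, which is exactly what produced the "missing realm type" error above.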
