I encountered a timeout with the LDAP server that I'm using when Shield is attempting to fetch the groups (the user lookup functions properly.) I attempted to increase the timeout to see if that would fix my issue, but it seems that the setting is being ignored (each time the error message says 5000ms, no matter what I attempt to configure it as.)
Here is the error that I'm seeing:
[2016-02-15 10:30:01,849][WARN ][shield.authc.ldap ] [Cecilia Reyes] authentication failed for user [xxx]: could not search for LDAP groups for DN [uid=aaaa,c=bb,ou=cccc,o=ddd]
cause: com.unboundid.ldap.sdk.LDAPSearchException: A client-side timeout was encountered while waiting 5000ms for a response to search request with message ID 1, base DN 'ou=eeee,ou=ffff,o=ddd', scope SUB, and
filter '(&(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))(|(uniqueMember=uid=aaaa,c=bb,ou=cccc,o=ddd)(member=uid=aaaa,c=bb,ou=cccc,o=ddd)))' from server yyyy:636.
and here is the relevant section from my elasticsearch.yml file:
base_dn: "ou=cccc, o=ddd"
I'm running ES 2.2.0 with the latest Shield plugin.