I have realm settings in my elasticsearch.yml, elasticsearch is working without errors (so I think) as a single node.
I have the realms configured as follows:
```yaml
xpack.security.authc.realms:
  realm1:
    type: native
    order: 0
  realm2:
    type: active_directory
    order: 1
    domain_name: domain.name
    url: ldaps://ad.ldap.server:636
    bind_dn: bind_dn, which works in another app.
    bind_password: thepassword
    ssl:
      certificate_authorities: [ "config/ldapcert/dhp-ldap-chain.pem" ]
```
(actual settings changed to protect the innocent)
I am unsure how to verify that an ad/ldap login would work other than trying several things and then the only error I get is "Oops! Error. Try again." Any help would be appreciated. We are so close to getting our Platinum support set up, so I hope that will be the savior I need.
You can try the _authenticate API , see here. For example, assuming you are testing on localhost and Elasticsearch is listening on 9200 (default port) you can try :
```shell
curl -uUSERNAME -X GET "http://localhost:9200/_xpack/security/_authenticate"
```
where USERNAME should be the sAMAccountName of the AD user you want to authenticate as. You should be prompted for the password and upon entering it you would either get a successful response or you can use the output/log file to get a glimpse as to what failed.
A couple of things:
We deprecated bind_password in 6.3 in favor of secure_bind_password (see also here); you might want to change to this after the rest of your issues have been resolved.
You can enable debug logging to get more insights as to what fails by adding
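As an added example (not from the original thread or from Elastic), a small Python helper that calls the _authenticate endpoint used above with Basic auth and turns the reply into a verdict: success via the expected realm, success via a different realm (e.g. the native realm matched first), a 401 caused by sending no credentials at all, or a 401 rejection whose reason string can be compared with elasticsearch.log. It assumes a 6.x-style endpoint path and a response that carries the authentication_realm field; the realm names and sample responses are constructed for the example.

```python
import base64
import json
import urllib.error
import urllib.request

# Constructed sample responses modelled on the _authenticate API;
# they are not captured from any real cluster.
SAMPLE_OK = {
    "username": "jdoe",
    "roles": ["kibana_user"],
    "enabled": True,
    "authentication_realm": {"name": "realm2", "type": "active_directory"},
    "lookup_realm": {"name": "realm2", "type": "active_directory"},
}
SAMPLE_401 = {
    "error": {"type": "security_exception",
              "reason": "missing authentication token for REST request [/_xpack]"},
    "status": 401,
}


def classify(status, body, expected_realm="realm2"):
    """Map an HTTP status and decoded JSON body to a short verdict string."""
    if status == 200:
        realm = body.get("authentication_realm", {})
        if realm.get("name") == expected_realm:
            return "ok: %s via %s (%s)" % (body["username"], realm["name"], realm["type"])
        # Authenticated, but by another realm (realm order matters: native is order 0).
        return "ok-but-wrong-realm: %s via %s" % (body["username"], realm.get("name"))
    reason = body.get("error", {}).get("reason", "")
    if status == 401 and "missing authentication token" in reason:
        return "no-credentials-sent"  # the request carried no -u / Authorization header
    if status == 401:
        return "rejected: " + reason  # bad password, unknown user, or realm failure
    return "http-%d: %s" % (status, reason)


def authenticate(base_url, username, password, expected_realm="realm2"):
    """Call _authenticate with Basic auth and return classify()'s verdict."""
    req = urllib.request.Request(base_url.rstrip("/") + "/_xpack/security/_authenticate")
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.status, json.load(resp), expected_realm)
    except urllib.error.HTTPError as err:
        try:
            body = json.loads(err.read().decode())
        except ValueError:
            body = {}
        return classify(err.code, body, expected_realm)
```

Use `authenticate("https://es-host:9200", "sAMAccountName", "password")` against a test cluster; a "rejected" verdict is the cue to read the realm's debug output in elasticsearch.log.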
I am trying to work through some of these commands. It looks like I cannot use localhost and the direct IP gives this error
```
:~$ curl -X GET "IPADDRESS:9200/_xpack"
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/_xpack]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication token for REST request [/_xpack]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}
user@server1:~$
```
Thank you - I was trying to execute a more basic command without a username. I am checking now to see if we even have the sAMAccountName property set up on our AD. If that is NOT, then I am assuming I will need to look at the LDAP authentication setup in X-Pack.
This is a good idea nevertheless. We will be here to assist, but you'd have to share a little more detail on how your AD is setup and the attributes that are available for your users.
Looks like I got it working. Now I just need to be able to add multiple LDAP servers. What is the correct format for the load_balance.type setting in the yml?
I'm not really noticing anything in that log, you meant the elasticsearch.log correct? I do see that resources are allocating to ML and I specifically have ML disabled in this Dev environment.