Settings from elasticsearch-keystore not loaded

sureshsubramaniyan · May 24, 2018, 2:42am

I have stored the active directory bind user password in elasticsearch keystore . but password not getting read from the keystore .

elasticsearch.yml settings:

xpack:
  security:
    authc:
      realms:
        native1:
           type: native
           order: 0
        ldapad:
           type: active_directory
           order: 1
           domain_name: domain.net
           url: ["ldap://domain1.net:389","ldap://domain2.net:389"]
           load_balance.type: failover
           bind_dn: elkuser.001
           user_search.base_dn: "OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx"

keystore :

elastic@elkhost[bin] $ ./elasticsearch-keystore list
keystore.seed
xpack.security.authc.realms.ldapad.bind_password
elastic@elkhost[bin] $

logs:

[2018-05-24T02:23:31,564][WARN ][o.e.x.s.a.AuthenticationService] [dev-node1] Authentication to realm ldapad failed - authenticate failed (Caused by LDAPException(resultCode=89 (parameter error), errorMessage='Simple bind operations are not allowed to contain a bind DN without a password.', diagnosticMessage='Simple bind operations are not allowed to contain a bind DN without a password.'))

rjernst · May 24, 2018, 4:18am

The elasticsearch keystore cannot be used with any arbitrary settings. Each setting must be specifically configured in the code to look in the keystore. The bind password here has been updated to support keystore, but that has not yet been released (it will be in 6.3.0). Also note the setting in the keystore has a different name (so there is no ambiguity if it existed in both elasticsearch.yml and the keystore). The keystore setting name has secure_ prefixed, so secure_bind_password.

sureshsubramaniyan · May 29, 2018, 12:34pm

@rjernst ,

thanks for your update.

system · June 26, 2018, 12:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.