Shield and LDAP error

security

(maitreya) #1

Hello,

I have integrated Shield and LDAP. Both of these components are on the same machine (Windows 10). I'm doing this exercise before implementing it on production. Below is the ldap realm:

shield:
  authc:
    realms:
      ldap1:
        type: ldap
        order: 0
        url: "ldaps://localhost:636"
        bind_dn: "cn=Manager,dc=maxcrc,dc=com"
        bind_password: secret
        user_search:
          base_dn: "dc=maxcrc,dc=com"
          attribute: cn
        group_search:
          base_dn: "dc=maxcrc,dc=com"
        files:
          role_mapping: "E:/elasticsearch/elasticsearch-2.4.0/config/shield/role_mapping.yml"
        unmapped_groups_as_roles: false

I'm not using SSL between LDAP and Shield.

I'm getting this error in the startup logs:

[2016-09-09 15:29:04,403][ERROR][shield.authc.ldap ] [Elysius] unable to create connection pool for realm [ldap1]: An error occurred while attempting to connect to server localhost:636: java.io.IOException: Unable to verify an attempt to to establish a secure connection to 'localhost:636' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

And ultimately it's not getting authenticated from the browser too.

Edit: I changed the realm to this:

shield:
  authc:
    realms:
      ldap1:
        type: ldap
        order: 0
        url: "ldaps://localhost:636"
        user_dn_templates:
          - "cn={0}, ou=users, cn=Manager,dc=maxcrc,dc=com"
        group_search:
          base_dn: "dc=maxcrc,dc=com"
        files:
          role_mapping: "E:/elasticsearch/elasticsearch-2.4.0/config/shield/role_mapping.yml"
        unmapped_groups_as_roles: false

It starts up without any errors, but when I give the LDAP user credentials in the browser, Manager/secret (password), it doesn't authenticate.
Please help.


(Jay Modi) #2

The configuration you use does indicate that you want to use ssl. ldaps is the scheme for LDAP with ssl; port 636 is the typical port for an LDAP server to listen using ssl.

If you do not want to use ssl, use:

url: "ldap://localhost:389"
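A small added check, not from the thread or from Shield itself, that pulls the `url:` out of a realm config and flags the scheme/port/intent mismatch described above (ldaps:// asking for TLS while none was intended, or a scheme paired with the wrong default port). The embedded YAML snippet is constructed to mirror the original post.

```python
import re
from urllib.parse import urlsplit

# Default ports for the two LDAP URL schemes Shield accepts.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed sample mirroring the realm from the original post (not a real deployment).
SAMPLE_REALM = '''
shield:
  authc:
    realms:
      ldap1:
        type: ldap
        url: "ldaps://localhost:636"
'''


def realm_urls_from_yaml(text: str) -> list:
    """Pull every `url:` value out of a realm config (regex, so no YAML parser is needed)."""
    return [m.group(1) for m in re.finditer(r'^\s*url:\s*"?([^"\s]+)"?', text, re.M)]


def check_ldap_url(url: str, want_tls: bool) -> list:
    """Compare an LDAP realm URL with the transport the operator intends.

    Returns a list of findings; an empty list means scheme, port and intent agree.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return ["scheme %r is not ldap or ldaps" % scheme]
    findings = []
    if not parts.hostname:
        findings.append("URL has no host")
    # No explicit port means the scheme's default (389 for ldap, 636 for ldaps).
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    uses_tls = scheme == "ldaps"
    if uses_tls and not want_tls:
        findings.append("ldaps:// requests TLS but none was intended; Shield will try to "
                        "verify the server certificate (the 'peer not authenticated' error)")
    if not uses_tls and want_tls:
        findings.append("ldap:// sends binds in plaintext but TLS was intended")
    if uses_tls and port == DEFAULT_PORTS["ldap"]:
        findings.append("ldaps:// on port 389 (the plaintext port): TLS handshake will fail")
    if not uses_tls and port == DEFAULT_PORTS["ldaps"]:
        findings.append("ldap:// on port 636 (the TLS port): server expects a TLS handshake")
    return findings


if __name__ == "__main__":
    for u in realm_urls_from_yaml(SAMPLE_REALM):
        print(u, check_ldap_url(u, want_tls=False) or ["ok"])
```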

(maitreya) #3

Thanks a lot, Jay. It worked. Totally forgot to change that ldap uri. :slight_smile:
