I'm at the end of my tether trying to get Shield to authenticate users against my AD server. I'm getting the error:
[2016-11-21 17:19:42,275][WARN ][shield.authc.activedirectory] [host] authentication failed for user [username]: failed to connect to any active directory servers cause: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server adhost.domain.com:3269: java.io.IOException: Unable to verify an attempt to establish a secure connection to 'adhost.domain.com:3269' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
As far as I can tell this error means the AD server's certificate is untrusted. The AD server has a proper SSL certificate signed by Thawte. Connecting using ldapsearch and openssl s_client succeeds and reports a valid certificate. My keystore has both the AD host's certificate and the Thawte root and intermediate certificates installed. SSL transport comms between all the nodes in my cluster is working with a self-signed certificate and CA setup.
```
keytool -list -keystore keystore.ks

elasticsearch_instance_deforestation_keystore_ca, Nov 21, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): FE:DE:4B:18:A2:C3:18:02:89:15:D8:64:35:FA:F9:85:5F:FC:19:C4
thawte, Nov 21, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81
adhost, Nov 21, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): EE:57:B5:E7:80:41:E8:76:40:13:84:C8:31:81:7B:F0:98:50:81:8D
elasticsearch_instance_deforestation_keystore_node, Nov 21, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 29:5C:7E:4C:D3:8D:2A:49:68:58:31:28:AB:07:33:27:73:69:A4:6E
thawteinter, Nov 21, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 2E:A7:1C:36:7D:17:8C:84:3F:D2:1D:B4:FD:B6:30:BA:54:A2:0D:C5
thawte-2, Nov 21, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): AA:DB:BC:22:23:8F:C4:01:A1:27:BB:38:DD:F4:1D:DB:08:9E:F0:12
```

```yaml
shield.ssl.keystore.password: password
shield.ssl.keystore.path: /etc/elasticsearch/path/to/keystore.ks
shield.transport.ssl: true
shield:
  authc:
    realms:
      esusers:
        type: esusers
        order: 0
      ldap1:
        type: active_directory
        order: 1
        url: ldaps://adhost.domain.com:3269
        domain_name: adhost.domain.com
        bind_dn: "cn=kibana,cn=Users,cd=domain,dc=com"
        bind_password: "password"
        files:
          role_mapping: "/etc/elasticsearch/deforestation/shield/role_mapping.yml"
        unmapped_groups_as_roles: false
```

```yaml
admin:
  - "CN=username,OU=container,OU=othercontainer,DC=domain,DC=com"
```
Any ideas? I've absolutely no idea what I'm missing here.
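Added diagnostic, not code from the post or from Shield: the `peer not authenticated` exception above is raised by the JVM's trust manager, so the quickest way to see why is to replay its two checks outside Elasticsearch against the same keystore. The program below builds an `X509TrustManager` from `keystore.ks` (assuming, as the config suggests, that Shield uses the keystore as its truststore because no `shield.ssl.truststore.path` is set), validates the chain the AD server actually sends, and then applies hostname matching to the leaf certificate, which Shield also does unless the realm's `hostname_verification` is switched off. File names (`keystore.ks`, `chain.pem`) and the class name `CheckAdTrust` are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Replays the checks JSSE makes before UnboundID reports "peer not authenticated":
 *  1. PKIX validation of the server chain against the trustedCertEntry items in the keystore
 *  2. hostname matching against the leaf (SAN dNSName first, CN only when no SAN is present)
 *
 * usage: java CheckAdTrust keystore.ks <password> chain.pem adhost.domain.com
 * chain.pem = the chain the AD server really sends (placeholder name), captured with:
 *   openssl s_client -showcerts -connect adhost.domain.com:3269 </dev/null 2>/dev/null \
 *     | sed -n '/-----BEGIN/,/-----END/p' > chain.pem
 */
public class CheckAdTrust {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: CheckAdTrust <keystore> <password> <chain.pem> <hostname>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        X509Certificate[] chain = readPemChain(args[2]);
        if (chain.length == 0) {
            throw new IllegalArgumentException("no PEM certificates found in " + args[2]);
        }
        // Only trustedCertEntry aliases can act as anchors; a PrivateKeyEntry does not.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("trusted: " + alias + " -> " + c.getSubjectX500Principal());
            }
        }
        System.out.println("server sent " + chain.length + " certificate(s); leaf = "
                + chain[0].getSubjectX500Principal());

        // Check 1: same trust manager JSSE derives from this keystore.
        try {
            trustManagerFrom(ks).checkServerTrusted(chain, "RSA");
            System.out.println("chain: trusted");
        } catch (CertificateException ex) {
            System.out.println("chain: REJECTED -> " + ex);
        }
        // Check 2: does the leaf certificate name the host we dialled?
        System.out.println("hostname " + args[3] + ": "
                + (hostnameMatches(chain[0], args[3]) ? "matches" : "NO MATCH"));
    }

    static X509TrustManager trustManagerFrom(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Every PEM certificate in the file, in file order (s_client prints the leaf first).
    static X509Certificate[] readPemChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            List<X509Certificate> out = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
            return out.toArray(new X509Certificate[0]);
        }
    }

    // dNSName SAN entries; fall back to the subject CN only if the cert has no SAN.
    static boolean hostnameMatches(X509Certificate leaf, String host) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)).intValue() == 2) { // GeneralName type 2 = dNSName
                    names.add((String) san.get(1));
                }
            }
        }
        if (names.isEmpty()) {
            for (Rdn rdn : new LdapName(leaf.getSubjectX500Principal().getName()).getRdns()) {
                if (rdn.getType().equalsIgnoreCase("CN")) {
                    names.add(rdn.getValue().toString());
                }
            }
        }
        for (String name : names) {
            System.out.println("  certificate name: " + name);
            if (nameMatches(name.toLowerCase(), host.toLowerCase())) {
                return true;
            }
        }
        return false;
    }

    // A wildcard covers exactly one leftmost label: *.domain.com matches adhost.domain.com.
    static boolean nameMatches(String pattern, String host) {
        if (pattern.startsWith("*.")) {
            int dot = host.indexOf('.');
            return dot > 0 && host.substring(dot + 1).equals(pattern.substring(2));
        }
        return pattern.equals(host);
    }
}
```

This separates the two things a passing `ldapsearch` or `openssl s_client` does not settle: `s_client` validates against OpenSSL's own CA bundle (or whatever `-CAfile` names), not the Java keystore, and it only checks the hostname when given `-verify_hostname`; `ldapsearch` likewise trusts `TLS_CACERT`/`TLS_CACERTDIR` from `ldap.conf`. Running the replay prints the exact `CertificateException` the JVM produces for this keystore and this chain, and shows whether the leaf's SAN or CN actually contains `adhost.domain.com`.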