Hi.
We are planning to migrate our Elasticsearch security from Search Guard to X-Pack security.
Below is the error we are getting while connecting to Elasticsearch via the LDAP realm:
[2020-05-06T04:46:53,557][DEBUG][o.e.x.s.a.AuthenticationService] [elk-dev9] Authentication of [xprl187] using realm [reserved/reserved] with token [UsernamePasswordToken] was [AuthenticationResult{status=CONTINUE, user=null, message=null, exception=null}]
[2020-05-06T04:46:57,121][DEBUG][o.e.x.s.a.l.LdapRealm ] [elk-dev9] Exception occurred during authenticate for ldap/ldap1
com.unboundid.ldap.sdk.LDAPBindException: NDS error: failed authentication (-669)
at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1372) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1258) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
at com.unboundid.ldap.sdk.LDAPConnectionPool.getConnection(LDAPConnectionPool.java:1792) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
at java.security.AccessController.doPrivileged(AccessController.java:554) ~[?:?]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.privilegedConnect(LdapUtils.java:74) ~[x-pack-security-7.6.1.jar:7.6.1]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.searchForEntry(LdapUtils.java:261) [x-pack-security-7.6.1.jar:7.6.1]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.searchForEntry(LdapUtils.java:213) [x-pack-security-7.6.1.jar:7.6.1]
at org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.findUser(LdapUserSearchSessionFactory.java:222) [x-pack-security-7.6.1.jar:7.6.1]
at org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.getSessionWithPool(LdapUserSearchSessionFactory.java:79) [x-pack-security-7.6.1.jar:7.6.1]
at org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory.session(PoolingSessionFactory.java:96) [x-pack-security-7.6.1.jar:7.6.1]
at org.elasticsearch.xpack.security.authc.ldap.LdapRealm.lambda$doAuthenticate$1(LdapRealm.java:131) [x-pack-security-7.6.1.jar:7.6.1]
at org.elasticsearch.xpack.security.authc.ldap.LdapRealm$CancellableLdapRunnable.doRun(LdapRealm.java:314) [x-pack-security-7.6.1.jar:7.6.1]
at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:692) [elasticsearch-7.6.1.jar:7.6.1]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-7.6.1.jar:7.6.1]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
at java.lang.Thread.run(Thread.java:830) [?:?]
[2020-05-06T04:46:57,130][DEBUG][o.e.x.s.a.AuthenticationService] [elk-dev9] Authentication of [XXXXX] using realm [ldap/ldap1] with token [UsernamePasswordToken] was [AuthenticationResult{status=CONTINUE, user=null, message=authenticate failed, exception=LDAPException(resultCode=49 (invalid credentials), diagnosticMessage='NDS error: failed authentication (-669)', ldapSDKVersion=4.0.8, revision=28812)}]
[2020-05-06T04:46:57,130][WARN ][o.e.x.s.a.AuthenticationService] [elk-dev9] Authentication to realm ldap1 failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), diagnosticMessage='NDS error: failed authentication (-669)', ldapSDKVersion=4.0.8, revision=28812))
NOTE: The same LDAP configuration is working fine with the Search Guard LDAP setup.
LDAP Realm Configuration:
xpack.security:
  authc:
    realms:
      ldap:
        ldap1:
          order: 3
          url: [ "ldap://xxxxx.ldp.tla.xxx.com:389" ]
          ssl.certificate_authorities: [ "ca-bundle.cer" ]
          bind_dn: 'cn=xxxx,ou=xxr,ou=xx'
          bind_password: '****'
          user_search:
            base_dn: 'ou=xxx,ou=xx'
            filter: '(member={0})'
          group_search:
            base_dn: "ou=xx,ou=xx"
            user_attribute: cn
          files:
            role_mapping: "<path>/roles_mapping.yml"
          unmapped_groups_as_roles: true
          ssl.key.path: xxx.key
          ssl.certificate: ca-bundle.cer
          authentication.enabled: true
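When triaging a failed LDAP realm authentication like the one above, the useful question is which credentials were rejected: the realm's own `bind_dn`/`bind_password` used to open a pooled connection for the user search, or the end user's password. The stack trace answers that, because `LDAPConnectionPool.createConnection` sits below `LdapUtils.searchForEntry` and `LdapUserSearchSessionFactory.findUser`, i.e. the bind failed while the pool was creating the service-account connection, before any user entry was looked up. The following is an added example (not code from the post or from Elasticsearch) that parses the WARN summary line and the stack frames to extract the LDAP result code and classify the failing stage. The log text is constructed from the lines in the post with the username placeholder kept; the frame ordering rule is a heuristic based on those frames and is labelled as such in the code.

```python
import re

# Constructed sample log: the LdapRealm DEBUG line, the UnboundID exception,
# a few of the stack frames and the AuthenticationService WARN summary line,
# copied from the post above (usernames already redacted there).
SAMPLE_LOG = """\
[2020-05-06T04:46:57,121][DEBUG][o.e.x.s.a.l.LdapRealm ] [elk-dev9] Exception occurred during authenticate for ldap/ldap1
com.unboundid.ldap.sdk.LDAPBindException: NDS error: failed authentication (-669)
at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1372) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
at com.unboundid.ldap.sdk.LDAPConnectionPool.getConnection(LDAPConnectionPool.java:1792) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.privilegedConnect(LdapUtils.java:74) ~[x-pack-security-7.6.1.jar:7.6.1]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.searchForEntry(LdapUtils.java:261) [x-pack-security-7.6.1.jar:7.6.1]
at org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.findUser(LdapUserSearchSessionFactory.java:222) [x-pack-security-7.6.1.jar:7.6.1]
[2020-05-06T04:46:57,130][WARN ][o.e.x.s.a.AuthenticationService] [elk-dev9] Authentication to realm ldap1 failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), diagnosticMessage='NDS error: failed authentication (-669)', ldapSDKVersion=4.0.8, revision=28812))
"""

# Matches the AuthenticationService WARN summary and pulls out realm, LDAP
# result code and the server's diagnostic message.
RESULT_RE = re.compile(
    r"Authentication to realm (?P<realm>\S+) failed.*?"
    r"resultCode=(?P<code>\d+) \((?P<code_name>[^)]*)\).*?"
    r"diagnosticMessage='(?P<diag>[^']*)'"
)

# Matches one Java stack frame: "at <package>.<Class>.<method>(...)".
FRAME_RE = re.compile(r"^\s*at (?P<cls>[\w.$]+)\.(?P<method>[\w$<>]+)\(")


def parse_failure(log_text):
    """Return a dict describing the first realm failure summary, or None."""
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            return {
                "realm": m["realm"],
                "result_code": int(m["code"]),
                "code_name": m["code_name"],
                "diagnostic": m["diag"],
            }
    return None


def stack_methods(log_text):
    """Return 'SimpleClass.method' for each stack frame, innermost first."""
    methods = []
    for line in log_text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            simple_cls = m["cls"].rsplit(".", 1)[-1]
            methods.append(f"{simple_cls}.{m['method']}")
    return methods


def classify_stage(methods):
    """Heuristic (assumption, based on the frames in the post): frames are
    innermost first, so if the pooled connection is still being created on the
    way into the user search, the rejected credentials are the realm's own
    bind_dn/bind_password rather than the user's password."""
    try:
        i_create = methods.index("LDAPConnectionPool.createConnection")
        i_search = methods.index("LdapUtils.searchForEntry")
    except ValueError:
        return "unknown"
    if i_create < i_search:
        return "bind_dn (service account) bind while opening pooled connection"
    return "after user search (user credential bind or later)"


def diagnose(log_text):
    """Combine the summary line and the stack frames into one triage record."""
    failure = parse_failure(log_text) or {}
    failure["stage"] = classify_stage(stack_methods(log_text))
    return failure


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Result code 49 is the generic LDAP "invalid credentials" code and the "NDS error" prefix in the diagnostic message comes from the directory server itself, so the script deliberately reports both: the code tells you the bind was rejected, the stage tells you which account to check first.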