X-Pack LDAP testing

vijayramachandran · April 30, 2017, 10:40pm

Hi Team,

I have placed LDAP entries in elasticsearch.yml file, but how do I check whether or not the LDAP integration is working?

Should I check something else?

I have tried to login with the user which is already in the domain, but it didn't allow me to login, am I missing something?

xpack:
security:
authc:
realms:
ldap1:
type: ldap
order: 0
url: "ldaps://gslb.yyacg.yyads.cg.com"
bind_dn: "cn=dev_ad, ou=users, dc=YYCGG, dc=YYADS, dc=CG, DC=COM"
bind_password: password
user_search:
base_dn: "dc=YYCGG, dc=YYADS, dc=CG, DC=COM"
attribute: cn
group_search:
base_dn: "dc=YYCGG, dc=YYADS, dc=CG, DC=COM"

TimV · May 1, 2017, 2:19am

Note: Please use a code block when pasting configuration files or code into these forums. Whitespace/indenting is very important in YAML, and the forums will not preserve your format unless you designate your content as a "code block" by either indenting it all with 4 spaces, or surrounding it with 3 back-ticks, like below.

```
xpack:
   security:
```

That said, since we don't know how your LDAP server is configured, we really can't tell you whether your configuration is correct.

I do note that it looks like your server is an Active Directory server, but you have chosen to use the ldap realm rather than the active_directory realm. That can work, but it's not the generally recommended approach. I would encourage you to look at the active directory realm.

You can debug the LDAP and AD realms by turning on DEBUG or TRACE logging as per below (You may need to modify the user (-uelastic) and the url to match your environment):

curl -uelastic -XPUT 'localhost:9200/_cluster/settings?pretty' -H 'Content-Type: application/json' -d'
{
  "transient": {
    "logger.org.elasticsearch.xpack.security.authc.ldap": "DEBUG"
  }
}
'

And then try to hit the authenticate API

The elasticsearch.log log file will contain useful diagnostics about the authentication.
DEBUG logging is probably enough to sort through most issues. You can turn it up to TRACE, but then you'll get a lot more output which may make it harder to read.

vijayramachandran · May 2, 2017, 2:55pm

Thanks for the update.

I tried with AD conf as below from the link from elasticsearch,

xpack:
  security:
    authc:
      realms:
        active_directory:
          type: active_directory
          order: 0
          domain_name: gslb.yydbg.yyads.db.com
          url: "ldaps://gslb.yydbg.yyads.db.com:636"
          unmapped_groups_as_roles: true

and I get the below error,

curl -u ramacvij:hello123 http://10.245.45.21:9200
{"error":{"root_cause":[{"type":"security_exception","reason":"error attempting to authenticate request","header":{"WWW-Authenticate":"Basic realm="security" charset="UTF-8""}}],"type":"security_exception","reason":"error attempting to authenticate request","caused_by":{"type":"l_d_a_p_exception","reason":"An error occurred while attempting to connect to server gslb.yydbg.yyads.db.com:636: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'gslb.yydbg.yyads.db.com:636' because an unexpected error was encountered during validation processing: SSLPeerUnverifiedException(message='peer not authenticated', trace='getPeerCertificates(SSLSessionImpl.java:431) / verifySSLSocket(HostNameSSLSocketVerifier.java:113) / (LDAPConnectionInternals.java:166) / connect(LDAPConnection.java:860) / connect(LDAPConnection.java:760) / connect(LDAPConnection.java:710) / (LDAPConnection.java:534) / getConnection(SingleServerSet.java:229) / getConnection(ServerSet.java:98) / getConnection(FailoverServerSet.java:545) / getConnection(FailoverServerSet.java:459) / session(ActiveDirectorySessionFactory.java:104) / lambda$doAuthenticate$0(LdapRealm.java:130) / run(ThreadContext.java:527) / runWorker(ThreadPoolExecutor.java:1142) / run(ThreadPoolExecutor.java:617) / run(Thread.java:745)', revision=24201)')","caused_by":{"type":"i_o_exception","reason":"LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'gslb.yydbg.yyads.db.com:636' because an unexpected error was encountered during validation processing: SSLPeerUnverifiedException(message='peer not authenticated', trace='getPeerCertificates(SSLSessionImpl.java:431) / verifySSLSocket(HostNameSSLSocketVerifier.java:113) / (LDAPConnectionInternals.java:166) / connect(LDAPConnection.java:860) / connect(LDAPConnection.java:760) / connect(LDAPConnection.java:710) / (LDAPConnection.java:534) / getConnection(SingleServerSet.java:229) / getConnection(ServerSet.java:98) / getConnection(FailoverServerSet.java:545) / getConnection(FailoverServerSet.java:459) / session(ActiveDirectorySessionFactory.java:104) / lambda$doAuthenticate$0(LdapRealm.java:130) / run(ThreadContext.java:527) / runWorker(ThreadPoolExecutor.java:1142) / run(ThreadPoolExecutor.java:617) / run(Thread.java:745)', revision=24201)')","caused_by":{"type":"l_d_a_p_exception","reason":"Unable to verify an attempt to to establish a secure connection to 'gslb.yydbg.yyads.db.com:636' because an unexpected error was encountered during validation processing: SSLPeerUnverifiedException(message='peer not authenticated', trace='getPeerCertificates(SSLSessionImpl.java:431) / verifySSLSocket(HostNameSSLSocketVerifier.java:113) / (LDAPConnectionInternals.java:166) / connect(LDAPConnection.java:860) / connect(LDAPConnection.java:760) / connect(LDAPConnection.java:710) / (LDAPConnection.java:534) / getConnection(SingleServerSet.java:229) / getConnection(ServerSet.java:98) / getConnection(FailoverServerSet.java:545) / getConnection(FailoverServerSet.java:459) / session(ActiveDirectorySessionFactory.java:104) / lambda$doAuthenticate$0(LdapRealm.java:130) / run(ThreadContext.java:527) / runWorker(ThreadPoolExecutor.java:1142) / run(ThreadPoolExecutor.java:617) / run(Thread.java:745)', revision=24201)","caused_by":{"type":"s_s_l_peer_unverified_exception","reason":"peer not authenticated"}}}},"header":{"WWW-Authenticate":"Basic realm="security" charset="UTF-8""}},"status":401}

Same error for this conf as well,

  xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldaps://gslb.yydbg.yyads.db.com:636"
          ssl:
              certificate_authorities: [ "/home/elastic/applications/elasticsearch-5.2.1/config/x-pack/db-uat-root-ca.pem" ]
          bind_dn: "cn=some_user, ou=users, dc=YYDBG, dc=YYADS, dc=DB, DC=COM"
          bind_password: hellothere
          user_search:
                base_dn: "dc=YYDBG, dc=YYADS, dc=DB, DC=COM"
                attribute: cn
          group_search:
                 base_dn: "dc=YYDBG, dc=YYADS, dc=DB, DC=COM"

TimV · May 3, 2017, 12:20am

/home/elastic/applications/elasticsearch-5.2.1/config/x-pack/db-uat-root-ca.pem

Are you absolutely certain that this is the right CA cert for the AD server? If you're getting that SSL error then it's probably not.

system · May 31, 2017, 12:22am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.