XPack and LDAP with StartTLS

Hello,

I'm trying out XPack and trying to integrate it with our LDAP server, which uses StartTLS encryption instead of the ldaps protocol and is well integrated with several clients.

In the Xpack documentation https://www.elastic.co/guide/en/x-pack/current/ldap-realm.html, there is no mention of StartTLS, which is a quite widespread way of communicating with LDAP. I would like to know whether it is supported by Xpack or not at all.

I tried the following conf in elasticsearch.yml:
xpack:
  security:
    authc:
      realms:
        file:
          type: file
          order: 0
        native:
          type: native
          order: 1
        ldap1:
          type: ldap
          order: 2
          url: "ldap://myserver:389"
          ssl:
            certificate_authorities: ["/etc/elasticsearch/x-pack/ldapserver.pem"]
          bind_dn: "uid=auth-user, cn=users, ou=internal, dc=domain, dc=com"
          bind_password: ***
          user_search:
            base_dn: "dc=domain,dc=com"
            attribute: uid
          group_search:
            base_dn: "dc=domain,dc=com"
          files:
            role_mapping: "/etc/elasticsearch/x-pack/role_mapping.yml"
          unmapped_groups_as_roles: false

which gives in the logs:

Authentication to realm ldap1 failed - authenticate failed (Caused by LDAPException(resultCode=13 (confidentiality required), errorMessage='TLS confidentiality required', diagnosticMessage='TLS confidentiality required'))

which is normal since the ldap server requires StartTLS communication.

And when I replace url: "ldap://myserver:389" with url: "ldaps://myserver:389":

Authentication to realm ldap1 failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server myserver:389: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'myserver:389' because an unexpected error was encountered during validation processing: SSLPeerUnverifiedException(message='peer not authenticated', trace='getPeerCertificates(SSLSessionImpl.java:431) / verifySSLSocket(HostNameSSLSocketVerifier.java:113) / (LDAPConnectionInternals.java:166) / connect(LDAPConnection.java:860) / connect(LDAPConnection.java:760) / connect(LDAPConnection.java:710) / (LDAPConnection.java:534) / getConnection(SingleServerSet.java:229) / getConnection(ServerSet.java:98) / getConnection(FailoverServerSet.java:545) / createConnection(LDAPConnectionPool.java:1205) / createConnection(LDAPConnectionPool.java:1178) / getConnection(LDAPConnectionPool.java:1706) / searchForEntry(LdapUtils.java:142) / searchForEntry(LdapUtils.java:94) / findUser(LdapUserSearchSessionFactory.java:255) / getSessionWithPool(LdapUserSearchSessionFactory.java:108) / session(PoolingSessionFactory.java:101) / lambda$doAuthenticate$0(LdapRealm.java:161) / doRun(LdapRealm.java:317) / doRun(ThreadContext.java:638) / run(AbstractRunnable.java:37) / runWorker(ThreadPoolExecutor.java:1142) / run(ThreadPoolExecutor.java:617) / run(Thread.java:745)', revision=24201)')'))

So again, the question is: Does Xpack support StartTLS? If not, is it planned? If so, what's the proper way of configuring the realm?

Thanks!
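An added example, not part of the original post or of X-Pack itself: a small log triage helper that reads the two kinds of LDAP realm failures quoted above (result code 13 "confidentiality required" on a cleartext bind, result code 91 "connect error" with "peer not authenticated" when ldaps:// is pointed at port 389) and turns them into a concrete hint for the operator. The regexes, the sample log lines and the hint wording are this example's own assumptions about the log format.

```python
import re

# Constructed sample log lines, modelled on the two errors quoted in the post above.
SAMPLE_LOGS = [
    "Authentication to realm ldap1 failed - authenticate failed (Caused by "
    "LDAPException(resultCode=13 (confidentiality required), "
    "errorMessage='TLS confidentiality required'))",
    "Authentication to realm ldap1 failed - authenticate failed (Caused by "
    "LDAPException(resultCode=91 (connect error), errorMessage='An error occurred "
    "while attempting to connect to server myserver:389: java.io.IOException: "
    "SSLPeerUnverifiedException(message='peer not authenticated')'))",
]

REALM_RE = re.compile(r"Authentication to realm (\S+) failed")
RESULT_RE = re.compile(r"resultCode=(\d+) \(([^)]*)\)")      # outermost code first
SERVER_RE = re.compile(r"connect to server ([\w.\-]+):(\d+)")

def classify_ldap_failure(line):
    """Return a dict describing why an X-Pack LDAP realm authentication failed, or None."""
    realm = REALM_RE.search(line)
    result = RESULT_RE.search(line)
    if not result:
        return None
    code, name = int(result.group(1)), result.group(2)
    info = {"realm": realm.group(1) if realm else None, "code": code, "name": name}
    if code == 13:
        # The server refused a cleartext operation (LDAP result code 13): it wants
        # StartTLS on this port, or an LDAPS connection on its TLS port.
        info["hint"] = "server requires TLS: use StartTLS on this port or ldaps:// on the TLS port"
    elif code == 91:
        server = SERVER_RE.search(line)
        info["server"] = server.group(1) if server else None
        info["port"] = int(server.group(2)) if server else None
        if "peer not authenticated" in line and info["port"] == 389:
            # A TLS handshake was attempted against the cleartext/StartTLS port.
            info["hint"] = "TLS handshake on port 389 failed: ldaps:// expects the TLS port (636 by default)"
        elif "peer not authenticated" in line:
            info["hint"] = "TLS peer verification failed: check certificate_authorities and the hostname"
        else:
            info["hint"] = "connection failed before bind: check host, port and firewall"
    else:
        info["hint"] = "unclassified LDAP result code"
    return info

def triage(lines):
    """Classify every line that carries an LDAP result code; skip the rest."""
    return [r for r in map(classify_ldap_failure, lines) if r]

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOGS):
        print(entry)
```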
