Error with LDAP connection with enabled TLS
When TLS is enabled in the LDAP configuration, OS returns the following error:
# Call to the auth debug endpoint used for the repro. --insecure skips verification of the node's own
# TLS certificate (acceptable for a lab host, not for a real client). Note that the response echoes the
# request headers, including the Basic Authorization value (base64 of user:password) — redact it before
# sharing a capture outside the test environment.
curl -Ss -u hr_employee:hr_employee --insecure -XGET "https://sgssl-0.example.com:9200/_eliatra/security/auth/debug"
{
"status" : "UNAUTHORIZED",
"error" : "Authentication failed",
"debug" : [ {
"method" : "session",
"success" : false,
"message" : "No credentials extracted"
}, {
"method" : "basic/internal_users_db",
"success" : true,
"message" : "Extracted credentials",
"details" : {
"user_name" : "hr_employee",
"user_mapping_attributes" : {
"credentials" : {
"user_name" : "hr_employee"
},
"request" : {
"headers" : {
"Accept" : [ "*/*" ],
"Authorization" : [ "Basic aHJfZW1wbG95ZWU6aHJfZW1wbG95ZWU=" ],
"Host" : [ "sgssl-0.example.com:9200" ],
"User-Agent" : [ "curl/7.49.1-DEV" ],
"content-length" : [ "0" ]
},
"direct_ip_address" : "172.16.0.230",
"originating_ip_address" : "172.16.0.230"
}
}
}
}, {
"method" : "basic/internal_users_db",
"success" : false,
"message" : "Authenticator unavailable: Error while creating connection to LDAP server\nLDAPException(resultCode=81 (server down), diagnosticMessage='The connection to server ldap.example.com:636 was closed while waiting for a response to a bind request SimpleBindRequest(dn='').', ldapSDKVersion=5.0.1, revision=3290ee33d4aa17df1aadb4d814d6534375f395a9)",
"details" : {
"ldap_rc" : "81 (server down)",
"diagnostic_message" : "The connection to server ldap.example.com:636 was closed while waiting for a response to a bind request SimpleBindRequest(dn='').",
"bind_result" : "BindResult(resultCode=81 (server down), diagnosticMessage='The connection to server ldap.example.com:636 was closed while waiting for a response to a bind request SimpleBindRequest(dn='').', hasServerSASLCredentials=false)"
}
}, {
"method" : "basic/ldap",
"success" : true,
"message" : "Extracted credentials",
"details" : {
"user_name" : "hr_employee",
"user_mapping_attributes" : {
"credentials" : {
"user_name" : "hr_employee"
},
"request" : {
"headers" : {
"Accept" : [ "*/*" ],
"Authorization" : [ "Basic aHJfZW1wbG95ZWU6aHJfZW1wbG95ZWU=" ],
"Host" : [ "sgssl-0.example.com:9200" ],
"User-Agent" : [ "curl/7.49.1-DEV" ],
"content-length" : [ "0" ]
},
"direct_ip_address" : "172.16.0.230",
"originating_ip_address" : "172.16.0.230"
}
}
}
}, {
"method" : "basic/ldap",
"success" : false,
"message" : "Authenticator unavailable: Error while creating connection to LDAP server\nLDAPException(resultCode=81 (server down), diagnosticMessage='The connection to server ldap.example.com:636 was closed while waiting for a response to a bind request SimpleBindRequest(dn='').', ldapSDKVersion=5.0.1, revision=3290ee33d4aa17df1aadb4d814d6534375f395a9)",
"details" : {
"ldap_rc" : "81 (server down)",
"diagnostic_message" : "The connection to server ldap.example.com:636 was closed while waiting for a response to a bind request SimpleBindRequest(dn='').",
"bind_result" : "BindResult(resultCode=81 (server down), diagnosticMessage='The connection to server ldap.example.com:636 was closed while waiting for a response to a bind request SimpleBindRequest(dn='').', hasServerSASLCredentials=false)"
}
} ],
Example sp_authc.yml which was used to reproduce the error:
---
# NOTE(review): the paste lost its indentation; the nesting below was
# reconstructed from key order and from the debug output (the LDAP error is
# reported under basic/internal_users_db, which fits
# additional_user_information living inside that domain) — confirm against
# the original file.
auth_domains:
  - type: "basic/internal_users_db"
    # Roles for users authenticated against the internal DB are looked up in
    # LDAP. The debug output shows this lookup failing with result code 81
    # (server down), which makes the whole domain report
    # "Authenticator unavailable".
    additional_user_information:
      - type: "ldap"
        ldap:
          idp:
            # CA used to verify the ldaps:// endpoint below (certificate body
            # elided in this paste). A connection closed while waiting for the
            # very first bind response usually points at the TLS layer (CA or
            # chain not matching the server, hostname mismatch) rather than at
            # an LDAP-level rejection — the directory server's log is the
            # place to confirm.
            trusted_cas: |
              -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
            hosts:
              - "ldaps://ldap.example.com:636"
          # No bind credentials are configured under idp, so the user search
          # runs after an anonymous bind (SimpleBindRequest(dn='') in the
          # debug output); the directory presumably has to permit anonymous
          # search of this subtree.
          user_search:
            base_dn: "ou=people,dc=example,dc=com"
            filter:
              raw: "(uid=${user.name})"
          group_search:
            base_dn: "ou=groups,dc=example,dc=com"
            filter:
              raw: "(uniqueMember=${dn})"
            role_name_attribute: "cn"
        user_mapping:
          roles:
            from:
              - "$.ldap_user_entry[\"memberOf\"]"
  # Second domain: same directory and same settings; the debug output shows
  # it failing with the identical result code 81 during bind.
  - type: "basic/ldap"
    ldap:
      idp:
        trusted_cas: |
          -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
        hosts:
          - "ldaps://ldap.example.com:636"
      user_search:
        base_dn: "ou=people,dc=example,dc=com"
        filter:
          raw: "(uid=${user.name})"
      group_search:
        base_dn: "ou=groups,dc=example,dc=com"
        filter:
          raw: "(uniqueMember=${dn})"
        role_name_attribute: "cn"
    user_mapping:
      user_name:
        from_backend: "$.ldap_user_entry.uid"
      roles:
        from:
          - "$.ldap_user_entry[\"memberOf\"]"
      attrs:
        from:
          givenName: "$.ldap_user_entry.givenName"
          sn: "$.ldap_user_entry.sn"
# ".*" treats every client as a trusted proxy, so originating_ip_address in
# the debug output is whatever the caller puts into x-forwarded-for. Fine for
# a lab repro; in a real deployment restrict the regex to the proxies'
# addresses, otherwise any IP-based rule acts on a client-chosen value.
network:
  trusted_proxies_regex: ".*"
http:
  remote_ip_header: "x-forwarded-for"
After switching to a plain (non-TLS) LDAP configuration, the endpoint works fine:
# Same debug call as above, now against the plain-LDAP configuration. --insecure skips verification of
# the node's TLS certificate (lab use only), and the response again echoes the Basic Authorization header
# (base64 of user:password) — redact it before sharing a capture.
curl -Ss -u hr_employee:hr_employee --insecure -XGET "https://sgssl-0.example.com:9200/_eliatra/security/auth/debug"
{
"debug" : [ {
"method" : "session",
"success" : false,
"message" : "No credentials extracted"
}, {
"method" : "basic/internal_users_db",
"success" : true,
"message" : "Extracted credentials",
"details" : {
"user_name" : "hr_employee",
"user_mapping_attributes" : {
"credentials" : {
"user_name" : "hr_employee"
},
"request" : {
"headers" : {
"Accept" : [ "*/*" ],
"Authorization" : [ "Basic aHJfZW1wbG95ZWU6aHJfZW1wbG95ZWU=" ],
"Host" : [ "sgssl-0.example.com:9200" ],
"User-Agent" : [ "curl/7.49.1-DEV" ],
"content-length" : [ "0" ]
},
"direct_ip_address" : "172.16.0.230",
"originating_ip_address" : "172.16.0.230"
}
}
}
}, {
"method" : "basic/internal_users_db",
"success" : true,
"message" : "Backends successful",
"details" : {
"user_mapping_attributes" : {
"user_entry" : {
"search_guard_roles" : [ ],
"internal_roles" : [ ],
"backend_roles" : [ "kibanauser" ],
"name" : "hr_employee",
"attributes" : {
"attribute1" : "value1",
"attribute2" : "value2",
"attribute3" : "value3"
}
},
"request" : {
"headers" : {
"Accept" : [ "*/*" ],
"Authorization" : [ "Basic aHJfZW1wbG95ZWU6aHJfZW1wbG95ZWU=" ],
"Host" : [ "sgssl-0.example.com:9200" ],
"User-Agent" : [ "curl/7.49.1-DEV" ],
"content-length" : [ "0" ]
},
"direct_ip_address" : "172.16.0.230",
"originating_ip_address" : "172.16.0.230"
},
"credentials" : {
"user_name" : "hr_employee"
}
}
}
}, {
"method" : "basic/internal_users_db",
"success" : true,
"message" : "User is logged in",
"details" : {
"user" : {
"name" : "hr_employee",
"roles" : [ "kibanauser" ],
"search_guard_roles" : [ ],
"attributes" : { }
}
}
} ],
"headers" : { }
}
The configuration that was used for the plain connection:
# NOTE(review): indentation was lost in the paste; the nesting below is
# reconstructed from key order, mirroring the TLS variant of this file —
# confirm against the original.
debug: true  # presumably enables the extended diagnostics seen in the output above — confirm; leave off outside troubleshooting
auth_domains:
  - type: "basic/internal_users_db"
    additional_user_information:
      - type: "ldap"
        ldap:
          idp:
            # Plain ldap://, no trusted_cas: the bind and the directory
            # entries returned by the searches cross the network unencrypted.
            # Usable as a stop-gap while the ldaps:// failure is diagnosed,
            # not as the fix.
            hosts:
              - "ldap://ldap.example.com"
          # No bind credentials under idp — the search runs after an
          # anonymous bind, as in the TLS variant.
          user_search:
            base_dn: "ou=people,dc=example,dc=com"
            filter:
              raw: "(uid=${user.name})"
          group_search:
            base_dn: "ou=groups,dc=example,dc=com"
            filter:
              raw: "(uniqueMember=${dn})"
            role_name_attribute: "cn"
        user_mapping:
          roles:
            from:
              - "$.ldap_user_entry[\"memberOf\"]"
  # Second domain authenticates the user with a simple bind against the same
  # directory; over ldap:// the user's password travels in clear.
  - type: "basic/ldap"
    ldap:
      idp:
        hosts:
          - "ldap://ldap.example.com"
      user_search:
        base_dn: "ou=people,dc=example,dc=com"
        filter:
          raw: "(uid=${user.name})"
      group_search:
        base_dn: "ou=groups,dc=example,dc=com"
        filter:
          raw: "(uniqueMember=${dn})"
        role_name_attribute: "cn"
    user_mapping:
      user_name:
        from_backend: "$.ldap_user_entry.uid"
      roles:
        from:
          - "$.ldap_user_entry[\"memberOf\"]"
      attrs:
        from:
          givenName: "$.ldap_user_entry.givenName"
          sn: "$.ldap_user_entry.sn"
# ".*" trusts every client as a proxy, so originating_ip_address is taken
# from a caller-controlled x-forwarded-for header. Acceptable for this repro;
# restrict it to the real proxies' addresses anywhere IP-based rules matter.
network:
  trusted_proxies_regex: ".*"
http:
  remote_ip_header: "x-forwarded-for"