Authorization error

Hi,

I would like to integrate Elasticsearch Search Guard with LDAP. I am able to authenticate LDAP users successfully, but authorization is not working.

I got the following errors:

[2017-06-29T11:17:42,862][ERROR][c.f.s.a.BackendRegistry ] Unexpected exception com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[ElasticsearchSecurityException[No user admin found]]; nested: ElasticsearchSecurityException[No user admin found];

[2017-06-29T11:58:06,808][ERROR][c.f.s.a.BackendRegistry ] Problems retrieving roles for User [name=admin, roles=] from class com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend

My sg_config.yml file looks like this:

    authc:
      ldap:
        enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap # NOT FREE FOR COMMERCIAL USE
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - X.X.X.X:389
            bind_dn: 'cn=YYYdc=XXX,dc=XXX'
            password: 'xxxx'
            userbase: 'dc=XXX,dc=XXX'
            usersearch: '(cn={0})'
            username_attribute: cn
    authz:
      ldap:
        enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - X.X.X.X:389
            bind_dn: 'cn=YYYdc=XXX,dc=XXX'
            password: 'xxxx'
            userbase: 'dc=XXX,dc=XXX'
            usersearch: '(cn={0})'
            username_attribute: cn
            rolebase: 'dc=XXX,dc=XXX'
            rolesearch: '(cn={0})'
            userroleattribute: null
            userrolename: none
            rolename: RRR #this is ldap rolename
            #resolve_nested_roles: true
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'
            #username_attribute: uid
            # Skip users matching a user name, a wildcard or a regex pattern
            #skip_users:
            #  - 'cn=Michael Jackson,ou*people,o=TEST'
            #  - '/\S*/'

How can I resolve it? How are these roles matched with Search Guard roles? Do we need to mention LDAP users in the Search Guard config file compulsorily or not? Kindly inform me briefly.