Hi,
I would like to integrate Elasticsearch Search Guard with LDAP. I am able to authenticate LDAP users successfully, but authorization is not working.
I got the following errors:
[2017-06-29T11:17:42,862][ERROR][c.f.s.a.BackendRegistry ] Unexpected exception com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[ElasticsearchSecurityException[No user admin found]]; nested: ElasticsearchSecurityException[No user admin found];
[2017-06-29T11:58:06,808][ERROR][c.f.s.a.BackendRegistry ] Problems retrieving roles for User [name=admin, roles=] from class com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend
My sg_config.yml file looks like this:
authc:
  ldap:
    enabled: true
    order: 1
    http_authenticator:
      type: basic
      challenge: true
    authentication_backend:
      # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
      type: ldap # NOT FREE FOR COMMERCIAL USE
      config:
        # enable ldaps
        enable_ssl: false
        # enable start tls, enable_ssl should be false
        enable_start_tls: false
        # send client certificate
        enable_ssl_client_auth: false
        # verify ldap hostname
        verify_hostnames: true
        hosts:
          - X.X.X.X:389
        bind_dn: 'cn=YYYdc=XXX,dc=XXX'
        password: 'xxxx'
        userbase: 'dc=XXX,dc=XXX'
        usersearch: '(cn={0})'
        username_attribute: cn
authz:
  ldap:
    enabled: true
    authorization_backend:
      type: ldap
      config:
        enable_ssl: false
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
          - X.X.X.X:389
        bind_dn: 'cn=YYYdc=XXX,dc=XXX'
        password: 'xxxx'
        userbase: 'dc=XXX,dc=XXX'
        usersearch: '(cn={0})'
        username_attribute: cn
        rolebase: 'dc=XXX,dc=XXX'
        rolesearch: '(cn={0})'
        userroleattribute: null
        userrolename: none
        rolename: RRR #this is ldap rolename
        #resolve_nested_roles: true
        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        # usersearch: '(uid={0})'
        #username_attribute: uid
        # Skip users matching a user name, a wildcard or a regex pattern
        #skip_users:
        #  - 'cn=Michael Jackson,ou*people,o=TEST'
        #  - '/\S*/'
How can I resolve it? How are these roles matched with Search Guard roles? Do we need to mention LDAP users in the Search Guard config file compulsorily or not? Kindly inform me briefly.