java security exception when running ldap module

Hi,

I get errors like the following when adding ldap authentication/authorization to searchguard. Authentication works, but authorization does not:

[2017-03-10T16:02:28,327][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@2735818d threw unexpected exception

java.security.AccessControlException: access denied (“java.lang.RuntimePermission” “getClassLoader”)

Here the startup logs:

[2017-03-10T15:32:18,699][INFO ][c.f.s.SearchGuardPlugin ] FLS/DLS module not available

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot™ 64-Bit Server VM

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64

[2017-03-10T15:32:18,760][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers

[2017-03-10T15:32:18,803][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Config directory is /etc/elasticsearch/, from there the key- and truststore files are resolved relatively

[2017-03-10T15:32:19,303][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] HTTPS client auth mode OPTIONAL

[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] AES-256 not supported, max key length for AES is 128 bit… That is not an issue, it just limits possible encryption strength. To enable AES 256 install ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’

[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportClientProvider:OPENSSL with ciphers

[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [aggs-matrix-stats]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [ingest-common]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-expression]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-groovy]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-mustache]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-painless]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [percolator]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [reindex]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty3]

[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty4]

[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [search-guard-5]

[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [x-pack]

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot™ 64-Bit Server VM

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64

[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:24,922][INFO ][c.f.s.c.ConfigurationModule] FLS/DLS valve not bound (noop)

[2017-03-10T15:32:24,923][INFO ][c.f.s.c.ConfigurationModule] Privileges interceptor not bound (noop)

[2017-03-10T15:32:24,924][INFO ][c.f.s.a.AuditLogModule ] Auditlog not available

[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] initialized

[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] starting …

[2017-03-10T15:32:27,195][INFO ][o.e.t.TransportService ] [mynode] publish_address {10.93.37.135:9300}, bound_addresses {127.0.0.1:9300}, {10.93.37.135:9300}

[2017-03-10T15:32:27,200][INFO ][o.e.b.BootstrapCheck ] [mynode] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks

[2017-03-10T15:32:27,205][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Check if searchguard index exists …

[2017-03-10T15:32:27,211][DEBUG][o.e.a.a.i.e.i.TransportIndicesExistsAction] [mynode] no known master node, scheduling a retry

[2017-03-10T15:32:31,030][INFO ][o.e.c.s.ClusterService ] [mynode] detected_master

[2017-03-10T15:32:33,398][INFO ][o.e.h.HttpServer ] [mynode] publish_address {10.93.37.135:9200}, bound_addresses {127.0.0.1:9200}, {10.93.37.135:9200}

[2017-03-10T15:32:33,398][INFO ][o.e.n.Node ] [mynode] started

[2017-03-10T15:32:33,462][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Node ‘mynode’ initialized

[2017-03-10T15:32:38,797][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@5b45e788 threw unexpected exception

java.security.AccessControlException: access denied (“java.lang.RuntimePermission” “getClassLoader”)

We are using ES 5.1.1-1 and the ldap backend module 5.0-7 (we have an education license).

Thanks for any hints,

Andreas

Just to makes things clear:
- You use SG ES 5.1.1-11 (not ES 5.1.1-1) right?
- Did you get the exception during startup? If yes, does it prevent the node from properly starting up?
- Pls. share you sg_config.yml

···

Am 11.03.2017 um 01:25 schrieb Andreas Freudenreich <andreas.freudenreich@icloud.com>:

Hi,
I get errors like the following when adding ldap authentication/authorization to searchguard. Authentication works, but authorization does not:

[2017-03-10T16:02:28,327][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@2735818d threw unexpected exception
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")

Here the startup logs:
[2017-03-10T15:32:18,699][INFO ][c.f.s.SearchGuardPlugin ] FLS/DLS module not available
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot(TM) 64-Bit Server VM
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64
[2017-03-10T15:32:18,760][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers
...
[2017-03-10T15:32:18,803][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Config directory is /etc/elasticsearch/, from there the key- and truststore files are resolved relatively
[2017-03-10T15:32:19,303][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] HTTPS client auth mode OPTIONAL
[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] AES-256 not supported, max key length for AES is 128 bit.. That is not an issue, it just limits possible encryption strength. To enable AES 256 install 'Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files'
[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportClientProvider:OPENSSL with ciphers
...
[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]
[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [aggs-matrix-stats]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [ingest-common]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-expression]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-groovy]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-mustache]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-painless]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [percolator]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [reindex]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty3]
[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty4]
[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [search-guard-5]
[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [x-pack]
[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available
[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available
[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121
[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot(TM) 64-Bit Server VM
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64

[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]
[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]
[2017-03-10T15:32:24,922][INFO ][c.f.s.c.ConfigurationModule] FLS/DLS valve not bound (noop)
[2017-03-10T15:32:24,923][INFO ][c.f.s.c.ConfigurationModule] Privileges interceptor not bound (noop)
[2017-03-10T15:32:24,924][INFO ][c.f.s.a.AuditLogModule ] Auditlog not available
[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] initialized
[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] starting ...
[2017-03-10T15:32:27,195][INFO ][o.e.t.TransportService ] [mynode] publish_address {10.93.37.135:9300}, bound_addresses {127.0.0.1:9300}, {10.93.37.135:9300}
[2017-03-10T15:32:27,200][INFO ][o.e.b.BootstrapCheck ] [mynode] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks
[2017-03-10T15:32:27,205][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Check if searchguard index exists ...
[2017-03-10T15:32:27,211][DEBUG][o.e.a.a.i.e.i.TransportIndicesExistsAction] [mynode] no known master node, scheduling a retry
[2017-03-10T15:32:31,030][INFO ][o.e.c.s.ClusterService ] [mynode] detected_master
...
[2017-03-10T15:32:33,398][INFO ][o.e.h.HttpServer ] [mynode] publish_address {10.93.37.135:9200}, bound_addresses {127.0.0.1:9200}, {10.93.37.135:9200}
[2017-03-10T15:32:33,398][INFO ][o.e.n.Node ] [mynode] started
[2017-03-10T15:32:33,462][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Node 'mynode' initialized
[2017-03-10T15:32:38,797][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@5b45e788 threw unexpected exception
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")

We are using ES 5.1.1-1 and the ldap backend module 5.0-7 (we have an education license).

Thanks for any hints,
Andreas

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/2a778a6e-91aa-4571-9c39-744ac4c37858%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

can you check if https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-authbackend-ldap/5.0-8-SNAPSHOT/dlic-search-guard-authbackend-ldap-5.0-8-20170313.174111-1-jar-with-dependencies.jar fixes your issue (or at least print out more details)?

···

On Saturday, 11 March 2017 01:25:15 UTC+1, Andreas Freudenreich wrote:

Hi,

I get errors like the following when adding ldap authentication/authorization to searchguard. Authentication works, but authorization does not:

[2017-03-10T16:02:28,327][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@2735818d threw unexpected exception

java.security.AccessControlException: access denied (“java.lang.RuntimePermission” “getClassLoader”)

Here the startup logs:

[2017-03-10T15:32:18,699][INFO ][c.f.s.SearchGuardPlugin ] FLS/DLS module not available

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot™ 64-Bit Server VM

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64

[2017-03-10T15:32:18,760][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers

[2017-03-10T15:32:18,803][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Config directory is /etc/elasticsearch/, from there the key- and truststore files are resolved relatively

[2017-03-10T15:32:19,303][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] HTTPS client auth mode OPTIONAL

[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] AES-256 not supported, max key length for AES is 128 bit… That is not an issue, it just limits possible encryption strength. To enable AES 256 install ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’

[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportClientProvider:OPENSSL with ciphers

[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [aggs-matrix-stats]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [ingest-common]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-expression]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-groovy]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-mustache]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-painless]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [percolator]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [reindex]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty3]

[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty4]

[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [search-guard-5]

[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [x-pack]

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot™ 64-Bit Server VM

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64

[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:24,922][INFO ][c.f.s.c.ConfigurationModule] FLS/DLS valve not bound (noop)

[2017-03-10T15:32:24,923][INFO ][c.f.s.c.ConfigurationModule] Privileges interceptor not bound (noop)

[2017-03-10T15:32:24,924][INFO ][c.f.s.a.AuditLogModule ] Auditlog not available

[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] initialized

[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] starting …

[2017-03-10T15:32:27,195][INFO ][o.e.t.TransportService ] [mynode] publish_address {10.93.37.135:9300}, bound_addresses {127.0.0.1:9300}, {10.93.37.135:9300}

[2017-03-10T15:32:27,200][INFO ][o.e.b.BootstrapCheck ] [mynode] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks

[2017-03-10T15:32:27,205][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Check if searchguard index exists …

[2017-03-10T15:32:27,211][DEBUG][o.e.a.a.i.e.i.TransportIndicesExistsAction] [mynode] no known master node, scheduling a retry

[2017-03-10T15:32:31,030][INFO ][o.e.c.s.ClusterService ] [mynode] detected_master

[2017-03-10T15:32:33,398][INFO ][o.e.h.HttpServer ] [mynode] publish_address {10.93.37.135:9200}, bound_addresses {127.0.0.1:9200}, {10.93.37.135:9200}

[2017-03-10T15:32:33,398][INFO ][o.e.n.Node ] [mynode] started

[2017-03-10T15:32:33,462][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Node ‘mynode’ initialized

[2017-03-10T15:32:38,797][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@5b45e788 threw unexpected exception

java.security.AccessControlException: access denied (“java.lang.RuntimePermission” “getClassLoader”)

We are using ES 5.1.1-1 and the ldap backend module 5.0-7 (we have an education license).

Thanks for any hints,

Andreas

Yes, we use SG 5.1.1-11 (with ES 5.1.1-1)

The exception happens during startup, but the node starts up afterwards. Non-LDAP authentication still works.

I’ll share the configuration during the next days (currently OOO).

···

On Mar 13, 2017, at 10:20 AM, SG info@search-guard.com wrote:

Am 11.03.2017 um 01:25 schrieb Andreas Freudenreich andreas.freudenreich@icloud.com:

Hi,
I get errors like the following when adding ldap authentication/authorization to searchguard. Authentication works, but authorization does not:

[2017-03-10T16:02:28,327][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@2735818d threw unexpected exception
java.security.AccessControlException: access denied (“java.lang.RuntimePermission” “getClassLoader”)

Here the startup logs:
[2017-03-10T15:32:18,699][INFO ][c.f.s.SearchGuardPlugin ] FLS/DLS module not available
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot™ 64-Bit Server VM
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64
[2017-03-10T15:32:18,760][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers

[2017-03-10T15:32:18,803][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Config directory is /etc/elasticsearch/, from there the key- and truststore files are resolved relatively
[2017-03-10T15:32:19,303][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] HTTPS client auth mode OPTIONAL
[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] AES-256 not supported, max key length for AES is 128 bit… That is not an issue, it just limits possible encryption strength. To enable AES 256 install ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’
[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportClientProvider:OPENSSL with ciphers

[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]
[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [aggs-matrix-stats]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [ingest-common]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-expression]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-groovy]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-mustache]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-painless]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [percolator]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [reindex]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty3]
[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty4]
[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [search-guard-5]
[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [x-pack]
[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available
[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available
[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121
[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot™ 64-Bit Server VM
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64

[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]
[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]
[2017-03-10T15:32:24,922][INFO ][c.f.s.c.ConfigurationModule] FLS/DLS valve not bound (noop)
[2017-03-10T15:32:24,923][INFO ][c.f.s.c.ConfigurationModule] Privileges interceptor not bound (noop)
[2017-03-10T15:32:24,924][INFO ][c.f.s.a.AuditLogModule ] Auditlog not available
[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] initialized
[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] starting …
[2017-03-10T15:32:27,195][INFO ][o.e.t.TransportService ] [mynode] publish_address {10.93.37.135:9300}, bound_addresses {127.0.0.1:9300}, {10.93.37.135:9300}
[2017-03-10T15:32:27,200][INFO ][o.e.b.BootstrapCheck ] [mynode] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks
[2017-03-10T15:32:27,205][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Check if searchguard index exists …
[2017-03-10T15:32:27,211][DEBUG][o.e.a.a.i.e.i.TransportIndicesExistsAction] [mynode] no known master node, scheduling a retry
[2017-03-10T15:32:31,030][INFO ][o.e.c.s.ClusterService ] [mynode] detected_master

[2017-03-10T15:32:33,398][INFO ][o.e.h.HttpServer ] [mynode] publish_address {10.93.37.135:9200}, bound_addresses {127.0.0.1:9200}, {10.93.37.135:9200}
[2017-03-10T15:32:33,398][INFO ][o.e.n.Node ] [mynode] started
[2017-03-10T15:32:33,462][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Node ‘mynode’ initialized
[2017-03-10T15:32:38,797][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@5b45e788 threw unexpected exception
java.security.AccessControlException: access denied (“java.lang.RuntimePermission” “getClassLoader”)

We are using ES 5.1.1-1 and the ldap backend module 5.0-7 (we have an education license).

Thanks for any hints,
Andreas


You received this message because you are subscribed to the Google Groups “Search Guard” group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/2a778a6e-91aa-4571-9c39-744ac4c37858%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Just to makes things clear:

  • You use SG ES 5.1.1-11 (not ES 5.1.1-1) right?
  • Did you get the exception during startup? If yes, does it prevent the node from properly starting up?
  • Pls. share you sg_config.yml


You received this message because you are subscribed to a topic in the Google Groups “Search Guard” group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/BCo7OXboqD4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/E90FBAA3-CA94-4AC9-8DDD-C78E1F7722AE%40search-guard.com.
For more options, visit https://groups.google.com/d/optout.

version 5.0.8 results in the same error - I’ll see if I can get some debug logs within the next few days.

···

On Mar 13, 2017, at 10:42 AM, Search Guard info@search-guard.com wrote:

can you check if https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-authbackend-ldap/5.0-8-SNAPSHOT/dlic-search-guard-authbackend-ldap-5.0-8-20170313.174111-1-jar-with-dependencies.jar fixes your issue (or at least print out more details)?

On Saturday, 11 March 2017 01:25:15 UTC+1, Andreas Freudenreich wrote:

Hi,

I get errors like the following when adding ldap authentication/authorization to searchguard. Authentication works, but authorization does not:

[2017-03-10T16:02:28,327][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@2735818d threw unexpected exception

java.security.AccessControlException: access denied (“java.lang.RuntimePermission” “getClassLoader”)

Here the startup logs:

[2017-03-10T15:32:18,699][INFO ][c.f.s.SearchGuardPlugin ] FLS/DLS module not available

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot™ 64-Bit Server VM

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64

[2017-03-10T15:32:18,760][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers

[2017-03-10T15:32:18,803][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Config directory is /etc/elasticsearch/, from there the key- and truststore files are resolved relatively

[2017-03-10T15:32:19,303][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] HTTPS client auth mode OPTIONAL

[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] AES-256 not supported, max key length for AES is 128 bit… That is not an issue, it just limits possible encryption strength. To enable AES 256 install ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’

[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportClientProvider:OPENSSL with ciphers

[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [aggs-matrix-stats]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [ingest-common]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-expression]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-groovy]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-mustache]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-painless]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [percolator]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [reindex]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty3]

[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty4]

[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [search-guard-5]

[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [x-pack]

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot™ 64-Bit Server VM

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64

[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:24,922][INFO ][c.f.s.c.ConfigurationModule] FLS/DLS valve not bound (noop)

[2017-03-10T15:32:24,923][INFO ][c.f.s.c.ConfigurationModule] Privileges interceptor not bound (noop)

[2017-03-10T15:32:24,924][INFO ][c.f.s.a.AuditLogModule ] Auditlog not available

[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] initialized

[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] starting …

[2017-03-10T15:32:27,195][INFO ][o.e.t.TransportService ] [mynode] publish_address {10.93.37.135:9300}, bound_addresses {127.0.0.1:9300}, {10.93.37.135:9300}

[2017-03-10T15:32:27,200][INFO ][o.e.b.BootstrapCheck ] [mynode] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks

[2017-03-10T15:32:27,205][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Check if searchguard index exists …

[2017-03-10T15:32:27,211][DEBUG][o.e.a.a.i.e.i.TransportIndicesExistsAction] [mynode] no known master node, scheduling a retry

[2017-03-10T15:32:31,030][INFO ][o.e.c.s.ClusterService ] [mynode] detected_master

[2017-03-10T15:32:33,398][INFO ][o.e.h.HttpServer ] [mynode] publish_address {10.93.37.135:9200}, bound_addresses {127.0.0.1:9200}, {10.93.37.135:9200}

[2017-03-10T15:32:33,398][INFO ][o.e.n.Node ] [mynode] started

[2017-03-10T15:32:33,462][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Node ‘mynode’ initialized

[2017-03-10T15:32:38,797][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@5b45e788 threw unexpected exception

java.security.AccessControlException: access denied (“java.lang.RuntimePermission” “getClassLoader”)

We are using ES 5.1.1-1 and the ldap backend module 5.0-7 (we have an education license).

Thanks for any hints,

Andreas


You received this message because you are subscribed to a topic in the Google Groups “Search Guard” group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/BCo7OXboqD4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/ee1cefa0-7236-4ce7-90a0-868ea1a61933%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Sorry - I had tested versions 5.06 and 5.07, but not 5.08 yet - will get back to you when done.

···

On Monday, 13 March 2017 10:42:50 UTC-7, Search Guard wrote:

can you check if https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-authbackend-ldap/5.0-8-SNAPSHOT/dlic-search-guard-authbackend-ldap-5.0-8-20170313.174111-1-jar-with-dependencies.jar fixes your issue (or at least print out more details)?

On Saturday, 11 March 2017 01:25:15 UTC+1, Andreas Freudenreich wrote:

Hi,

I get errors like the following when adding ldap authentication/authorization to searchguard. Authentication works, but authorization does not:

[2017-03-10T16:02:28,327][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@2735818d threw unexpected exception

java.security.AccessControlException: access denied (“java.lang.RuntimePermission” “getClassLoader”)

Here the startup logs:

[2017-03-10T15:32:18,699][INFO ][c.f.s.SearchGuardPlugin ] FLS/DLS module not available

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot™ 64-Bit Server VM

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64

[2017-03-10T15:32:18,760][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers

[2017-03-10T15:32:18,803][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Config directory is /etc/elasticsearch/, from there the key- and truststore files are resolved relatively

[2017-03-10T15:32:19,303][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] HTTPS client auth mode OPTIONAL

[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] AES-256 not supported, max key length for AES is 128 bit… That is not an issue, it just limits possible encryption strength. To enable AES 256 install ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’

[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportClientProvider:OPENSSL with ciphers

[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [aggs-matrix-stats]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [ingest-common]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-expression]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-groovy]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-mustache]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-painless]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [percolator]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [reindex]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty3]

[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty4]

[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [search-guard-5]

[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [x-pack]

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot™ 64-Bit Server VM

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64

[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:24,922][INFO ][c.f.s.c.ConfigurationModule] FLS/DLS valve not bound (noop)

[2017-03-10T15:32:24,923][INFO ][c.f.s.c.ConfigurationModule] Privileges interceptor not bound (noop)

[2017-03-10T15:32:24,924][INFO ][c.f.s.a.AuditLogModule ] Auditlog not available

[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] initialized

[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] starting …

[2017-03-10T15:32:27,195][INFO ][o.e.t.TransportService ] [mynode] publish_address {10.93.37.135:9300}, bound_addresses {127.0.0.1:9300}, {10.93.37.135:9300}

[2017-03-10T15:32:27,200][INFO ][o.e.b.BootstrapCheck ] [mynode] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks

[2017-03-10T15:32:27,205][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Check if searchguard index exists …

[2017-03-10T15:32:27,211][DEBUG][o.e.a.a.i.e.i.TransportIndicesExistsAction] [mynode] no known master node, scheduling a retry

[2017-03-10T15:32:31,030][INFO ][o.e.c.s.ClusterService ] [mynode] detected_master

[2017-03-10T15:32:33,398][INFO ][o.e.h.HttpServer ] [mynode] publish_address {10.93.37.135:9200}, bound_addresses {127.0.0.1:9200}, {10.93.37.135:9200}

[2017-03-10T15:32:33,398][INFO ][o.e.n.Node ] [mynode] started

[2017-03-10T15:32:33,462][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Node ‘mynode’ initialized

[2017-03-10T15:32:38,797][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@5b45e788 threw unexpected exception

java.security.AccessControlException: access denied (“java.lang.RuntimePermission” “getClassLoader”)

We are using ES 5.1.1-1 and the ldap backend module 5.0-7 (we have an education license).

Thanks for any hints,

Andreas

Hi,
I have installed the linked 5.0.8 version and it gets past the java error now - thanks!

.

Authorization fails, though, with another error:

[2017-03-20T12:30:31,302][WARN ][o.l.r.SearchReferralHandler] Could not follow referral to ldap://DomainDnsZones.ourdomain.ca/DC=DomainDnsZones,DC=our,DC=domain,DC=ca

org.ldaptive.LdapException: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1^@]; remaining name ‘DC=DomainDnsZones,DC=our,DC=domain,DC=ca’

Current authz configuration:

authz:

roles_from_myldap:

enabled: true

authorization_backend:

LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)

type: ldap # NOT FREE FOR COMMERCIAL USE

config:

enable_ssl: false

enable_start_tls: false

enable_ssl_client_auth: false

verify_hostnames: false

hosts:

  • ead-sdcp10.ourdomain.ca:389

bind_dn: ‘CN=AS-svcuser,OU=ServiceAccounts,OU=ES,OU=SERVICES,DC=our,DC=domain,DC=ca’

password: ‘our_pw’

rolebase: ‘OU=role,OU=groups,OU=ES,OU=SERVICES,DC=our,DC=domain,DC=ca’

Filter to search for roles (currently in the whole subtree beneath rolebase)

{0} is substituted with the DN of the user

{1} is substituted with the username

{2} is substituted with an attribute value from user’s directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute

rolesearch: ‘(uniqueMember={0})’

Specify the name of the attribute which value should be substituted with {2} above

userroleattribute: member

Roles as an attribute of the user entry

userrolename: memberOf

The attribute in a role entry containing the name of that role

rolename: distinguishedName

Resolve nested roles transitive (roles which are members of other roles and so on …)

resolve_nested_roles: true

userbase: ‘DC=our,DC=domain,DC=ca’

Filter to search for users (currently in the whole subtree beneath userbase)

{0} is substituted with the username

usersearch: ‘(samaccountname={0})’

I can perform an ldapsearch successfully with the same bind credentials.

Thanks for any hints,

Andreas

···

On Monday, 13 March 2017 10:42:50 UTC-7, Search Guard wrote:

can you check if https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-authbackend-ldap/5.0-8-SNAPSHOT/dlic-search-guard-authbackend-ldap-5.0-8-20170313.174111-1-jar-with-dependencies.jar fixes your issue (or at least print out more details)?

On Saturday, 11 March 2017 01:25:15 UTC+1, Andreas Freudenreich wrote:

Hi,

I get errors like the following when adding ldap authentication/authorization to searchguard. Authentication works, but authorization does not:

[2017-03-10T16:02:28,327][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@2735818d threw unexpected exception

java.security.AccessControlException: access denied (“java.lang.RuntimePermission” “getClassLoader”)

Here the startup logs:

[2017-03-10T15:32:18,699][INFO ][c.f.s.SearchGuardPlugin ] FLS/DLS module not available

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot™ 64-Bit Server VM

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64

[2017-03-10T15:32:18,760][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers

[2017-03-10T15:32:18,803][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Config directory is /etc/elasticsearch/, from there the key- and truststore files are resolved relatively

[2017-03-10T15:32:19,303][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] HTTPS client auth mode OPTIONAL

[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] AES-256 not supported, max key length for AES is 128 bit… That is not an issue, it just limits possible encryption strength. To enable AES 256 install ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’

[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportClientProvider:OPENSSL with ciphers

[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [aggs-matrix-stats]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [ingest-common]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-expression]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-groovy]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-mustache]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-painless]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [percolator]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [reindex]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty3]

[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty4]

[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [search-guard-5]

[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [x-pack]

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot™ 64-Bit Server VM

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64

[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:24,922][INFO ][c.f.s.c.ConfigurationModule] FLS/DLS valve not bound (noop)

[2017-03-10T15:32:24,923][INFO ][c.f.s.c.ConfigurationModule] Privileges interceptor not bound (noop)

[2017-03-10T15:32:24,924][INFO ][c.f.s.a.AuditLogModule ] Auditlog not available

[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] initialized

[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] starting …

[2017-03-10T15:32:27,195][INFO ][o.e.t.TransportService ] [mynode] publish_address {10.93.37.135:9300}, bound_addresses {127.0.0.1:9300}, {10.93.37.135:9300}

[2017-03-10T15:32:27,200][INFO ][o.e.b.BootstrapCheck ] [mynode] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks

[2017-03-10T15:32:27,205][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Check if searchguard index exists …

[2017-03-10T15:32:27,211][DEBUG][o.e.a.a.i.e.i.TransportIndicesExistsAction] [mynode] no known master node, scheduling a retry

[2017-03-10T15:32:31,030][INFO ][o.e.c.s.ClusterService ] [mynode] detected_master

[2017-03-10T15:32:33,398][INFO ][o.e.h.HttpServer ] [mynode] publish_address {10.93.37.135:9200}, bound_addresses {127.0.0.1:9200}, {10.93.37.135:9200}

[2017-03-10T15:32:33,398][INFO ][o.e.n.Node ] [mynode] started

[2017-03-10T15:32:33,462][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Node ‘mynode’ initialized

[2017-03-10T15:32:38,797][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@5b45e788 threw unexpected exception

java.security.AccessControlException: access denied (“java.lang.RuntimePermission” “getClassLoader”)

We are using ES 5.1.1-1 and the ldap backend module 5.0-7 (we have an education license).

Thanks for any hints,

Andreas

can you try this one https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-authbackend-ldap/5.0-8-unb-SNAPSHOT/dlic-search-guard-authbackend-ldap-5.0-8-unb-20170322.155126-1-jar-with-dependencies.jar

seems to be a problem with referrals

···

On Monday, 20 March 2017 20:37:55 UTC+1, Andreas Freudenreich wrote:

Hi,
I have installed the linked 5.0.8 version and it gets past the java error now - thanks!

.

Authorization fails, though, with another error:

[2017-03-20T12:30:31,302][WARN ][o.l.r.SearchReferralHandler] Could not follow referral to ldap://DomainDnsZones.ourdomain.ca/DC=DomainDnsZones,DC=our,DC=domain,DC=ca

org.ldaptive.LdapException: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1^@]; remaining name ‘DC=DomainDnsZones,DC=our,DC=domain,DC=ca’

Current authz configuration:

authz:

roles_from_myldap:

enabled: true

authorization_backend:

LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)

type: ldap # NOT FREE FOR COMMERCIAL USE

config:

enable_ssl: false

enable_start_tls: false

enable_ssl_client_auth: false

verify_hostnames: false

hosts:

bind_dn: ‘CN=AS-svcuser,OU=ServiceAccounts,OU=ES,OU=SERVICES,DC=our,DC=domain,DC=ca’

password: ‘our_pw’

rolebase: ‘OU=role,OU=groups,OU=ES,OU=SERVICES,DC=our,DC=domain,DC=ca’

Filter to search for roles (currently in the whole subtree beneath rolebase)

{0} is substituted with the DN of the user

{1} is substituted with the username

{2} is substituted with an attribute value from user’s directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute

rolesearch: ‘(uniqueMember={0})’

Specify the name of the attribute which value should be substituted with {2} above

userroleattribute: member

Roles as an attribute of the user entry

userrolename: memberOf

The attribute in a role entry containing the name of that role

rolename: distinguishedName

Resolve nested roles transitive (roles which are members of other roles and so on …)

resolve_nested_roles: true

userbase: ‘DC=our,DC=domain,DC=ca’

Filter to search for users (currently in the whole subtree beneath userbase)

{0} is substituted with the username

usersearch: ‘(samaccountname={0})’

I can perform an ldapsearch successfully with the same bind credentials.

Thanks for any hints,

Andreas

On Monday, 13 March 2017 10:42:50 UTC-7, Search Guard wrote:

can you check if https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-authbackend-ldap/5.0-8-SNAPSHOT/dlic-search-guard-authbackend-ldap-5.0-8-20170313.174111-1-jar-with-dependencies.jar fixes your issue (or at least print out more details)?

On Saturday, 11 March 2017 01:25:15 UTC+1, Andreas Freudenreich wrote:

Hi,

I get errors like the following when adding ldap authentication/authorization to searchguard. Authentication works, but authorization does not:

[2017-03-10T16:02:28,327][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@2735818d threw unexpected exception

java.security.AccessControlException: access denied (“java.lang.RuntimePermission” “getClassLoader”)

Here the startup logs:

[2017-03-10T15:32:18,699][INFO ][c.f.s.SearchGuardPlugin ] FLS/DLS module not available

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot™ 64-Bit Server VM

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64

[2017-03-10T15:32:18,760][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers

[2017-03-10T15:32:18,803][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Config directory is /etc/elasticsearch/, from there the key- and truststore files are resolved relatively

[2017-03-10T15:32:19,303][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] HTTPS client auth mode OPTIONAL

[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] AES-256 not supported, max key length for AES is 128 bit… That is not an issue, it just limits possible encryption strength. To enable AES 256 install ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’

[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportClientProvider:OPENSSL with ciphers

[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [aggs-matrix-stats]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [ingest-common]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-expression]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-groovy]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-mustache]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-painless]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [percolator]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [reindex]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty3]

[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty4]

[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [search-guard-5]

[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [x-pack]

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot™ 64-Bit Server VM

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64

[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:24,922][INFO ][c.f.s.c.ConfigurationModule] FLS/DLS valve not bound (noop)

[2017-03-10T15:32:24,923][INFO ][c.f.s.c.ConfigurationModule] Privileges interceptor not bound (noop)

[2017-03-10T15:32:24,924][INFO ][c.f.s.a.AuditLogModule ] Auditlog not available

[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] initialized

[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] starting …

[2017-03-10T15:32:27,195][INFO ][o.e.t.TransportService ] [mynode] publish_address {10.93.37.135:9300}, bound_addresses {127.0.0.1:9300}, {10.93.37.135:9300}

[2017-03-10T15:32:27,200][INFO ][o.e.b.BootstrapCheck ] [mynode] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks

[2017-03-10T15:32:27,205][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Check if searchguard index exists …

[2017-03-10T15:32:27,211][DEBUG][o.e.a.a.i.e.i.TransportIndicesExistsAction] [mynode] no known master node, scheduling a retry

[2017-03-10T15:32:31,030][INFO ][o.e.c.s.ClusterService ] [mynode] detected_master

[2017-03-10T15:32:33,398][INFO ][o.e.h.HttpServer ] [mynode] publish_address {10.93.37.135:9200}, bound_addresses {127.0.0.1:9200}, {10.93.37.135:9200}

[2017-03-10T15:32:33,398][INFO ][o.e.n.Node ] [mynode] started

[2017-03-10T15:32:33,462][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Node ‘mynode’ initialized

[2017-03-10T15:32:38,797][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@5b45e788 threw unexpected exception

java.security.AccessControlException: access denied (“java.lang.RuntimePermission” “getClassLoader”)

We are using ES 5.1.1-1 and the ldap backend module 5.0-7 (we have an education license).

Thanks for any hints,

Andreas