LDAP certificate issue

Hi,

Searchguard is cool. Thanks.

Have it working great with basic auth, and now beginning to test kerberos + ldap.

Does “unable to find valid certification path to requested target” mean anything to anyone here?

The exception occurs during setup of the connection to the ldap server (TLSv1) using the 2.4-7 backend, after TLSv1 protocol has been agreed.

[2017-05-05 11:31:40,119][DEBUG][com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend] Unable to connect to ldapserver due to [org.ldaptive.provider.ConnectionException@329752164::resultCode=PROTOCOL_ERROR, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.CommunicationException: redacted.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Is there any way to configure the searchguard ldap authorization section to accept the certificate without verification? Or any suggestions of another solution?

Yes, I understand a license is required for the ldap and kerberos backends.

Thanks again,

Rob.

Can you provide your elasticsearch.yml and sg_config.yml?

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/6ad90920-5865-40af-8b31-626f2ac8a19c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Thanks @SG

I was able to replicate the problem in ldapsearch now, so let me follow up first with the AD team. Essentially we are having the problem described in this stackoverflow thread:

The workaround for ldapsearch, as answered on stackoverflow, is to include this line in the ldap.conf file:

TLS_REQCERT ALLOW

From what I can see, there is no corresponding setting for searchguard ldap configuration?

Thanks again,

Rob.
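
The PKIX error quoted in this thread means the client could not chain the LDAP server's certificate to any CA in its trust store. The following added example (not part of the thread; CA names, hostname and keys are constructed, and it assumes the `openssl` CLI is installed) reproduces that condition offline and shows the same check passing once the issuing CA is added to the trust store, with verification left enabled.

```shell
#!/bin/sh
# Added illustration: constructed names and throwaway keys, not from the thread.
# Shows why a TLS client reports "unable to find valid certification path":
# the CA that issued the server certificate is missing from the trust store.

# new_ca DIR NAME CN: create a throwaway self-signed CA (constructed sample).
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_server_cert DIR CA CN: sign a server certificate with the named CA.
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/server.pem" 2>/dev/null
}

# path_check TRUSTSTORE CERT: print "trusted" if CERT chains to a CA in TRUSTSTORE.
path_check() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

# demo: print the verification result before and after adding the issuing CA.
demo() {
    d=$(mktemp -d) || return 1
    new_ca "$d" internal "Example Internal AD CA" &&
    new_ca "$d" public "Example Public CA" &&
    issue_server_cert "$d" internal "ldap.example.test" || { rm -rf "$d"; return 1; }
    # Trust store holds only an unrelated CA: path building fails.
    before=$(path_check "$d/public.pem" "$d/server.pem")
    # Add the issuing CA to the trust store: the same certificate now verifies.
    cat "$d/public.pem" "$d/internal.pem" > "$d/truststore.pem"
    after=$(path_check "$d/truststore.pem" "$d/server.pem")
    rm -rf "$d"
    echo "$before $after"
}

demo
```

For a Java client, the equivalent step is importing the issuing CA certificate into the truststore the JVM or plugin is configured to use, for example with `keytool -importcert`.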
