LDAP issues

Can you provide the elasticsearch log please ?

···

On Friday, July 10, 2015 at 7:23:54 PM UTC+2, Evan Bradham wrote:

I am trying to get LDAP auth working and having no success. I feel like I missing something that should likely be obvious. Can you help out? Thanks.

Note that *'s were added to obfuscate.

Here is my .yml configuration:

searchguard.check_for_root: false

searchguard.key_path: /etc/searchguard

searchguard.rewrite_get_as_search: true

searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.ldap.LDAPAuthenticationBackend

searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.ldap.LDAPAuthorizator

searchguard.authentication.ldap.host: [“ldap.***.edu:389”]

searchguard.authentication.ldap.ldaps.ssl.enabled: false

searchguard.authentication.ldap.ldaps.starttls.enabled: false

searchguard.authentication.ldap.userbase: ou=People,o=***.edu

searchguard.authentication.ldap.usersearch: (uid={0})

searchguard.authentication.ldap.username_attribute: uid

``

Here is my curl test with results:

curl -u user -v -XGET ‘http://***.***.***.***:9200/_cluster/health?pretty=true’

``

Enter host password for user ‘user’:

  • Hostname was NOT found in DNS cache
  • Trying ***.***.***.***…
  • Connected to .***.***. (***.***.***.***) port 9200 (#0)
  • Server auth using Basic with user ‘user’

GET /_cluster/health?pretty=true HTTP/1.1

Authorization: Basic ZWJyYWRoYW06czljOWRUcnRNWDBF

User-Agent: curl/7.35.0

Host: ***.***.***.***:9200

Accept: /

< HTTP/1.1 500 Internal Server Error

< Content-Type: application/json; charset=UTF-8

< Content-Length: 245

<

{

“error” : "AuthException[com.floragunn.searchguard.authentication.AuthException: No user user or wrong password (digest: plain/none)]; nested: AuthException[No user user or wrong password (digest: plain/none)]; ",

“status” : 500

}

  • Connection #0 to host .***.***. left intact

I am using the basic ACL from the installation guide:

curl -XPUT '[http://localhost:9200/searchguard/ac/ac](http://localhost:9200/searchguard/ac/ac)' -d '{
    "acl": [
    {
        "__Comment__": "By default no filters are executed and no filters a by-passed. In such a case an exception is thrown and access will be denied.",
        "filters_bypass": [],
        "filters_execute": []
     },
     {
           "__Comment__": "For role *admin* all filters are bypassed (so none will be executed). This means unrestricted access.",
           "roles": [
               "admin"
           ],
           "filters_bypass": ["*"],
           "filters_execute": []
     }
     ]
}'

``