LDAP Logins failing with org.ldaptive.OperationException@1008907215::resultCode=PROTOCOL_ERROR

Hello,

I'm having trouble logging into Kibana and Elastic (via cURL). The error I get when trying to log in is:

```
elasticsearchguard-elasticsearchguard-4 | 2018-08-22T01:28:37.902305000Z [2018-08-22T01:28:37,901][WARN ][c.f.d.a.l.b.LDAPAuthorizationBackend] Unable to connect to ldapserver act-actn-aa1.foobar.com:636 due to [org.ldaptive.OperationException@1008907215::resultCode=PROTOCOL_ERROR, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.CommunicationException: act-actn-aa1.foobar.com:636 [Root exception is java.lang.ClassNotFoundException: org.ldaptive.ssl.ThreadLocalTLSSocketFactory], providerException=javax.naming.CommunicationException: act-actn-aa1.foobar.com:636 [Root exception is java.lang.ClassNotFoundException: org.ldaptive.ssl.ThreadLocalTLSSocketFactory]]. Try next.
```

Any help is appreciated.

Thanks

  • Search Guard and Elasticsearch version

```
ENV ES_VERSION 6.3.2
ENV SG_VERSION "23.0"
```

  • JVM version and operating system version

Elasticsearch Docker Image - OpenJDK

  • Search Guard configuration files : sg_config.yml

```yaml
searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: true
      xff:
        enabled: true
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      ldap:
        enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            pemtrustedcas_filepath: /usr/share/elasticsearch/config/ssl/ldapRootCA.pem
            hosts:
              - act-actn-aa1.foobar.com:636
              - nsw-rsby-aa1.foobar.com:636
              - tas-dwpk-aa1.foobar.com:636
            userbase: 'ou=Active Staff,ou=People,dc=foobar,dc=com'
            usersearch: '(uid={0})'
            username_attribute: uid
    authz:
      ldap:
        enabled: true
        authorization_backend:
          type: ldap
          config:
            pemtrustedcas_filepath: /usr/share/elasticsearch/config/ssl/ldapRootCA.pem
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - act-actn-aa1.foobar.com:636
              - nsw-rsby-aa1.foobar.com:636
              - tas-dwpk-aa1.foobar.com:636
            userbase: 'ou=Active Staff,ou=People,dc=foobar,dc=com'
            usersearch: '(uid={0})'
            username_attribute: uid
            rolebase: 'ou=Elastic,ou=Roles,dc=foobar,dc=com'
            rolesearch: '(memberUid={1})'
            userroleattribute: null
            userrolename: none
            rolename: cn
            resolve_nested_roles: true
            skip_users:
              - kibanaserver
              - 'cn=Michael Jackson,ou*people,o=TEST'
              - '/\S*/'
```

  • Elasticsearch log messages on normal level

```
elasticsearchguard-elasticsearchguard-4 | 2018-08-22T01:28:37.902305000Z [2018-08-22T01:28:37,901][WARN ][c.f.d.a.l.b.LDAPAuthorizationBackend] Unable to connect to ldapserver act-actn-aa1.foobar.com:636 due to [org.ldaptive.OperationException@1008907215::resultCode=PROTOCOL_ERROR, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.CommunicationException: act-actn-aa1.foobar.com:636 [Root exception is java.lang.ClassNotFoundException: org.ldaptive.ssl.ThreadLocalTLSSocketFactory], providerException=javax.naming.CommunicationException: act-actn-aa1.foobar.com:636 [Root exception is java.lang.ClassNotFoundException: org.ldaptive.ssl.ThreadLocalTLSSocketFactory]]. Try next.
```

This ^^ message repeats for the other 2 LDAP servers.

```
kibana-wazuh-kibana-5 | 2018-08-22T02:01:12.002634000Z {"type":"response","@timestamp":"2018-08-22T02:01:11Z","tags":[],"pid":1,"method":"post","statusCode":401,"req":{"url":"/api/v1/auth/login","method":"post","headers":{"host":"act-dksn-ls1.foobar.com:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0","accept":"application/json, text/plain, */*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","referer":"http://act-dksn-ls1.foobar.com:5601/login?nextUrl=%2F","content-type":"application/json;charset=utf-8","kbn-version":"6.3.2","content-length":"57","connection":"keep-alive","dnt":"1"},"remoteAddress":"10.1.2.12","userAgent":"10.1.2.12","referer":"http://act-dksn-ls1.foobar.com:5601/login?nextUrl=%2F"},"res":{"statusCode":401,"responseTime":286,"contentLength":9},"message":"POST /api/v1/auth/login 401 286ms - 9.0B"}
```

  • Other installed Elasticsearch or Kibana plugins, if any

Kibana Plugins (Wazuh 3.5.0)

Well, I figured it out.
elastic.co, in all their wisdom, recommend Java v7/8, YET their containers (Elastic 6.3.2) run Oracle Java v10!
This is not supported by SearchGuard and fails with the above errors.

The solution was to rebuild their containers, remove Oracle Java and install OpenJDK (v8) via the yum command.
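Added example (not code from the thread or from Search Guard): a small triage script that pulls the failing LDAP hosts and their root exceptions out of Search Guard WARN lines like the one above, parses the `java -version` banner from the Elasticsearch container, and reports "incompatible_jvm" when the `ThreadLocalTLSSocketFactory` ClassNotFoundException coincides with a JVM outside the 7/8 range the post names. The log lines and version banners below are constructed samples modelled on the output quoted in the post.

```python
import re

# Constructed sample data, modelled on the WARN line and the three LDAP hosts in the post.
LDAP_HOSTS = ["act-actn-aa1.foobar.com:636", "nsw-rsby-aa1.foobar.com:636", "tas-dwpk-aa1.foobar.com:636"]
JVM_SIGNATURE = "java.lang.ClassNotFoundException: org.ldaptive.ssl.ThreadLocalTLSSocketFactory"
WARN_TEMPLATE = (
    "[2018-08-22T01:28:37,901][WARN ][c.f.d.a.l.b.LDAPAuthorizationBackend] Unable to connect to "
    "ldapserver {host} due to [org.ldaptive.OperationException@1008907215::resultCode=PROTOCOL_ERROR, "
    "matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, "
    "message=javax.naming.CommunicationException: {host} [Root exception is {root}]]. Try next."
)
SAMPLE_LOG = "\n".join(WARN_TEMPLATE.format(host=h, root=JVM_SIGNATURE) for h in LDAP_HOSTS)
# Constructed `java -version` banners (printed on stderr): new-style and legacy numbering.
JAVA10_OUTPUT = 'java version "10.0.2" 2018-07-17\nJava(TM) SE Runtime Environment 18.3 (build 10.0.2+13)'
JAVA8_OUTPUT = 'openjdk version "1.8.0_181"\nOpenJDK Runtime Environment (build 1.8.0_181-b13)'

SUPPORTED_MAJORS = {7, 8}  # the Java versions the post says elastic.co recommends for 6.3.2

FAILURE_RE = re.compile(
    r"\[WARN \]\[c\.f\.d\.a\.l\.b\.LDAPAuthorizationBackend\] Unable to connect to ldapserver "
    r"(?P<host>\S+) due to .*?\[Root exception is (?P<root>[^\]]+)\]"
)
VERSION_RE = re.compile(r'version "(\d+)(?:\.(\d+))?')


def ldap_connect_failures(log_text):
    """Map each LDAP host named in an 'Unable to connect' WARN line to its root exception."""
    return {m.group("host"): m.group("root") for m in FAILURE_RE.finditer(log_text)}


def java_major_version(version_output):
    """Major version from a `java -version` banner: '1.8.0_181' -> 8, '10.0.2' -> 10, none -> None."""
    m = VERSION_RE.search(version_output)
    if not m:
        return None
    major, minor = int(m.group(1)), m.group(2)
    return int(minor) if major == 1 and minor else major


def diagnose(log_text, version_output):
    """Return (verdict, java_major, hosts) where verdict is one of
    'incompatible_jvm', 'other_ldap_failure' (check TLS/CA/hosts instead) or 'ok'."""
    failures = ldap_connect_failures(log_text)
    major = java_major_version(version_output)
    flagged = sorted(h for h, root in failures.items() if root == JVM_SIGNATURE)
    if flagged and major not in SUPPORTED_MAJORS:
        return ("incompatible_jvm", major, flagged)
    if failures:
        return ("other_ldap_failure", major, sorted(failures))
    return ("ok", major, [])
```

Run `java -version 2>&1` inside the Elasticsearch container and feed that text, together with the container log, to `diagnose`; a JVM of 7 or 8 with the same WARN lines points at the CA file, hostnames or ports rather than the runtime.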