[search-guard group] java security exception when running ldap module

Hi,

After applying this version I get following in the logs - and elasticsearch shuts down:

[2017-03-22T13:56:48,036][WARN ][c.f.s.h.SearchGuardHttpServerTransport] [ela-coordprd01] caught exception while handling client http traffic, closing connection [id: 0x4bc3e24e, L:/10.93.37.135:9200 - R:/
137.82.5.97:38770]
com.google.common.util.concurrent.ExecutionError: java.lang.ExceptionInInitializerError
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2205) ~[?:?]
at com.google.common.cache.LocalCache.get(LocalCache.java:3953) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4790) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:481) ~[?:?]
at com.floragunn.searchguard.filter.SearchGuardRestFilter.process(SearchGuardRestFilter.java:99) ~[?:?]
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:310) ~[elasticsearch-5.1.1.jar:5.1.1]
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:203) ~[elasticsearch-5.1.1.jar:5.1.1]
at org.elasticsearch.http.HttpServer.dispatchRequest(HttpServer.java:113) ~[elasticsearch-5.1.1.jar:5.1.1]
at org.elasticsearch.http.netty4.Netty4HttpServerTransport.dispatchRequest(Netty4HttpServerTransport.java:507) ~[transport-netty4-client-5.1.1.jar:5.1.1]
at com.floragunn.searchguard.ssl.http.netty.SearchGuardSSLNettyHttpServerTransport.dispatchRequest(SearchGuardSSLNettyHttpServerTransport.java:120) ~[search-guard-ssl-5.1.1-20.jar:5.1.1-20]
at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:69) ~[transport-netty4-client-5.1.1.jar:5.1.1]
at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) ~[netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at org.elasticsearch.http.netty4.pipelining.HttpPipeliningHandler.channelRead(HttpPipeliningHandler.java:66) [transport-netty4-client-5.1.1.jar:5.1.1]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:111) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:293) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:267) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1069) [netty-handler-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:902) [netty-handler-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:651) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:536) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:490) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:450) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:873) [netty-common-4.1.6.Final.jar:4.1.6.Final]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]
Caused by: java.lang.ExceptionInInitializerError
at com.unboundid.ldap.sdk.LDAPConnectionInternals.(LDAPConnectionInternals.java:187) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.(LDAPConnection.java:534) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.getConnection(LDAPAuthorizationBackend.java:140) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate0(LDAPAuthenticationBackend.java:90) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.access$000(LDAPAuthenticationBackend.java:44) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:74) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:71) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:71) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:487) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:481) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4793) ~[?:?]
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[?:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[?:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[?:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[?:?]
… 58 more
Caused by: java.security.AccessControlException: access denied (“java.util.PropertyPermission” “" “read,write”)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_121]
at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_121]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_121]
at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1262) ~[?:1.8.0_121]
at java.lang.System.getProperties(System.java:630) ~[?:1.8.0_121]
at com.unboundid.util.Debug.(Debug.java:166) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnectionInternals.(LDAPConnectionInternals.java:187) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.(LDAPConnection.java:534) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.getConnection(LDAPAuthorizationBackend.java:140) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate0(LDAPAuthenticationBackend.java:90) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.access$000(LDAPAuthenticationBackend.java:44) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:74) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:71) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:71) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:487) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:481) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4793) ~[?:?]
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[?:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[?:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[?:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[?:?]
… 58 more
[2017-03-22T13:56:48,037][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [ela-coordprd01] fatal error in thread [Thread-6], exiting
com.google.common.util.concurrent.ExecutionError: java.lang.ExceptionInInitializerError
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2205) ~[?:?]
at com.google.common.cache.LocalCache.get(LocalCache.java:3953) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4790) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:481) ~[?:?]
at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:69) ~[?:?]
at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at org.elasticsearch.http.netty4.pipelining.HttpPipeliningHandler.channelRead(HttpPipeliningHandler.java:66) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) ~[?:?]
at io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:111) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:293) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:267) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1069) ~[?:?]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:902) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) ~[?:?]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:651) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:536) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:490) ~[?:?]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:450) ~[?:?]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:873) ~[?:?]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]
Caused by: java.lang.ExceptionInInitializerError
at com.unboundid.ldap.sdk.LDAPConnectionInternals.(LDAPConnectionInternals.java:187) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.(LDAPConnection.java:534) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.getConnection(LDAPAuthorizationBackend.java:140) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate0(LDAPAuthenticationBackend.java:90) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.access$000(LDAPAuthenticationBackend.java:44) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:74) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:71) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:71) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:487) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:481) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4793) ~[?:?]
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[?:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[?:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[?:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[?:?]
… 58 more
Caused by: java.security.AccessControlException: access denied (“java.util.PropertyPermission” "
” “read,write”)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_121]
at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_121]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_121]
at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1262) ~[?:1.8.0_121]
at java.lang.System.getProperties(System.java:630) ~[?:1.8.0_121]
at com.unboundid.util.Debug.(Debug.java:166) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnectionInternals.(LDAPConnectionInternals.java:187) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.(LDAPConnection.java:534) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.getConnection(LDAPAuthorizationBackend.java:140) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate0(LDAPAuthenticationBackend.java:90) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.access$000(LDAPAuthenticationBackend.java:44) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:74) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:71) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:71) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:487) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:481) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4793) ~[?:?]
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[?:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[?:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[?:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[?:?]
… 58 more

Thanks,

Andreas

···

On Mar 22, 2017, at 08:53 AM, Search Guard info@search-guard.com wrote:

can you try this one https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-authbackend-ldap/5.0-8-unb-SNAPSHOT/dlic-search-guard-authbackend-ldap-5.0-8-unb-20170322.155126-1-jar-with-dependencies.jar

seems to be a problem with referrals

On Monday, 20 March 2017 20:37:55 UTC+1, Andreas Freudenreich wrote:

Hi,
I have installed the linked 5.0.8 version and it gets past the java error now - thanks!

.

Authorization fails, though, with another error:

[2017-03-20T12:30:31,302][WARN ][o.l.r.SearchReferralHandler] Could not follow referral to ldap://DomainDnsZones.ourdomain.ca/DC=DomainDnsZones,DC=our,DC=domain,DC=ca

org.ldaptive.LdapException: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1^@]; remaining name ‘DC=DomainDnsZones,DC=our,DC=domain,DC=ca’

Current authz configuration:

authz:

roles_from_myldap:

enabled: true

authorization_backend:

LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)

type: ldap # NOT FREE FOR COMMERCIAL USE

config:

enable_ssl: false

enable_start_tls: false

enable_ssl_client_auth: false

verify_hostnames: false

hosts:

bind_dn: ‘CN=AS-svcuser,OU=ServiceAccounts,OU=ES,OU=SERVICES,DC=our,DC=domain,DC=ca’

password: ‘our_pw’

rolebase: ‘OU=role,OU=groups,OU=ES,OU=SERVICES,DC=our,DC=domain,DC=ca’

Filter to search for roles (currently in the whole subtree beneath rolebase)

{0} is substituted with the DN of the user

{1} is substituted with the username

{2} is substituted with an attribute value from user’s directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute

rolesearch: ‘(uniqueMember={0})’

Specify the name of the attribute which value should be substituted with {2} above

userroleattribute: member

Roles as an attribute of the user entry

userrolename: memberOf

The attribute in a role entry containing the name of that role

rolename: distinguishedName

Resolve nested roles transitive (roles which are members of other roles and so on …)

resolve_nested_roles: true

userbase: ‘DC=our,DC=domain,DC=ca’

Filter to search for users (currently in the whole subtree beneath userbase)

{0} is substituted with the username

usersearch: ‘(samaccountname={0})’

I can perform an ldapsearch successfully with the same bind credentials.

Thanks for any hints,

Andreas

On Monday, 13 March 2017 10:42:50 UTC-7, Search Guard wrote:

can you check if https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-authbackend-ldap/5.0-8-SNAPSHOT/dlic-search-guard-authbackend-ldap-5.0-8-20170313.174111-1-jar-with-dependencies.jar fixes your issue (or at least print out more details)?

On Saturday, 11 March 2017 01:25:15 UTC+1, Andreas Freudenreich wrote:

Hi,

I get errors like the following when adding ldap authentication/authorization to searchguard. Authentication works, but authorization does not:

[2017-03-10T16:02:28,327][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@2735818d threw unexpected exception

java.security.AccessControlException: access denied (“java.lang.RuntimePermission” “getClassLoader”)

Here the startup logs:

[2017-03-10T15:32:18,699][INFO ][c.f.s.SearchGuardPlugin ] FLS/DLS module not available

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation

[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot™ 64-Bit Server VM

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64

[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64

[2017-03-10T15:32:18,760][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers

[2017-03-10T15:32:18,803][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Config directory is /etc/elasticsearch/, from there the key- and truststore files are resolved relatively

[2017-03-10T15:32:19,303][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] HTTPS client auth mode OPTIONAL

[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] AES-256 not supported, max key length for AES is 128 bit… That is not an issue, it just limits possible encryption strength. To enable AES 256 install ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’

[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportClientProvider:OPENSSL with ciphers

[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [aggs-matrix-stats]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [ingest-common]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-expression]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-groovy]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-mustache]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-painless]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [percolator]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [reindex]

[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty3]

[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty4]

[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [search-guard-5]

[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [x-pack]

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121

[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot™ 64-Bit Server VM

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64

[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64

[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]

[2017-03-10T15:32:24,922][INFO ][c.f.s.c.ConfigurationModule] FLS/DLS valve not bound (noop)

[2017-03-10T15:32:24,923][INFO ][c.f.s.c.ConfigurationModule] Privileges interceptor not bound (noop)

[2017-03-10T15:32:24,924][INFO ][c.f.s.a.AuditLogModule ] Auditlog not available

[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] initialized

[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] starting …

[2017-03-10T15:32:27,195][INFO ][o.e.t.TransportService ] [mynode] publish_address {10.93.37.135:9300}, bound_addresses {127.0.0.1:9300}, {10.93.37.135:9300}

[2017-03-10T15:32:27,200][INFO ][o.e.b.BootstrapCheck ] [mynode] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks

[2017-03-10T15:32:27,205][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Check if searchguard index exists …

[2017-03-10T15:32:27,211][DEBUG][o.e.a.a.i.e.i.TransportIndicesExistsAction] [mynode] no known master node, scheduling a retry

[2017-03-10T15:32:31,030][INFO ][o.e.c.s.ClusterService ] [mynode] detected_master

[2017-03-10T15:32:33,398][INFO ][o.e.h.HttpServer ] [mynode] publish_address {10.93.37.135:9200}, bound_addresses {127.0.0.1:9200}, {10.93.37.135:9200}

[2017-03-10T15:32:33,398][INFO ][o.e.n.Node ] [mynode] started

[2017-03-10T15:32:33,462][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Node ‘mynode’ initialized

[2017-03-10T15:32:38,797][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@5b45e788 threw unexpected exception

java.security.AccessControlException: access denied (“java.lang.RuntimePermission” “getClassLoader”)

We are using ES 5.1.1-1 and the ldap backend module 5.0-7 (we have an education license).

Thanks for any hints,

Andreas


You received this message because you are subscribed to a topic in the Google Groups “Search Guard” group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/BCo7OXboqD4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/05e25456-b4ef-4666-b6f4-95c8a341289d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Ok, seems there is no quick win solution here :frowning:

Can you provide details about your LDAP server and setup?

- LDAP vendor and version (i assume AD?), how many ldap servers/replicas?
- Setup regarding bind_dn and referrals -> "Could not follow referral to ldap://DomainDnsZones.ourdomain.ca/DC=DomainDnsZones,DC=our,DC=domain,DC=ca"

Would be great if you can help us tracking this down because currently i cannot reproduce it. Thx.

···

Am 22.03.2017 um 22:27 schrieb Andreas Freudenreich <andreas.freudenreich@icloud.com>:

Hi,
After applying this version I get following in the logs - and elasticsearch shuts down:

[2017-03-22T13:56:48,036][WARN ][c.f.s.h.SearchGuardHttpServerTransport] [ela-coordprd01] caught exception while handling client http traffic, closing connection [id: 0x4bc3e24e, L:/10.93.37.135:9200 - R:/
137.82.5.97:38770]
com.google.common.util.concurrent.ExecutionError: java.lang.ExceptionInInitializerError
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2205) ~[?:?]
at com.google.common.cache.LocalCache.get(LocalCache.java:3953) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4790) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:481) ~[?:?]
at com.floragunn.searchguard.filter.SearchGuardRestFilter.process(SearchGuardRestFilter.java:99) ~[?:?]
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:310) ~[elasticsearch-5.1.1.jar:5.1.1]
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:203) ~[elasticsearch-5.1.1.jar:5.1.1]
at org.elasticsearch.http.HttpServer.dispatchRequest(HttpServer.java:113) ~[elasticsearch-5.1.1.jar:5.1.1]
at org.elasticsearch.http.netty4.Netty4HttpServerTransport.dispatchRequest(Netty4HttpServerTransport.java:507) ~[transport-netty4-client-5.1.1.jar:5.1.1]
at com.floragunn.searchguard.ssl.http.netty.SearchGuardSSLNettyHttpServerTransport.dispatchRequest(SearchGuardSSLNettyHttpServerTransport.java:120) ~[search-guard-ssl-5.1.1-20.jar:5.1.1-20]
at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:69) ~[transport-netty4-client-5.1.1.jar:5.1.1]
at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) ~[netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at org.elasticsearch.http.netty4.pipelining.HttpPipeliningHandler.channelRead(HttpPipeliningHandler.java:66) [transport-netty4-client-5.1.1.jar:5.1.1]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:111) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:293) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:267) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1069) [netty-handler-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:902) [netty-handler-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:651) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:536) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:490) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:450) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:873) [netty-common-4.1.6.Final.jar:4.1.6.Final]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]
Caused by: java.lang.ExceptionInInitializerError
at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:187) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.<init>(LDAPConnection.java:534) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.getConnection(LDAPAuthorizationBackend.java:140) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate0(LDAPAuthenticationBackend.java:90) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.access$000(LDAPAuthenticationBackend.java:44) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:74) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:71) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:71) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:487) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:481) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4793) ~[?:?]
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[?:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[?:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[?:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[?:?]
... 58 more
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "*" "read,write")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_121]
at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_121]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_121]
at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1262) ~[?:1.8.0_121]
at java.lang.System.getProperties(System.java:630) ~[?:1.8.0_121]
at com.unboundid.util.Debug.<clinit>(Debug.java:166) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:187) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.<init>(LDAPConnection.java:534) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.getConnection(LDAPAuthorizationBackend.java:140) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate0(LDAPAuthenticationBackend.java:90) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.access$000(LDAPAuthenticationBackend.java:44) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:74) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:71) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:71) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:487) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:481) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4793) ~[?:?]
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[?:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[?:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[?:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[?:?]
... 58 more
[2017-03-22T13:56:48,037][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [ela-coordprd01] fatal error in thread [Thread-6], exiting
com.google.common.util.concurrent.ExecutionError: java.lang.ExceptionInInitializerError
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2205) ~[?:?]
at com.google.common.cache.LocalCache.get(LocalCache.java:3953) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4790) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:481) ~[?:?]
at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:69) ~[?:?]
at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at org.elasticsearch.http.netty4.pipelining.HttpPipeliningHandler.channelRead(HttpPipeliningHandler.java:66) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) ~[?:?]
at io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:111) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:293) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:267) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1069) ~[?:?]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:902) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) ~[?:?]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:651) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:536) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:490) ~[?:?]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:450) ~[?:?]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:873) ~[?:?]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]
Caused by: java.lang.ExceptionInInitializerError
at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:187) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.<init>(LDAPConnection.java:534) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.getConnection(LDAPAuthorizationBackend.java:140) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate0(LDAPAuthenticationBackend.java:90) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.access$000(LDAPAuthenticationBackend.java:44) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:74) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:71) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:71) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:487) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:481) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4793) ~[?:?]
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[?:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[?:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[?:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[?:?]
... 58 more
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "*" "read,write")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_121]
at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_121]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_121]
at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1262) ~[?:1.8.0_121]
at java.lang.System.getProperties(System.java:630) ~[?:1.8.0_121]
at com.unboundid.util.Debug.<clinit>(Debug.java:166) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:187) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.<init>(LDAPConnection.java:534) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.getConnection(LDAPAuthorizationBackend.java:140) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate0(LDAPAuthenticationBackend.java:90) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.access$000(LDAPAuthenticationBackend.java:44) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:74) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:71) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:71) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:487) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:481) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4793) ~[?:?]
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[?:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[?:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[?:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[?:?]
... 58 more

Thanks,
Andreas

On Mar 22, 2017, at 08:53 AM, Search Guard <info@search-guard.com> wrote:

can you try this one https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-authbackend-ldap/5.0-8-unb-SNAPSHOT/dlic-search-guard-authbackend-ldap-5.0-8-unb-20170322.155126-1-jar-with-dependencies.jar

seems to be a problem with referrals

On Monday, 20 March 2017 20:37:55 UTC+1, Andreas Freudenreich wrote:
Hi,
I have installed the linked 5.0.8 version and it gets past the java error now - thanks!
.
Authorization fails, though, with another error:

[2017-03-20T12:30:31,302][WARN ][o.l.r.SearchReferralHandler] Could not follow referral to ldap://DomainDnsZones.ourdomain.ca/DC=DomainDnsZones,DC=our,DC=domain,DC=ca
org.ldaptive.LdapException: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1^@]; remaining name 'DC=DomainDnsZones,DC=our,DC=domain,DC=ca'

Current authz configuration:
    authz:
      roles_from_myldap:
        enabled: true
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap # NOT FREE FOR COMMERCIAL USE
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - ead-sdcp10.ourdomain.ca:389
            bind_dn: 'CN=AS-svcuser,OU=ServiceAccounts,OU=ES,OU=SERVICES,DC=our,DC=domain,DC=ca'
            password: 'our_pw'
            rolebase: 'OU=role,OU=groups,OU=ES,OU=SERVICES,DC=our,DC=domain,DC=ca'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(uniqueMember={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: member
            # Roles as an attribute of the user entry
            userrolename: memberOf
            # The attribute in a role entry containing the name of that role
            rolename: distinguishedName
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: 'DC=our,DC=domain,DC=ca'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(samaccountname={0})'

I can perform an ldapsearch successfully with the same bind credentials.

Thanks for any hints,
Andreas

On Monday, 13 March 2017 10:42:50 UTC-7, Search Guard wrote:
can you check if https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-authbackend-ldap/5.0-8-SNAPSHOT/dlic-search-guard-authbackend-ldap-5.0-8-20170313.174111-1-jar-with-dependencies.jar fixes your issue (or at least print out more details)?

On Saturday, 11 March 2017 01:25:15 UTC+1, Andreas Freudenreich wrote:
Hi,
I get errors like the following when adding ldap authentication/authorization to searchguard. Authentication works, but authorization does not:

[2017-03-10T16:02:28,327][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@2735818d threw unexpected exception
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")

Here the startup logs:
[2017-03-10T15:32:18,699][INFO ][c.f.s.SearchGuardPlugin ] FLS/DLS module not available
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot(TM) 64-Bit Server VM
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64
[2017-03-10T15:32:18,760][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers
...
[2017-03-10T15:32:18,803][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Config directory is /etc/elasticsearch/, from there the key- and truststore files are resolved relatively
[2017-03-10T15:32:19,303][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] HTTPS client auth mode OPTIONAL
[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] AES-256 not supported, max key length for AES is 128 bit.. That is not an issue, it just limits possible encryption strength. To enable AES 256 install 'Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files'
[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportClientProvider:OPENSSL with ciphers
...
[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]
[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [aggs-matrix-stats]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [ingest-common]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-expression]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-groovy]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-mustache]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-painless]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [percolator]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [reindex]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty3]
[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty4]
[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [search-guard-5]
[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [x-pack]
[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available
[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available
[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121
[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot(TM) 64-Bit Server VM
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64

[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]
[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]
[2017-03-10T15:32:24,922][INFO ][c.f.s.c.ConfigurationModule] FLS/DLS valve not bound (noop)
[2017-03-10T15:32:24,923][INFO ][c.f.s.c.ConfigurationModule] Privileges interceptor not bound (noop)
[2017-03-10T15:32:24,924][INFO ][c.f.s.a.AuditLogModule ] Auditlog not available
[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] initialized
[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] starting ...
[2017-03-10T15:32:27,195][INFO ][o.e.t.TransportService ] [mynode] publish_address {10.93.37.135:9300}, bound_addresses {127.0.0.1:9300}, {10.93.37.135:9300}
[2017-03-10T15:32:27,200][INFO ][o.e.b.BootstrapCheck ] [mynode] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks
[2017-03-10T15:32:27,205][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Check if searchguard index exists ...
[2017-03-10T15:32:27,211][DEBUG][o.e.a.a.i.e.i.TransportIndicesExistsAction] [mynode] no known master node, scheduling a retry
[2017-03-10T15:32:31,030][INFO ][o.e.c.s.ClusterService ] [mynode] detected_master
...
[2017-03-10T15:32:33,398][INFO ][o.e.h.HttpServer ] [mynode] publish_address {10.93.37.135:9200}, bound_addresses {127.0.0.1:9200}, {10.93.37.135:9200}
[2017-03-10T15:32:33,398][INFO ][o.e.n.Node ] [mynode] started
[2017-03-10T15:32:33,462][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Node 'mynode' initialized
[2017-03-10T15:32:38,797][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@5b45e788 threw unexpected exception
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")

We are using ES 5.1.1-1 and the ldap backend module 5.0-7 (we have an education license).

Thanks for any hints,
Andreas

--
You received this message because you are subscribed to a topic in the Google Groups "Search Guard" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/BCo7OXboqD4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/05e25456-b4ef-4666-b6f4-95c8a341289d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/8065e858-179a-4fdc-96b3-51b9d864d3d0%40me.com.
For more options, visit https://groups.google.com/d/optout.