[search-guard group] java security exception when running ldap module

Hi,

After some investigation we figured out what the issue was:

The ldap exception regarding the referrals was only a warning, but wasn’t actually related to the issue.

We found that setting “rolename” to “dn” populated the roles array for a user. We had it set to a different value on our test system before - and it worked there (the test system used the ldap module version 5.0.6), but not on the production system (using 5.08 you provided).

We are now investigating the next issue - i.e. authorization works, but only if the mapped role has access to all indices (’*’). Setting it to any subset does not work (the same index pattern is set up in Kibana).

If we cannot get this working I’ll open another email thread.

Thanks a lot for your help on this issue.

Andreas

···

On Mar 23, 2017, at 12:59 AM, SG info@search-guard.com wrote:

Am 22.03.2017 um 22:27 schrieb Andreas Freudenreich andreas.freudenreich@icloud.com:

Hi,
After applying this version I get following in the logs - and elasticsearch shuts down:

[2017-03-22T13:56:48,036][WARN ][c.f.s.h.SearchGuardHttpServerTransport] [ela-coordprd01] caught exception while handling client http traffic, closing connection [id: 0x4bc3e24e, L:/10.93.37.135:9200 - R:/
137.82.5.97:38770]
com.google.common.util.concurrent.ExecutionError: java.lang.ExceptionInInitializerError
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2205) ~[?:?]
at com.google.common.cache.LocalCache.get(LocalCache.java:3953) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4790) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:481) ~[?:?]
at com.floragunn.searchguard.filter.SearchGuardRestFilter.process(SearchGuardRestFilter.java:99) ~[?:?]
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:310) ~[elasticsearch-5.1.1.jar:5.1.1]
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:203) ~[elasticsearch-5.1.1.jar:5.1.1]
at org.elasticsearch.http.HttpServer.dispatchRequest(HttpServer.java:113) ~[elasticsearch-5.1.1.jar:5.1.1]
at org.elasticsearch.http.netty4.Netty4HttpServerTransport.dispatchRequest(Netty4HttpServerTransport.java:507) ~[transport-netty4-client-5.1.1.jar:5.1.1]
at com.floragunn.searchguard.ssl.http.netty.SearchGuardSSLNettyHttpServerTransport.dispatchRequest(SearchGuardSSLNettyHttpServerTransport.java:120) ~[search-guard-ssl-5.1.1-20.jar:5.1.1-20]
at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:69) ~[transport-netty4-client-5.1.1.jar:5.1.1]
at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) ~[netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at org.elasticsearch.http.netty4.pipelining.HttpPipeliningHandler.channelRead(HttpPipeliningHandler.java:66) [transport-netty4-client-5.1.1.jar:5.1.1]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:111) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:293) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:267) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1069) [netty-handler-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:902) [netty-handler-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:651) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:536) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:490) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:450) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:873) [netty-common-4.1.6.Final.jar:4.1.6.Final]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]
Caused by: java.lang.ExceptionInInitializerError
at com.unboundid.ldap.sdk.LDAPConnectionInternals.(LDAPConnectionInternals.java:187) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.(LDAPConnection.java:534) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.getConnection(LDAPAuthorizationBackend.java:140) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate0(LDAPAuthenticationBackend.java:90) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.access$000(LDAPAuthenticationBackend.java:44) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:74) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:71) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:71) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:487) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:481) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4793) ~[?:?]
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[?:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[?:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[?:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[?:?]
… 58 more
Caused by: java.security.AccessControlException: access denied (“java.util.PropertyPermission” “" “read,write”)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_121]
at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_121]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_121]
at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1262) ~[?:1.8.0_121]
at java.lang.System.getProperties(System.java:630) ~[?:1.8.0_121]
at com.unboundid.util.Debug.(Debug.java:166) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnectionInternals.(LDAPConnectionInternals.java:187) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.(LDAPConnection.java:534) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.getConnection(LDAPAuthorizationBackend.java:140) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate0(LDAPAuthenticationBackend.java:90) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.access$000(LDAPAuthenticationBackend.java:44) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:74) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:71) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:71) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:487) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:481) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4793) ~[?:?]
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[?:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[?:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[?:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[?:?]
… 58 more
[2017-03-22T13:56:48,037][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [ela-coordprd01] fatal error in thread [Thread-6], exiting
com.google.common.util.concurrent.ExecutionError: java.lang.ExceptionInInitializerError
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2205) ~[?:?]
at com.google.common.cache.LocalCache.get(LocalCache.java:3953) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4790) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:481) ~[?:?]
at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:69) ~[?:?]
at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at org.elasticsearch.http.netty4.pipelining.HttpPipeliningHandler.channelRead(HttpPipeliningHandler.java:66) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) ~[?:?]
at io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:111) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:293) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:267) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1069) ~[?:?]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:902) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) ~[?:?]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:651) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:536) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:490) ~[?:?]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:450) ~[?:?]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:873) ~[?:?]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]
Caused by: java.lang.ExceptionInInitializerError
at com.unboundid.ldap.sdk.LDAPConnectionInternals.(LDAPConnectionInternals.java:187) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.(LDAPConnection.java:534) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.getConnection(LDAPAuthorizationBackend.java:140) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate0(LDAPAuthenticationBackend.java:90) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.access$000(LDAPAuthenticationBackend.java:44) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:74) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:71) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:71) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:487) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:481) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4793) ~[?:?]
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[?:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[?:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[?:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[?:?]
… 58 more
Caused by: java.security.AccessControlException: access denied (“java.util.PropertyPermission” "
” “read,write”)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_121]
at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_121]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_121]
at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1262) ~[?:1.8.0_121]
at java.lang.System.getProperties(System.java:630) ~[?:1.8.0_121]
at com.unboundid.util.Debug.(Debug.java:166) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnectionInternals.(LDAPConnectionInternals.java:187) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.(LDAPConnection.java:534) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.getConnection(LDAPAuthorizationBackend.java:140) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate0(LDAPAuthenticationBackend.java:90) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.access$000(LDAPAuthenticationBackend.java:44) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:74) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:71) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:71) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:487) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:481) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4793) ~[?:?]
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[?:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[?:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[?:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[?:?]
… 58 more

Thanks,
Andreas

On Mar 22, 2017, at 08:53 AM, Search Guard info@search-guard.com wrote:

can you try this one https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-authbackend-ldap/5.0-8-unb-SNAPSHOT/dlic-search-guard-authbackend-ldap-5.0-8-unb-20170322.155126-1-jar-with-dependencies.jar

seems to be a problem with referrals

On Monday, 20 March 2017 20:37:55 UTC+1, Andreas Freudenreich wrote:
Hi,
I have installed the linked 5.0.8 version and it gets past the java error now - thanks!
.
Authorization fails, though, with another error:

[2017-03-20T12:30:31,302][WARN ][o.l.r.SearchReferralHandler] Could not follow referral to ldap://DomainDnsZones.ourdomain.ca/DC=DomainDnsZones,DC=our,DC=domain,DC=ca
org.ldaptive.LdapException: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1^@]; remaining name ‘DC=DomainDnsZones,DC=our,DC=domain,DC=ca’

Current authz configuration:
authz:
roles_from_myldap:
enabled: true
authorization_backend:

LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)

type: ldap # NOT FREE FOR COMMERCIAL USE
config:
enable_ssl: false
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: false
hosts:

  • ead-sdcp10.ourdomain.ca:389
    bind_dn: ‘CN=AS-svcuser,OU=ServiceAccounts,OU=ES,OU=SERVICES,DC=our,DC=domain,DC=ca’
    password: ‘our_pw’
    rolebase: ‘OU=role,OU=groups,OU=ES,OU=SERVICES,DC=our,DC=domain,DC=ca’

Filter to search for roles (currently in the whole subtree beneath rolebase)

{0} is substituted with the DN of the user

{1} is substituted with the username

{2} is substituted with an attribute value from user’s directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute

rolesearch: ‘(uniqueMember={0})’

Specify the name of the attribute which value should be substituted with {2} above

userroleattribute: member

Roles as an attribute of the user entry

userrolename: memberOf

The attribute in a role entry containing the name of that role

rolename: distinguishedName

Resolve nested roles transitive (roles which are members of other roles and so on …)

resolve_nested_roles: true
userbase: ‘DC=our,DC=domain,DC=ca’

Filter to search for users (currently in the whole subtree beneath userbase)

{0} is substituted with the username

usersearch: ‘(samaccountname={0})’

I can perform an ldapsearch successfully with the same bind credentials.

Thanks for any hints,
Andreas

On Monday, 13 March 2017 10:42:50 UTC-7, Search Guard wrote:
can you check if https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-authbackend-ldap/5.0-8-SNAPSHOT/dlic-search-guard-authbackend-ldap-5.0-8-20170313.174111-1-jar-with-dependencies.jar fixes your issue (or at least print out more details)?

On Saturday, 11 March 2017 01:25:15 UTC+1, Andreas Freudenreich wrote:
Hi,
I get errors like the following when adding ldap authentication/authorization to searchguard. Authentication works, but authorization does not:

[2017-03-10T16:02:28,327][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@2735818d threw unexpected exception
java.security.AccessControlException: access denied (“java.lang.RuntimePermission” “getClassLoader”)

Here the startup logs:
[2017-03-10T15:32:18,699][INFO ][c.f.s.SearchGuardPlugin ] FLS/DLS module not available
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot™ 64-Bit Server VM
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64
[2017-03-10T15:32:18,760][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers

[2017-03-10T15:32:18,803][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Config directory is /etc/elasticsearch/, from there the key- and truststore files are resolved relatively
[2017-03-10T15:32:19,303][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] HTTPS client auth mode OPTIONAL
[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] AES-256 not supported, max key length for AES is 128 bit… That is not an issue, it just limits possible encryption strength. To enable AES 256 install ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’
[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportClientProvider:OPENSSL with ciphers

[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]
[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [aggs-matrix-stats]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [ingest-common]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-expression]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-groovy]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-mustache]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [lang-painless]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [percolator]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [reindex]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty3]
[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded module [transport-netty4]
[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [search-guard-5]
[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService ] [mynode] loaded plugin [x-pack]
[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available
[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available
[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121
[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot™ 64-Bit Server VM
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64

[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]
[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]
[2017-03-10T15:32:24,922][INFO ][c.f.s.c.ConfigurationModule] FLS/DLS valve not bound (noop)
[2017-03-10T15:32:24,923][INFO ][c.f.s.c.ConfigurationModule] Privileges interceptor not bound (noop)
[2017-03-10T15:32:24,924][INFO ][c.f.s.a.AuditLogModule ] Auditlog not available
[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] initialized
[2017-03-10T15:32:26,411][INFO ][o.e.n.Node ] [mynode] starting …
[2017-03-10T15:32:27,195][INFO ][o.e.t.TransportService ] [mynode] publish_address {10.93.37.135:9300}, bound_addresses {127.0.0.1:9300}, {10.93.37.135:9300}
[2017-03-10T15:32:27,200][INFO ][o.e.b.BootstrapCheck ] [mynode] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks
[2017-03-10T15:32:27,205][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Check if searchguard index exists …
[2017-03-10T15:32:27,211][DEBUG][o.e.a.a.i.e.i.TransportIndicesExistsAction] [mynode] no known master node, scheduling a retry
[2017-03-10T15:32:31,030][INFO ][o.e.c.s.ClusterService ] [mynode] detected_master

[2017-03-10T15:32:33,398][INFO ][o.e.h.HttpServer ] [mynode] publish_address {10.93.37.135:9200}, bound_addresses {127.0.0.1:9200}, {10.93.37.135:9200}
[2017-03-10T15:32:33,398][INFO ][o.e.n.Node ] [mynode] started
[2017-03-10T15:32:33,462][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Node ‘mynode’ initialized
[2017-03-10T15:32:38,797][WARN ][o.l.SearchOperation ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@5b45e788 threw unexpected exception
java.security.AccessControlException: access denied (“java.lang.RuntimePermission” “getClassLoader”)

We are using ES 5.1.1-1 and the ldap backend module 5.0-7 (we have an education license).

Thanks for any hints,
Andreas


You received this message because you are subscribed to a topic in the Google Groups “Search Guard” group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/BCo7OXboqD4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/05e25456-b4ef-4666-b6f4-95c8a341289d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


You received this message because you are subscribed to the Google Groups “Search Guard” group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/8065e858-179a-4fdc-96b3-51b9d864d3d0%40me.com.
For more options, visit https://groups.google.com/d/optout.
Ok, seems there is no quick win solution here :frowning:

Can you provide details about your LDAP server and setup?

  • LDAP vendor and version (i assume AD?), how many ldap servers/replicas?
  • Setup regarding bind_dn and referrals -> “Could not follow referral to ldap://DomainDnsZones.ourdomain.ca/DC=DomainDnsZones,DC=our,DC=domain,DC=ca”

Would be great if you can help us tracking this down because currently i cannot reproduce it. Thx.


You received this message because you are subscribed to a topic in the Google Groups “Search Guard” group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/BCo7OXboqD4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/1367FDCB-E4D9-4DC6-BD4F-E8F564822333%40search-guard.com.
For more options, visit https://groups.google.com/d/optout.