[search-guard group] LDAP issues

It looks (from the error message) like that the SettingsBasedAuthenticator is used instead of the LDAP server.

As Simon said, can you please post the logs (on debug level)


Am 10.07.2015 um 19:23 schrieb Evan Bradham <ebradham@gmail.com>:

I am trying to get LDAP auth working and having no success. I feel like I missing something that should likely be obvious. Can you help out? Thanks.

Note that *'s were added to obfuscate.

Here is my .yml configuration:
searchguard.check_for_root: false
searchguard.key_path: /etc/searchguard
searchguard.rewrite_get_as_search: true

searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.ldap.LDAPAuthenticationBackend
searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.ldap.LDAPAuthorizator

searchguard.authentication.ldap.host: ["ldap.***.edu:389"]
searchguard.authentication.ldap.ldaps.ssl.enabled: false
searchguard.authentication.ldap.ldaps.starttls.enabled: false

searchguard.authentication.ldap.userbase: ou=People,o=***.edu
searchguard.authentication.ldap.usersearch: (uid={0})
searchguard.authentication.ldap.username_attribute: uid

Here is my curl test with results:
curl -u user -v -XGET 'http://***.***.***.***:9200/_cluster/health?pretty=true'

Enter host password for user 'user':
* Hostname was NOT found in DNS cache
* Trying ***.***.***.***...
* Connected to ***.***.***.*** (***.***.***.***) port 9200 (#0)
* Server auth using Basic with user 'user'
> GET /_cluster/health?pretty=true HTTP/1.1
> Authorization: Basic ZWJyYWRoYW06czljOWRUcnRNWDBF
> User-Agent: curl/7.35.0
> Host: ***.***.***.***:9200
> Accept: */*
< HTTP/1.1 500 Internal Server Error
< Content-Type: application/json; charset=UTF-8
< Content-Length: 245
  "error" : "AuthException[com.floragunn.searchguard.authentication.AuthException: No user user or wrong password (digest: plain/none)]; nested: AuthException[No user user or wrong password (digest: plain/none)]; ",
  "status" : 500
* Connection #0 to host ***.***.***.*** left intact

I am using the basic ACL from the installation guide:
curl -XPUT 'http://localhost:9200/searchguard/ac/ac' -d '{
    "acl": [
        "__Comment__": "By default no filters are executed and no filters a by-passed. In such a case an exception is thrown and access will be denied.",
        "filters_bypass": ,
           "__Comment__": "For role *admin* all filters are bypassed (so none will be executed). This means unrestricted access.",
           "roles": [
           "filters_bypass": ["*"],

You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/9bf7cf07-c36f-45ab-aad1-d57aec29f13f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.