SearchGuard Active Directory Not able to sync user

Hi,

I have followed the Document

https://github.com/floragunncom/search-guard-docs/blob/master/ldap.md

step by step i am using latest ElasticSearch version with latest Search-guard .I have configured sg_config.yml but when i restarted Elasticsearch it not giving any logs about Active directory connected on not also no any logs i am getting to know what error i having

please find Details here

searchguard_demo.log (117 KB)

sg_config.yml (9.11 KB)

Seems you did not install the LDAP module:

I have put dlic-search-guard-authbackend-ldap-5.0-7-jar-with-dependencies.jar in /usr/share/elasticsearch/plugins/search-guard-5 and re-start Elasticsearch .

I am using 5.5.0 version of elasticsearcg with searchguard version

5.5.0-14 ,please guide me where i was wrong

Is this Version Issues?

The LDAP module is either not installed or not configured. If the module is active, you will see a message like this in the logfile during startup:

If i remove jar file from Folder i am getting this Error

[2017-07-13T09:47:55,464][ERROR][c.f.s.a.BackendRegistry ] Unable to initialize AuthorizationBackend java.lang.ClassNotFoundException: com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend due to roles_from_myldap

[2017-07-13T09:47:55,465][ERROR][c.f.s.a.BackendRegistry ] Unable to initialize auth domain java.lang.ClassNotFoundException: com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend due to ldap

It means Jar file loading by elasticsearch,but wheen i put jar file i cant get any information wheather its connected Ad or not

this is jar version dlic-search-guard-authbackend-ldap-5.0-7-jar-with-dependencies.jar

But i am getting this in log file when i restart elasticsearch

LICENSE NOTICE Search Guard

If you use one or more of the following features in production

make sure you have a valid Search Guard license

(See Licensing | Search Guard Community, Enterprise and Compliance Edition)

• Kibana Multitenancy

• LDAP authentication/authorization

• Active Directory authentication/authorization

• REST Management API

• JSON Web Token (JWT) authentication/authorization

• Kerberos authentication/authorization

• Document- and Fieldlevel Security (DLS/FLS)

• Auditlogging

In case of any doubt mail to sales@floragunn.com

Yes, that’s the general licens information we print out. I think the error is due to a misconfiguration in sg_config.

You have set the “challenge” flag to false in the ldap authentication domain (which comes first with order set to 1), and have set the challenge flag to true for the basic_internal_auth_domain (which comes second with order set to 4).

This means that the LDAP module expects pre-authenticated requests, and will not challenge the user for credentials when they are missing. Thus, the Basic Authentication popup is triggered by the basic_internal_auth_domain, not the LDAP one, means that in your case LDAP is skipped.

If you keep the order of the authenticators as it is now, set the challenge flag to true for LDAP, and set it to false for basic_internal_auth_domain. That should work.

After Changes in sg_config.yml ,challenge flag to true for ldap and false everywhere in file

then i have followed ./sgadmin_demo.sh command to update Changes

after that if i see the logs i get nothing related to Active directory.Please guide me how to trace this Error

1920×1080 136 KB

If you’re using debs or rpms, then you probably won’t see the license information, since stdout is probably not redirected.
However, with the changed config, what happens now when you try to login? Also you can set the log level to debug by adding:

logger.fg.name = com.floragunn

logger.fg.level = debug

In log4j2.properties

Sorry, But After enabling searchguard in debug mode also not able to trace anything related with Active Directory,Can you please Confirm that whether we

have tested with Latest version of ElasticSearch and searchguard.

Since i dont even trigger anything related to Active Directory.I am sure Configuration was fine

Sorry, But After enabling searchguard in debug mode also not able to trace anything related with Active Directory,Can you please Confirm that whether we

have tested with Latest version of ElasticSearch and searchguard.

Since i dont even trigger anything related to Active Directory.I am sure Configuration was fine

I have also triyed with tar Version of elasticsearch elasticsearch-5.5.0 but i am still getting same Error

please guide me how to solve this

How do i know whether Module is installed or not,because if i remove .jar it giving me exception so,please suggest me the IDea how to make Ad integration sucess

now i am getting this message on console

Ok, good, that means the module is loaded and the config is picked up. Of course you don’t see LDAP users in the internal user database since these are two completely different things, see also here: Redirecting to Google Groups

You don’t see or manage LDAP users in Search Guard directly, and there’s no syncing involved of any kind. The whole point of LDAP is to have one central place to administer users and groups.