SearchGuard Active Directory Not able to sync user

Hi,

I have followed the Document

https://github.com/floragunncom/search-guard-docs/blob/master/ldap.md

step by step i am using latest ElasticSearch version with latest Search-guard .I have configured sg_config.yml but when i restarted Elasticsearch it not giving any logs about Active directory connected on not also no any logs i am getting to know what error i having

please find Details here

searchguard_demo.log (117 KB)

sg_config.yml (9.11 KB)

Seems you did not install the LDAP module:

···

On Thursday, July 13, 2017 at 10:53:24 AM UTC+2, Vikash Singh wrote:

Hi,

I have followed the Document

https://github.com/floragunncom/search-guard-docs/blob/master/ldap.md

step by step i am using latest ElasticSearch version with latest Search-guard .I have configured sg_config.yml but when i restarted Elasticsearch it not giving any logs about Active directory connected on not also no any logs i am getting to know what error i having

please find Details here

I have put dlic-search-guard-authbackend-ldap-5.0-7-jar-with-dependencies.jar in /usr/share/elasticsearch/plugins/search-guard-5 and re-start Elasticsearch .

I am using 5.5.0 version of elasticsearcg with searchguard version

5.5.0-14 ,please guide me where i was wrong

Is this Version Issues?

The LDAP module is either not installed or not configured. If the module is active, you will see a message like this in the logfile during startup:

···

Searchguard LDAP is not free software

for commercial use in production.

You have to obtain a license if you

use it in production.


  • Check that the jar file is placed correctly and is readable by the ES process.

  • Make sure to update your changed sg_config via sgadmin

On Thursday, July 13, 2017 at 11:01:11 AM UTC+2, Vikash Singh wrote:

I have put dlic-search-guard-authbackend-ldap-5.0-7-jar-with-dependencies.jar in /usr/share/elasticsearch/plugins/search-guard-5 and re-start Elasticsearch .

I am using 5.5.0 version of elasticsearcg with searchguard version

5.5.0-14 ,please guide me where i was wrong

If i remove jar file from Folder i am getting this Error

[2017-07-13T09:47:55,464][ERROR][c.f.s.a.BackendRegistry ] Unable to initialize AuthorizationBackend java.lang.ClassNotFoundException: com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend due to roles_from_myldap

[2017-07-13T09:47:55,465][ERROR][c.f.s.a.BackendRegistry ] Unable to initialize auth domain java.lang.ClassNotFoundException: com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend due to ldap

It means Jar file loading by elasticsearch,but wheen i put jar file i cant get any information wheather its connected Ad or not

this is jar version dlic-search-guard-authbackend-ldap-5.0-7-jar-with-dependencies.jar

But i am getting this in log file when i restart elasticsearch

LICENSE NOTICE Search Guard

If you use one or more of the following features in production

make sure you have a valid Search Guard license

(See https://floragunn.com/searchguard-validate-license)

  • Kibana Multitenancy

  • LDAP authentication/authorization

  • Active Directory authentication/authorization

  • REST Management API

  • JSON Web Token (JWT) authentication/authorization

  • Kerberos authentication/authorization

  • Document- and Fieldlevel Security (DLS/FLS)

  • Auditlogging

In case of any doubt mail to sales@floragunn.com

···

###################################

Yes, that’s the general licens information we print out. I think the error is due to a misconfiguration in sg_config.

You have set the “challenge” flag to false in the ldap authentication domain (which comes first with order set to 1), and have set the challenge flag to true for the basic_internal_auth_domain (which comes second with order set to 4).

This means that the LDAP module expects pre-authenticated requests, and will not challenge the user for credentials when they are missing. Thus, the Basic Authentication popup is triggered by the basic_internal_auth_domain, not the LDAP one, means that in your case LDAP is skipped.

If you keep the order of the authenticators as it is now, set the challenge flag to true for LDAP, and set it to false for basic_internal_auth_domain. That should work.

···

On Thursday, July 13, 2017 at 11:52:41 AM UTC+2, Vikash Singh wrote:

But i am getting this in log file when i restart elasticsearch

LICENSE NOTICE Search Guard

If you use one or more of the following features in production

make sure you have a valid Search Guard license

(See https://floragunn.com/searchguard-validate-license)

  • Kibana Multitenancy
  • LDAP authentication/authorization
  • Active Directory authentication/authorization
  • REST Management API
  • JSON Web Token (JWT) authentication/authorization
  • Kerberos authentication/authorization
  • Document- and Fieldlevel Security (DLS/FLS)
  • Auditlogging

In case of any doubt mail to sales@floragunn.com

###################################

After Changes in sg_config.yml ,challenge flag to true for ldap and false everywhere in file

then i have followed ./sgadmin_demo.sh command to update Changes

after that if i see the logs i get nothing related to Active directory.Please guide me how to trace this Error

If you’re using debs or rpms, then you probably won’t see the license information, since stdout is probably not redirected.
However, with the changed config, what happens now when you try to login? Also you can set the log level to debug by adding:

logger.fg.name = com.floragunn

logger.fg.level = debug

In log4j2.properties

···

On Thursday, July 13, 2017 at 12:39:37 PM UTC+2, Vikash Singh wrote:

After Changes in sg_config.yml ,challenge flag to true for ldap and false everywhere in file

then i have followed ./sgadmin_demo.sh command to update Changes

after that if i see the logs i get nothing related to Active directory.Please guide me how to trace this Error

Sorry, But After enabling searchguard in debug mode also not able to trace anything related with Active Directory,Can you please Confirm that whether we

have tested with Latest version of ElasticSearch and searchguard.

Since i dont even trigger anything related to Active Directory.I am sure Configuration was fine

···

On Thu, Jul 13, 2017 at 4:13 PM, Jochen Kressin jkressin@floragunn.com wrote:

If you’re using debs or rpms, then you probably won’t see the license information, since stdout is probably not redirected.
However, with the changed config, what happens now when you try to login? Also you can set the log level to debug by adding:

logger.fg.name = com.floragunn

logger.fg.level = debug

In log4j2.properties

On Thursday, July 13, 2017 at 12:39:37 PM UTC+2, Vikash Singh wrote:

After Changes in sg_config.yml ,challenge flag to true for ldap and false everywhere in file

then i have followed ./sgadmin_demo.sh command to update Changes

after that if i see the logs i get nothing related to Active directory.Please guide me how to trace this Error

You received this message because you are subscribed to a topic in the Google Groups “Search Guard” group.

To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/3kaRbjI5ze4/unsubscribe.

To unsubscribe from this group and all its topics, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/ae5f44ce-b9e4-4b2f-b2f1-07c4d116b5f9%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Best Regards

VikashSingh

Bizrunttime ITServices

Sorry, But After enabling searchguard in debug mode also not able to trace anything related with Active Directory,Can you please Confirm that whether we

have tested with Latest version of ElasticSearch and searchguard.

Since i dont even trigger anything related to Active Directory.I am sure Configuration was fine

I have also triyed with tar Version of elasticsearch elasticsearch-5.5.0 but i am still getting same Error

please guide me how to solve this

How do i know whether Module is installed or not,because if i remove .jar it giving me exception so,please suggest me the IDea how to make Ad integration sucess

now i am getting this message on console

···

Searchguard LDAP is not free software

for commercial use in production.

You have to obtain a license if you

use it in production.


But i tested with this _searchguard/api/configuration/internalusers ,and i cant see our Ad user their

Can ,you please guide how to View user

Ok, good, that means the module is loaded and the config is picked up. Of course you don’t see LDAP users in the internal user database since these are two completely different things, see also here: https://groups.google.com/forum/#!topic/search-guard/-Ba7Gz74Iwk

You don’t see or manage LDAP users in Search Guard directly, and there’s no syncing involved of any kind. The whole point of LDAP is to have one central place to administer users and groups.

···

On Thursday, July 13, 2017 at 3:37:05 PM UTC+2, Vikash Singh wrote:

now i am getting this message on console


Searchguard LDAP is not free software

for commercial use in production.

You have to obtain a license if you

use it in production.


But i tested with this _searchguard/api/configuration/internalusers ,and i cant see our Ad user their

Can ,you please guide how to View user