I’m using SearchGuard with ES 5.2.2 mostly successfully. I’m trying to eliminate a warning that appears in the console output.
The warning is:
[2017-07-05T10:33:09,020][WARN ][o.l.r.SearchReferralHandler] Could not follow referral to ldap://ForestDnsZones.hidden.hidden.local/DC=ForestDnsZones,DC=hidden,DC=hidden,DC=local org.ldaptive.LdapException: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db0]; remaining name 'DC=ForestDnsZones,DC=hidden,DC=hidden,DC=local' ... Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db0]
I only get this printout because I’ve used the 5.0.8 version of the enterprise extension (found in another thread here).
Why does this warning occur? To me it’s strange because the LDAP config is, otherwise, working well. Here is my LDAP config.
```yaml
ldap:
  enabled: true
  order: 1
  http_authenticator:
    type: basic
    challenge: true
  authentication_backend:
    # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
    type: ldap # NOT FREE FOR COMMERCIAL USE
    config:
      # enable ldaps
      enable_ssl: false
      # enable start tls, enable_ssl should be false
      enable_start_tls: false
      # send client certificate
      enable_ssl_client_auth: false
      # verify ldap hostname
      verify_hostnames: true
      hosts:
      bind_dn: CN=LdapUserReader,OU=Comptes de services,OU=hidden,DC=hidden,DC=hidden,DC=local
      password: hidden
      userbase: 'DC=hidden,DC=hidden,DC=local'
      # Filter to search for users (currently in the whole subtree beneath userbase)
      # {0} is substituted with the username
      usersearch: '(sAMAccountName={0})'
      # Use this attribute from the user as username (if not set then DN is used)
      username_attribute: null
authz:
  roles_from_myldap:
    enabled: true
    authorization_backend:
      # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
      type: ldap # NOT FREE FOR COMMERCIAL USE
      config:
        # enable ldaps
        enable_ssl: false
        # enable start tls, enable_ssl should be false
        enable_start_tls: false
        # send client certificate
        enable_ssl_client_auth: false
        # verify ldap hostname
        verify_hostnames: true
        hosts:
        bind_dn: CN=LdapUserReader,OU=Comptes de services,OU=hidden,DC=hidden,DC=hidden,DC=local
        password: hidden
        rolebase: 'ou=Groupes de sécurité,ou=hidden,DC=hidden,DC=hidden,DC=local'
        # Filter to search for roles (currently in the whole subtree beneath rolebase)
        # {0} is substituted with the DN of the user
        # {1} is substituted with the username
        # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
        rolesearch: '(member={0})'
        # Specify the name of the attribute which value should be substituted with {2} above
        userroleattribute: null
        # Roles as an attribute of the user entry
        userrolename: disabled
        #userrolename: memberOf
        # The attribute in a role entry containing the name of that role, Default is "name".
        # Can also be "dn" to use the full DN as rolename.
        rolename: cn
        # Resolve nested roles transitive (roles which are members of other roles and so on ...)
        resolve_nested_roles: true
        userbase: 'DC=hidden,DC=hidden,DC=local'
        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        usersearch: '(sAMAccountName={0})'
        # Skip users matching a user name, a wildcard or a regex pattern
        #skip_users:
        #  - 'cn=Michael Jackson,ou*people,o=TEST'
        #  - '/\S*/'
  roles_from_another_ldap:
    enabled: false
    authorization_backend:
      type: ldap # NOT FREE FOR COMMERCIAL USE
      #config goes here ...
```