Security manager fails sometimes

Elasticsearch version: 7.17.12

Server OS version: Rocky Linux release 8.8 (Green Obsidian)

Java version: openjdk version “” 2023-08-24

Search Guard version: 1.3.0-es-7.17.12

Describe the issue:
When I’m doing many requests in parallels, some of them fails, and in the log, I’m getting the following stack:

[2023-09-27T16:14:43,273][ERROR][c.f.s.a.b.RequestAuthenticationProcessor] [XXX-1] Error while authenticating AuthCredentials [username=XXXX, subUserName=null, authDomainInfo=AuthDomainInfo [authDomainId=null, authenticatorType=trusted_origin, authBackend
Type=null], password=null, nativeCredentials=null, backendRoles=[], searchGuardRoles=[], complete=true, authzComplete=false, redirectUri=null, attributes={}, structuredAttributes={}, claims={}, attributesForUserMapping={credentials={user_name=n/a}, request
={headers=org.elasticsearch.http.netty4.Netty4HttpRequest$HttpHeadersMap@771fcdd5, direct_ip_address=XXXX, originating_ip_address=XXX}}]
{ldap_rc=91 (connect error)}
com.floragunn.searchguard.authc.AuthenticatorUnavailableException: Error while creating connection to LDAP server
LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server XXXX:636:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to
 establish a connection to server XXXX/XXX:636:  AccessControlException(access denied ("" "XXXX:636" "connect,resolve")), ldapSDKVersion=5.0.1, revision=3290ee33d4aa17df1aadb4d814d6534375f395a
        at com.floragunn.searchguard.enterprise.auth.ldap.LDAPConnectionManager.getConnection( ~[dlic-search-guard-flx-security-1.3.0-es-7.17.12.jar:1.3.0-es-7.17.12]
        at com.floragunn.searchguard.enterprise.auth.ldap.LDAPAuthenticationBackend.searchGroups( ~[dlic-search-guard-flx-security-1.3.0-es-7.17.12.jar:1.3.0-es-7.17.12]
        at com.floragunn.searchguard.enterprise.auth.ldap.LDAPAuthenticationBackend.getUserInformation( ~[dlic-search-guard-flx-security-1.3.0-es-7.17.12.jar:1.3.0-es-7.17.12]
        at com.floragunn.searchguard.authc.base.StandardAuthenticationDomain.authenticate( ~[search-guard-flx-security-1.3.0-es-7.17.12.jar:1.3.0-es-7.17.12]
        at com.floragunn.searchguard.authc.base.RequestAuthenticationProcessor.callAuthcBackends( [search-guard-flx-security-1.3.0-es-7.17.12.jar:1.3.0-es-7.17.12]
Caused by: access denied ("" "XXXX:636" "connect,resolve")
        at ~[?:?]
        at ~[?:?]
        at java.lang.SecurityManager.checkPermission( ~[?:?]
        at java.lang.SecurityManager.checkConnect( ~[?:?]
        at ~[?:?]
        at ~[?:?]
        at ~[unboundid-ldapsdk-5.0.1.jar:5.0.1]

The LDAP connection configuration is:

          trust_all: false
          - "TLSv1.2"
          - "TLSv1.3"
        - "XXXX:636"
            min_size: 5
            max_size: 5
        bind_dn: "XXXX"
        password: "XXXX"
          by_attribute: "sAMAccountName"
        base_dn: "XXXX"
        base_dn: "XXX"
          enabled: true
        role_name_attribute: "dn"

I don’t understand why in some case the security manager fails, but not all the time. Look like a concurency bug for me.

It’s critical, it prevent from upgrading to flx and I don’t see any work around.

Hi @fbacchella

What IAM tool do you use for LDAP authentication?

It’s a plain ActiveDirectory. But the exceptions is thrown from a SecurityManager, so I don’t think that will change anything.

No answer about my problem ?

Could you share your elasticsearch.yml? Please change or remove sensitive details.
Do you know approximately how many requests in parallel you had?

I’m a paying client. So is it possible to open a private ticket ?

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

This is being worked on. You can track the progress at LDAP connection pool fails with access denied ("") when scaling up (#256) · Issues · search-guard / Search Guard Suite Enterprise · GitLab