We had a working SearchGuard setup with basic auth. After adding LDAP to authc we suddenly got this error:
[2019-05-14T14:18:05,037][WARN ][c.f.d.a.l.b.LDAPAuthorizationBackend] [126.96.36.199-node-1] Unable to connect to ldapserver ldap.foo.bar:636 due to ElasticsearchException[Empty file path for searchguard.ssl.transport.truststore_filepath]. Try next.
As you can see from the config below we’re not using truststores, but PEM certificates. Any idea why this happens only when we try to use LDAP?
I think the error message is just plain wrong here. We’re refactoring the TLS settings at the moment, so they are consistent for all modules that use TLS.
In your case you should add the root CA PEM certificate that signed the LDAP certificate in the LDAP TLS config like:
Which might or might not be the same as your elasticsearch.yml:
Sorry for the misleading error message.
Thanks a lot for the help!
That setting did “something”, but I can’t say if it’s better or worse. Apparently it still wants a keystore:
java.io.IOException: Invalid keystore format. Try next.
This is strange, maybe I am wrong regarding the version you are using. Is this SG5, SG6 or SG7?
This is the version that’s installed currently: com.floragunn:search-guard-6:6.7.1-24.3
Edit: Elastic runs on 6.7.1
Thanks. Can you please also add the complete stacktrace for this Exception?
Unfortunately there is no stacktrace. Just this one message. The logs above and below don’t seem to be related in any way.
I can send you the logs tomorrow via PM if you think there might be anything in it that helps.
[2019-05-14T15:25:55,624][WARN ][c.f.d.a.l.b.LDAPAuthorizationBackend] [188.8.131.52-node-1] Unable to connect to ldapserver …:636 due to java.io.IOException: Invalid keystore format. Try next.
Yes, please, it always helps to get the complete picture. You can send a PM; if you feel more comfortable with PGP, you can also use our public key for email@example.com:
Apologies, your suggestion to add pemtrustedcas_filepath as a config option does actually work. I copied something else without realising.
Thank you very much for your help!
Glad it works, because I was a bit at a loss regarding the error message and the configuration.
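
For readers landing on this thread: a sketch of where the `pemtrustedcas_filepath` option confirmed above sits in an LDAP backend's TLS settings. This is an added example, not the configuration posted by either participant; the surrounding keys follow the Search Guard 6 `sg_config.yml` layout as an assumption, the host is the one from the log line, and the CA path is a placeholder.

```yaml
# Added example (not from the thread). Fragment of one LDAP backend entry in
# sg_config.yml. The warning in the thread came from LDAPAuthorizationBackend,
# so the authz side is shown; an LDAP authentication_backend under authc takes
# the same connection settings in its own config block.
authorization_backend:
  type: ldap
  config:
    enable_ssl: true            # LDAPS on port 636
    verify_hostnames: true      # keep hostname verification on
    hosts:
      - ldap.foo.bar:636
    # Root CA that signed the LDAP server's certificate, in PEM format.
    # Placeholder path; this CA may differ from the one used for the
    # node certificates in elasticsearch.yml.
    pemtrustedcas_filepath: /path/to/ldap-root-ca.pem
```

After changing `sg_config.yml`, the configuration has to be pushed to the cluster with sgadmin before it takes effect.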