LDAP configuration is not working


(sukesh) #1

Hi,
I am getting the following error while trying to authenticate as an LDAP user.

[2017-10-24T12:01:52,296][INFO ][o.e.p.r.a.ACL ] FORBIDDEN by default req={ ID:1372249213-1612331731#61, TYP:MainRequest, CGR:N/A, USR:gauss, BRS:true, ACT:cluster:monitor/main, OA:52.36.179.205, IDX:<N/A>, MET:GET, PTH:/, CNT:<N/A>, HDR:Accept,Accept-Encoding,Accept-Language,Authorization,Cache-Control,Connection,content-length,Host,Postman-Token,User-Agent,Via,X-Forwarded-For, HIS:[Accept requests from users in group team1 on index1->[groups->false]], [Accept requests to index1 from users with valid LDAP credentials, belonging to LDAP group 'team1'->[ldap_authorization->false, ldap_authentication->true, indices->true]] }

I tried with an online test LDAP server: http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
LDAP configuration in elasticsearch.yml:

readonlyrest:
    enable: true
    response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin

    access_control_rules:
    - name: Accept requests to index1 from users with valid LDAP credentials, belonging to LDAP group 'team1'
      ldap_authentication: "ldap1"
      ldap_authorization:
        name: "ldap1"                                             # ldap name from 'ldaps' section
        groups: ["mathematicians"]                                # group within 'ou=Groups,dc=example,dc=com'
      indices: ["test_index1"]

    ldaps:
    - name: ldap1
      host: "ldap.forumsys.com"
      port: 389                                                   # default 389
      ssl_enabled: false                                          # default true
      ssl_trust_all_certs: true                                   # default false
      bind_dn: "cn=read-only-admin,dc=example,dc=com"             # skip for anonymous bind
      bind_password: "password"                                   # skip for anonymous bind
      search_user_base_DN: "dc=example,dc=com"
      user_id_attribute: "uid"                                    # default "uid"
      search_groups_base_DN: "ou=mathematicians,dc=example,dc=com"
      unique_member_attribute: "uniqueMember"                     # default "uniqueMember"
      connection_pool_size: 10                                    # default 30
      connection_timeout_in_sec: 10                               # default 1
      request_timeout_in_sec: 10                                  # default 1
      cache_ttl_in_sec: 0                                         # default 0 - cache disabled
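The useful part of the FORBIDDEN line above is the HIS: section, which records, for every ACL block, which rule matched (->true) and which did not (->false). The following triage helper is an added example, not part of the original post and not ReadonlyREST code: it parses that section with the standard library only and points at the failing rule. It assumes the log layout shown in the post (req={ KEY:value, ... HIS:[block->[rule->bool, ...]], ... }) and the ->true / ->false meaning just described; the sample input is the quoted log line itself.

```python
import re

# Sample input: the ACL log line quoted in the post above, embedded here as a test fixture.
SAMPLE_LOG = (
    "[2017-10-24T12:01:52,296][INFO ][o.e.p.r.a.ACL ] FORBIDDEN by default req={ "
    "ID:1372249213-1612331731#61, TYP:MainRequest, CGR:N/A, USR:gauss, BRS:true, "
    "ACT:cluster:monitor/main, OA:52.36.179.205, IDX:<N/A>, MET:GET, PTH:/, CNT:<N/A>, "
    "HDR:Accept,Accept-Encoding,Accept-Language,Authorization,Cache-Control,Connection,"
    "content-length,Host,Postman-Token,User-Agent,Via,X-Forwarded-For, "
    "HIS:[Accept requests from users in group team1 on index1->[groups->false]], "
    "[Accept requests to index1 from users with valid LDAP credentials, belonging to "
    "LDAP group 'team1'->[ldap_authorization->false, ldap_authentication->true, indices->true]] }"
)

# Assumed layout (from the quoted line): HIS:[<block name>->[<rule>-><true|false>, ...]], [...] }
HIS_RE = re.compile(r"HIS:(.*)\s*\}\s*$")
BLOCK_RE = re.compile(r"\[(.*?)->\[(.*?)\]\]")


def request_field(line, key):
    """Return a scalar req={...} field such as USR or ACT, or None if it is absent."""
    m = re.search(r"\b%s:([^,}]*)" % re.escape(key), line)
    return m.group(1).strip() if m else None


def parse_history(line):
    """Map each ACL block name to {rule_name: matched} taken from the HIS: section."""
    m = HIS_RE.search(line)
    if not m:
        return {}
    history = {}
    for block, rules in BLOCK_RE.findall(m.group(1)):
        history[block] = {
            key.strip(): value.strip() == "true"
            for key, _, value in (r.partition("->") for r in rules.split(","))
        }
    return history


def failed_rules(line):
    """List (block, rule) pairs that evaluated to false, in log order."""
    return [(block, rule)
            for block, rules in parse_history(line).items()
            for rule, ok in rules.items() if not ok]


def diagnose(line):
    """One finding per block, naming the rule that stopped the block from matching."""
    user = request_field(line, "USR")
    findings = []
    for block, rules in parse_history(line).items():
        if rules.get("ldap_authentication") and rules.get("ldap_authorization") is False:
            # Bind worked, so credentials and user lookup are fine; the group search is what failed.
            findings.append(
                "block %r: LDAP bind for user %r succeeded but no configured group matched; "
                "check 'groups' and 'search_groups_base_DN'" % (block, user))
        elif rules.get("ldap_authentication") is False:
            findings.append(
                "block %r: LDAP bind failed for user %r (credentials or user_id_attribute)"
                % (block, user))
        elif any(not ok for ok in rules.values()):
            failed = ", ".join(rule for rule, ok in rules.items() if not ok)
            findings.append("block %r: rule(s) %s did not match" % (block, failed))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

Run against the line from the post, it reports that the second block authenticated gauss (ldap_authentication->true) and then failed on ldap_authorization, which narrows the problem to the group lookup settings rather than the bind credentials.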

(Simone Scarduzio) #2

So @sukeshss you said you resolved the issue in GitHub. Can you edit your settings sample and make it work, so it serves as documentation for others?

Thanks!