Is elk_testuser1:Welcome1
a valid login in ldap1? Or should in theory this be a failed login?
In general: blocks are evaluated one by one, the first who matches, the “type” policy is enforced (i.e allow/forbid) and the evaluation stops.
You can see the history of the evaluation of the access control chain in the “HST” field in the logs.
About the yellow/red index, with localhost looks like you’re asking the node’s opinion about an index (got the index, but couldn’t replicate), and with the other IP you get the cluster’s opinion (I know the index exists, but could not get the data replicated yet). That means, something else is wrong on the transport side or cluster discovery settings.