LDAP authentication failure sometimes in ELK 6.1.2


(sami) #1

Hi,
I’m using LDAP authentication, and I can log in to Kibana in the beginning, but after half a day the authentication fails for the same login/password, and restarting Elasticsearch solves the problem until it happens again.

By doing a tcpdump, I see that no packet is sent to the Windows server.

I’m using ReadonlyREST PRO 1.16.15 with ELK 6.1.2.
Is there some timeout or any tweak that can solve this problem?

Best Regards
Sami


(Simone Scarduzio) #2

Hi @slimsami!
Could you please try to set the cache TTL to zero? The setting is `cache_ttl_in_sec`.


(sami) #3

[ERROR][t.b.r.a.d.l.u.UnboundidAuthenticationLdapClient] LDAP getting user operation failed. LDAPSearchException: An error occurred while attempting to connect to server 10.XXX.XXX.XXX:3268: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server /10.XXX.XXX.XXX:3268: AccessControlException(message='access denied ("java.net.SocketPermission" "10.XXX.XXX.XXX:3268" "connect,resolve")', trace='checkPermission(AccessControlContext.java:472) / checkPermission(AccessController.java:884) / checkPermission(SecurityManager.java:549) / checkConnect(SecurityManager.java:1051) / connect(Socket.java:584) / run(ConnectThread.java:146)', revision=24201)')


(Eric Garza) #4

Hello,

I am also having this problem using Elastic v6.2.1 and ROR ES v1.16.16. My log entry matches slimsami’s as well. I have set the cache TTL to zero and restarted Elasticsearch, but I will have to wait to see if it reoccurs.

Thanks,
Eric


(Eric Garza) #5

Unfortunately, I did need to restart Elasticsearch again due to LDAP failures.


(sami) #6

Hi,
Thanks for the tip. I changed the cache TTL to zero and I’m waiting to see if it fixes the problem.

Sami


(Simone Scarduzio) #7

This issue is currently under investigation. I have an idea and will implement it as soon as I get some confirmation feedback on the cache TTL = 0 workaround.


(sami) #8

The workaround seems to be working; the error didn’t reoccur. Thanks


(Simone Scarduzio) #9

Thanks @slimsami, I know what to do now :slight_smile:


(Eric Garza) #10

The workaround does not appear to have resolved this for me; I still need to restart the service multiple times a day. Since it did work for sami, perhaps there is also another issue?


(Eric Garza) #11

One other note, not sure if it matters, but it is configured to connect to two different LDAPs; sometimes one will stop working while the other continues working fine for a while.


(Simone Scarduzio) #12

@egarza is your stack trace identical to @slimsami’s?


(Eric Garza) #14

Actually, I took another look at today’s errors, and it is slightly different at the end:

checkConnect(SecurityManager.java:1051) / connect(Socket.java:584) / connect(SSLSocketImpl.java:673) / connect(SetEnabledProtocolsSocket.java:125) / run(ConnectThread.java:146)', revision=24201)')

But everything else before that is the same.

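The two log entries quoted in this thread (sami's in #3 and the TLS variant Eric describes in #14) can be parsed to tell an in-process denial apart from an ordinary network failure. What follows is an added example, not code from the thread or from ReadonlyREST: a small Python log parser run over constructed sample lines modelled on those entries (placeholder addresses, straight quotes as Elasticsearch actually writes them, a hypothetical INFO line for contrast). The AccessControlException is raised by the JVM SecurityManager's checkConnect call, which runs before any socket is opened, so no packet leaves the host; that is consistent with the tcpdump observation in the first post and means a network-level probe of the LDAP server will look healthy while logins fail. The field names, the sample addresses and ports are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log text, modelled on the entries quoted in this thread.
# Hosts 10.0.0.1 / 10.0.0.2 are placeholders; the INFO line is hypothetical.
SAMPLE_LOG = """\
[2018-02-27T08:01:12,345][INFO ][t.b.r.a.ACL] login ok user=alice
[2018-02-27T09:14:03,110][ERROR][t.b.r.a.d.l.u.UnboundidAuthenticationLdapClient] LDAP getting user operation failed. LDAPSearchException: An error occurred while attempting to connect to server 10.0.0.1:3268: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server /10.0.0.1:3268: AccessControlException(message='access denied ("java.net.SocketPermission" "10.0.0.1:3268" "connect,resolve")', trace='checkPermission(AccessControlContext.java:472) / checkConnect(SecurityManager.java:1051) / connect(Socket.java:584) / run(ConnectThread.java:146)', revision=24201)')
[2018-02-27T09:14:05,200][ERROR][t.b.r.a.d.l.u.UnboundidAuthenticationLdapClient] LDAP getting user operation failed. LDAPSearchException: An error occurred while attempting to connect to server 10.0.0.2:636: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server /10.0.0.2:636: AccessControlException(message='access denied ("java.net.SocketPermission" "10.0.0.2:636" "connect,resolve")', trace='checkConnect(SecurityManager.java:1051) / connect(Socket.java:584) / connect(SSLSocketImpl.java:673) / connect(SetEnabledProtocolsSocket.java:125) / run(ConnectThread.java:146)', revision=24201)')
[2018-02-27T09:14:07,900][ERROR][t.b.r.a.d.l.u.UnboundidAuthenticationLdapClient] LDAP getting user operation failed. LDAPSearchException: An error occurred while attempting to connect to server 10.0.0.1:3268: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Connection refused')
"""

# Matches the ROR LDAP client error line and pulls out the target and LDAP result code.
LDAP_FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[ERROR\s*\]\[t\.b\.r\.a\.d\.l\.u\.UnboundidAuthenticationLdapClient\].*?"
    r"connect to server (?P<host>[^:\s]+):(?P<port>\d+).*?"
    r"resultCode=(?P<code>\d+)"
)
# Present only when the JVM sandbox (SecurityManager) refused the connect; the
# connection attempt never reaches the network in that case.
SOCKPERM_RE = re.compile(
    r'"java\.net\.SocketPermission" "(?P<target>[^"]+)" "(?P<actions>[^"]+)"'
)
# Eric's variant: the denial happens inside the TLS socket's connect path.
SSL_RE = re.compile(r"SSLSocketImpl\.java")


@dataclass
class LdapFailure:
    timestamp: str
    host: str
    port: int
    result_code: int
    sandbox_denied: bool            # True for the AccessControlException case
    permission_actions: Optional[str]  # e.g. "connect,resolve", None otherwise
    tls_socket: bool                # True when the trace goes through SSLSocketImpl


def parse_ldap_failures(log_text: str) -> List[LdapFailure]:
    """Extract one LdapFailure per matching ERROR line; other lines are ignored."""
    failures: List[LdapFailure] = []
    for line in log_text.splitlines():
        m = LDAP_FAIL_RE.search(line)
        if not m:
            continue
        perm = SOCKPERM_RE.search(line)
        failures.append(LdapFailure(
            timestamp=m.group("ts"),
            host=m.group("host"),
            port=int(m.group("port")),
            result_code=int(m.group("code")),
            sandbox_denied=perm is not None,
            permission_actions=perm.group("actions") if perm else None,
            tls_socket=SSL_RE.search(line) is not None,
        ))
    return failures


def summarize(failures: List[LdapFailure]) -> Dict[str, Dict[str, int]]:
    """Per LDAP server: total failures, sandbox denials, and TLS-path denials."""
    summary: Dict[str, Dict[str, int]] = {}
    for f in failures:
        entry = summary.setdefault(f"{f.host}:{f.port}",
                                   {"total": 0, "sandbox_denied": 0, "tls": 0})
        entry["total"] += 1
        if f.sandbox_denied:
            entry["sandbox_denied"] += 1
        if f.tls_socket:
            entry["tls"] += 1
    return summary


def servers_needing_restart(summary: Dict[str, Dict[str, int]]) -> List[str]:
    """Servers with at least one in-process denial: a reachability check will not
    catch these, and (per this thread) only a node restart cleared them."""
    return sorted(k for k, v in summary.items() if v["sandbox_denied"] > 0)


if __name__ == "__main__":
    s = summarize(parse_ldap_failures(SAMPLE_LOG))
    for server, counts in s.items():
        print(server, counts)
    print("restart candidates:", servers_needing_restart(s))
```

Run it against the real Elasticsearch log instead of `SAMPLE_LOG` to separate the two failure classes per backend, which also explains Eric's observation that one of two LDAP servers can stop working while the other keeps answering: the denial is tracked per target address, not per node.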

(Eric Garza) #15

Possibly the same as Issue #312.


(sami) #16

Hi again, this morning I’ve got the same error again; it just took more time than before the modification.


(Simone Scarduzio) #17

Guys, have you tried the builds I linked in #312?


(sami) #18

Sorry, I can’t try it now; the package seems to need ELK 6.2.1 or 6.2.2 and I’m still on 6.1.2.


(Simone Scarduzio) #19

No problem @slimsami, here you are:

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/build/1.16.17-pre2/readonlyrest-1.16.17-pre2_es6.1.2.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20180228/eu-west-1/s3/aws4_request&X-Amz-Date=20180228T164842Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=29be60eb1e81033fa5f661df1fe79daca353774535413b9256d6d2026928d7ca


(Eric Garza) #20

Hey @sscarduzio, I have updated ROR and things seem to be going well so far. I will keep an eye on it and see if any more errors occur. Thank you!