LDAP Auth: After change user password not authorized

Damir · August 23, 2020, 9:27pm

Hi guys,

We are using ES and Kibana 7.4.2 with RoR plugins [1.19.1 for elastic] and [1.19.3 for kibana], with confiured LDAP connector:
<…>
- name: “LDAP Primary Secure”
host: “<host.domain>”
port: 636
ssl_enabled: true
ssl_trust_all_certs: true
bind_dn: “<bind_dn path>”
bind_password: “<bind_dn pass>”
search_user_base_DN: “OU=Accounts,DC=domain,DC=com”
user_id_attribute: “sAMAccountName”
search_groups_base_DN: “”
unique_member_attribute: “member”
connection_pool_size: 80
connection_timeout_in_sec: 20
request_timeout_in_sec: 15
cache_ttl_in_sec: 80
group_name_attribute: “cn”

The issue is - when user changing password, he cannot login to kibana, unless he delete cookies in browser. I believe it’s not the issue with the connector itself, it should be more related with kibana plugin. Can you please provide some advise on this issue?

sscarduzio · August 25, 2020, 12:09pm

Hi Damir,

Thanks for reporting this.

If you are a Enterprise user, please send me a direct message and I will flag your user name so your support request gets the right priority.

In the meantime, can you detail a bit more the use case? i.e.

log in Kibana with password1
change LDAP password to password2
logout from Kibana
Attempt to login again using password2 (what error message do you see in the browser, or in Elasticsearch log?)
Attempt to login again using password1 (does it succeed?)

Damir · October 13, 2020, 9:04pm

Hi Simone,

I’m sorry for delay, here is the message in browser after mentioned actions:
{“statusCode”:400,“error”:“Bad Request”,“message”:"[undefined] Forbidden., with { due_to={ 0=“OPERATION_NOT_ALLOWED” } } :: {“path”:"/.kibana/_search",“query”:{“size”:1000,“from”:0,“rest_total_hits_as_int”:true},“body”:"{\“seq_no_primary_term\”:true,\“query\”:{\“bool\”:{\“filter\”:[{\“bool\”:{\“should\”:[{\“bool\”:{\“must\”:[{\“term\”:{\“type\”:\“space\”}}],\“must_not\”:[{\“exists\”:{\“field\”:\“namespace\”}}]}}],\“minimum_should_match\”:1}}]}},\“sort\”:[{\“space.name.keyword\”:{\“unmapped_type\”:\“keyword\”}}]}",“statusCode”:401,“response”:"{\“error\”:{\“root_cause\”:[{\“reason\”:\“Forbidden. \”,\“due_to\”:[\“OPERATION_NOT_ALLOWED\”]}],\“reason\”:\“Forbidden.\”,\“due_to\”:[\“OPERATION_NOT_ALLOWED\”],\“status\”:401}}",“wwwAuthenticateDirective”:“Basic”}"}

And the login is possible only after clear the cookies.

sscarduzio · October 14, 2020, 2:15pm

OK now we delete the ror cookie every time someone presses “submit”, so we go to POST /login with a clean slate. Will hand you the build privately.