LDAP Auth: After change user password not authorized

Hi guys,

We are using ES and Kibana 7.4.2 with RoR plugins [1.19.1 for elastic] and [1.19.3 for kibana], with a configured LDAP connector:
- name: "LDAP Primary Secure"
  host: "<host.domain>"
  port: 636
  ssl_enabled: true
  ssl_trust_all_certs: true
  bind_dn: "<bind_dn path>"
  bind_password: "<bind_dn pass>"
  search_user_base_DN: "OU=Accounts,DC=domain,DC=com"
  user_id_attribute: "sAMAccountName"
  search_groups_base_DN: ""
  unique_member_attribute: "member"
  connection_pool_size: 80
  connection_timeout_in_sec: 20
  request_timeout_in_sec: 15
  cache_ttl_in_sec: 80
  group_name_attribute: "cn"

The issue is: when a user changes his password, he cannot log in to Kibana unless he deletes the cookies in the browser. I believe it’s not an issue with the connector itself; it should be more related to the Kibana plugin. Can you please provide some advice on this issue?

Hi Damir,

Thanks for reporting this.

If you are an Enterprise user, please send me a direct message and I will flag your user name so your support request gets the right priority.

In the meantime, can you detail a bit more the use case? i.e.

  1. log in Kibana with password1
  2. change LDAP password to password2
  3. logout from Kibana
  4. Attempt to login again using password2 (what error message do you see in the browser, or in Elasticsearch log?)
  5. Attempt to login again using password1 (does it succeed?)

Hi Simone,

I’m sorry for the delay; here is the message in the browser after the mentioned actions:
{"statusCode":400,"error":"Bad Request","message":"[undefined] Forbidden., with { due_to={ 0="OPERATION_NOT_ALLOWED" } } :: {"path":"/.kibana/_search","query":{"size":1000,"from":0,"rest_total_hits_as_int":true},"body":"{\"seq_no_primary_term\":true,\"query\":{\"bool\":{\"filter\":[{\"bool\":{\"should\":[{\"bool\":{\"must\":[{\"term\":{\"type\":\"space\"}}],\"must_not\":[{\"exists\":{\"field\":\"namespace\"}}]}}],\"minimum_should_match\":1}}]}},\"sort\":[{\"space.name.keyword\":{\"unmapped_type\":\"keyword\"}}]}","statusCode":401,"response":"{\"error\":{\"root_cause\":[{\"reason\":\"Forbidden. \",\"due_to\":[\"OPERATION_NOT_ALLOWED\"]}],\"reason\":\"Forbidden.\",\"due_to\":[\"OPERATION_NOT_ALLOWED\"],\"status\":401}}","wwwAuthenticateDirective":"Basic"}"}

And login is possible only after clearing the cookies.

OK now we delete the ror cookie every time someone presses “submit”, so we go to POST /login with a clean slate. Will hand you the build privately.