Trying to login with ldap users in the appropriate group results in a 401 error
Config
    - name: "::Test::"
      ldap_auth:
        name: "ldap1"
        groups: ["MyGroup"]
        cache_ttl_in_sec: 60
      indices: ["prefix*"]
      verbosity: info
      kibana_access: ro
      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]
Error
[2018-12-28T10:47:07,044][INFO ][t.b.r.a.ACL ] [es-node-master] FORBIDDEN by default req={ ID:1949392666-1663171321#15557, TYP:RRAdminRequest, CGR:N/A, USR:ldap.useraccount(?), BRS:false, KDX:null, ACT:cluster:admin/rradmin/refreshsettings, OA:127.0.0.1, DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:{authorization=<OMITTED>, Connection=close, content-length=0, Host=localhost:9200}, HIS:[::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::RO::->[auth_key->false]], [::RW::->[auth_key->false]], [::ADMIN::->[auth_key->false]], [::WEBSITE SEARCH BOX::->[indices->true, actions->false]] }
Did some log digging; it turns out the rule block is never added, which is why it doesn't appear in the list of failed authentications.
This seems to be caused by a Java policy problem:
Caused by: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server ldapipaddress:389: IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server /ldapipaddress:389: AccessControlException(access denied ("java.net.SocketPermission" "ldapipaddress:389" "connect,resolve")), ldapSDKVersion=4.0.9, revision=29290'))
I tried implementing the solution found in
No love; continuing my investigation.
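For readers hitting the same AccessControlException: the stack trace names exactly the permission the Java security manager refused, a java.net.SocketPermission on the LDAP host and port with the "connect,resolve" actions. As an added illustration (not part of the original post, and not a confirmed fix for this plugin), this is the Java policy grant syntax that would correspond to the permission in the error; the host "ldapipaddress" is the placeholder the poster used, and which policy file Elasticsearch actually loads for this plugin is not established by the post.

```java
// Added example, not from the original post: a Java security policy grant
// matching the permission named in the AccessControlException above.
// Syntax per the Java policy file format; "ldapipaddress" is the poster's
// placeholder for the real LDAP server address.
grant {
    // Allow resolving the LDAP host name and opening a TCP connection to port 389.
    permission java.net.SocketPermission "ldapipaddress:389", "connect,resolve";
};
```

Granting only the specific host and port, rather than a wildcard such as "*", keeps the plugin's network reach limited to the directory server it actually needs.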