LDAP (Group based) Login resulting in 401

Trying to login with ldap users in the appropriate group results in a 401 error

Config

- name: "::Test::"
  ldap_auth:
    name: "ldap1"
    groups: ["MyGroup"]
    cache_ttl_in_sec: 60
  indices: ["prefix*"]
  verbosity: info
  kibana_access: ro
  kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]

Error

[2018-12-28T10:47:07,044][INFO ][t.b.r.a.ACL ] [es-node-master] ^[[35mFORBIDDEN by default req={ ID:1949392666-1663171321#15557, TYP:RRAdminRequest, CGR:N/A, USR:ldap.useraccount(?), BRS:false, KDX:null, ACT:cluster:admin/rradmin/refreshsettings, OA:127.0.0.1, DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:{authorization=<OMITTED>, Connection=close, content-length=0, Host=localhost:9200}, HIS:[::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::RO::->[auth_key->false]], [::RW::->[auth_key->false]], [::ADMIN::->[auth_key->false]], [::WEBSITE SEARCH BOX::->[indices->true, actions->false]] } ^[[0m

Did some log digging, turns out the rule block is never added hence why it doesn’t appear in the list of failed authentications.

This seems caused by a java policy problem

Caused by: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server ldapipaddress:389: IOException(LDAPException(resultCode=91 (connect error), errorMessage=‘An error occurred while attempting to establish a connection to server /ldapipaddress:389: AccessControlException(access denied (“java.net.SocketPermission” “ldapipaddress:389” “connect,resolve”)), ldapSDKVersion=4.0.9, revision=29290’))

I tried implementing the solution found in

No love, continuing my investigation

NOTICE THE QUOTES IN PLAY HERE

That was the problem to be clear

“ != "

@Woodsmen can you please edit your posts and use the “</>” icon from the message composer toolbar? So the code would format properly. This way we remove all this guess work with shape of quotes!

1 Like