LDAP java security error

changi67 · February 12, 2018, 2:33pm

I’m getting some strenge java error logs on elasticsearch

[2018-02-12T15:26:01,492][ERROR][t.b.r.a.d.l.u.UnboundidAuthenticationLdapClient] LDAP getting user operation failed.  LDAPSearchException: An error occurred while attempting to connect to server :389:  java.io.IOException: LDAPException(resultCode=91 (connect er
ror), errorMessage='An error occurred while attempting to establish a connection to server 172.16.1.1:389:  AccessControlException(message='access denied ("java.net.SocketPermission" "172.16.1.1:389" "connect,resolve")', trace='checkPermission(AccessCo
ntrolContext.java:472) / checkPermission(AccessController.java:884) / checkPermission(SecurityManager.java:549) / checkConnect(SecurityManager.java:1051) / connect(Socket.java:584) / run(ConnectThread.java:146)', revision=24201)')
LDAPSearchException(resultCode=91 (connect error), numEntries=0, numReferences=0, errorMessage='An error occurred while attempting to connect to server xxx.com:389:  java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while 
attempting to establish a connection to server 172.16.1.1:389:  AccessControlException(message='access denied ("java.net.SocketPermission" "172.16.1.1:389" "connect,resolve")', trace='checkPermission(AccessControlContext.java:472) / checkPermission(Acc
essController.java:884) / checkPermission(SecurityManager.java:549) / checkConnect(SecurityManager.java:1051) / connect(Socket.java:584) / run(ConnectThread.java:146)', revision=24201)')')
        at com.unboundid.ldap.sdk.AbstractConnectionPool.processRequestsAsync(AbstractConnectionPool.java:2703)
        at tech.beshu.ror.acl.definitions.ldaps.unboundid.UnboundidBaseLdapClient.userById(UnboundidBaseLdapClient.java:57)
        at tech.beshu.ror.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient.authenticate(UnboundidAuthenticationLdapClient.java:58)
        at tech.beshu.ror.acl.definitions.ldaps.caching.AuthenticationLdapClientCacheDecorator.authenticate(AuthenticationLdapClientCacheDecorator.java:71)
        at tech.beshu.ror.acl.blocks.rules.impl.LdapAuthenticationAsyncRule.authenticate(LdapAuthenticationAsyncRule.java:45)
        at tech.beshu.ror.acl.blocks.rules.AsyncAuthentication.match(AsyncAuthentication.java:59)
        at tech.beshu.ror.acl.blocks.Block.lambda$checkAsyncRulesInSequence$4(Block.java:137)
        at tech.beshu.ror.utils.FuturesSequencer.runInSeqUntilConditionIsUndone(FuturesSequencer.java:52)
        at tech.beshu.ror.utils.FuturesSequencer.runInSeqUntilConditionIsUndone(FuturesSequencer.java:34)
        at tech.beshu.ror.acl.blocks.Block.checkAsyncRulesInSequence(Block.java:135)
        at tech.beshu.ror.acl.blocks.Block.checkAsyncRules(Block.java:125)
        at tech.beshu.ror.acl.blocks.Block.check(Block.java:111)
        at tech.beshu.ror.acl.ACL.lambda$doCheck$4(ACL.java:220)
        at tech.beshu.ror.utils.FuturesSequencer.runInSeqUntilConditionIsUndone(FuturesSequencer.java:52)
        at tech.beshu.ror.utils.FuturesSequencer.lambda$runInSeqUntilConditionIsUndone$2(FuturesSequencer.java:58)
        at java.util.concurrent.CompletableFuture.uniComposeStage(CompletableFuture.java:981)
        at java.util.concurrent.CompletableFuture.thenCompose(CompletableFuture.java:2124)
        at tech.beshu.ror.utils.FuturesSequencer.runInSeqUntilConditionIsUndone(FuturesSequencer.java:53)
        at tech.beshu.ror.utils.FuturesSequencer.runInSeqUntilConditionIsUndone(FuturesSequencer.java:41)
        at tech.beshu.ror.acl.ACL.doCheck(ACL.java:216)
        at tech.beshu.ror.acl.ACL.check(ACL.java:164)
        at tech.beshu.ror.es.IndexLevelActionFilter.handleRequest(IndexLevelActionFilter.java:153)
        at tech.beshu.ror.es.IndexLevelActionFilter.apply(IndexLevelActionFilter.java:128)
        at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165)
        at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:139)
        at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:81)
        at org.elasticsearch.client.node.NodeClient.executeLocally(NodeClient.java:83)
        at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:72)
        at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:405)
        at org.elasticsearch.action.ActionRequestBuilder.execute(ActionRequestBuilder.java:71)
        at org.elasticsearch.xpack.rest.action.RestXPackInfoAction.lambda$doPrepareRequest$0(RestXPackInfoAction.java:63)
        at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:97)
        at tech.beshu.ror.es.ReadonlyRestPlugin.lambda$null$3(ReadonlyRestPlugin.java:176)
        at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:240)
        at org.elasticsearch.rest.RestController.tryAllHandlers(RestController.java:336)
        at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:174)
        at org.elasticsearch.http.netty4.Netty4HttpServerTransport.dispatchRequest(Netty4HttpServerTransport.java:497)
        at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:80)
        at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at org.elasticsearch.http.netty4.pipelining.HttpPipeliningHandler.channelRead(HttpPipeliningHandler.java:68)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:310)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:284)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
        at java.lang.Thread.run(Thread.java:748)
Caused by: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server xxx.com:389:  java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server 172.16.1.1:389:  AccessControlException(message='access denied ("java.net.SocketPermission" "172.16.1.1:389" "connect,resolve")', trace='checkPermission(AccessControlContext.java:472) / checkPermission(AccessController.java:884) / checkPermission(SecurityManager.java:549) / checkConnect(SecurityManager.java:1051) / connect(Socket.java:584) / run(ConnectThread.java:146)', revision=24201)')')
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:870)
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760)
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710)
        at com.unboundid.ldap.sdk.LDAPConnection.<init>(LDAPConnection.java:534)
        at com.unboundid.ldap.sdk.SingleServerSet.getConnection(SingleServerSet.java:229)
        at com.unboundid.ldap.sdk.ServerSet.getConnection(ServerSet.java:98)
        at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1205)
        at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1178)
        at com.unboundid.ldap.sdk.LDAPConnectionPool.getConnection(LDAPConnectionPool.java:1706)
        at com.unboundid.ldap.sdk.AbstractConnectionPool.processRequestsAsync(AbstractConnectionPool.java:2698)
        ... 78 more
Caused by: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server 172.16.1.1:389:  AccessControlException(message='access denied ("java.net.SocketPermission" "172.16.1.1:389" "connect,resolve")', trace='checkPermission(AccessControlContext.java:472) / checkPermission(AccessController.java:884) / checkPermission(SecurityManager.java:549) / checkConnect(SecurityManager.java:1051) / connect(Socket.java:584) / run(ConnectThread.java:146)', revision=24201)')
        at sun.reflect.GeneratedConstructorAccessor40.newInstance(Unknown Source)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at com.unboundid.util.StaticUtils.createIOExceptionWithCause(StaticUtils.java:2524)
        at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:172)
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860)
        ... 87 more
Caused by: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server 172.16.1.1:389:  AccessControlException(message='access denied ("java.net.SocketPermission" "172.16.1.1:389" "connect,resolve")', trace='checkPermission(AccessControlContext.java:472) / checkPermission(AccessController.java:884) / checkPermission(SecurityManager.java:549) / checkConnect(SecurityManager.java:1051) / connect(Socket.java:584) / run(ConnectThread.java:146)', revision=24201)')
        at com.unboundid.ldap.sdk.ConnectThread.getConnectedSocket(ConnectThread.java:240)
        at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:161)
        ... 88 more
Caused by: java.security.AccessControlException: access denied ("java.net.SocketPermission" "172.16.1.1:389" "connect,resolve")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:884)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.SecurityManager.checkConnect(SecurityManager.java:1051)
        at java.net.Socket.connect(Socket.java:584)
        at com.unboundid.ldap.sdk.ConnectThread.run(ConnectThread.java:146)

Java policy are present, but elastic cannot connect to my ldap server.

Any idea ?

sscarduzio · February 13, 2018, 6:48pm

Hello JF!
I think I found the bug. Will publish a test build ASAP.

sscarduzio · February 15, 2018, 3:52pm

ROR 1.16.16 is released with this fix. Check it out and let me know if all is good!

sdba2 · March 15, 2018, 12:36pm

i’m using elastic 6.1.1 and ror 1.16.16

once i start working with kibana i get error :
ldapsearchexception(resultcode=91)…message='access denied…

i tried to :

set : cache_ttl_in_sec: 0
(in readonlyrest.yml file)
add line : permission java.net.SocketPermission “ad1:389”,“resolve, connect”;
(in file plugin-security,policy)

i search for 1.16.17 and couldn’t download it

please advice

sscarduzio · March 15, 2018, 5:43pm

1.16.17 is released now