LDAP - wrong password and immediate lock in AD


I’m using AD, and my AD admin told me that 3 consecutive failed tries will lock me out in AD.
When I run a single “curl” command with a wrong password, I can see 6 rows in the Elastic log:

[error][t.b.r.a.d.l.u.unboundidauthenticationldapclient] ldap authenticate operation failed: ldaperr dsid-…

and I am immediately locked.

Why does one command try to authenticate a couple of times?
Can I configure somewhere that one command will make only one authentication attempt?


(Simone Scarduzio) #2

@sdba2 This is a known issue: the LDAP connector only caches correct credentials.
Fortunately, this has a fix in the current master branch. Would you like to be the first one to test it? In that case please tell me the ES version you are using.


I’m using ES 6.1.1 and ROR 1.16.17.

(Simone Scarduzio) #4

OK, try this please: https://readonlyrest-data.s3-eu-west-1.amazonaws.com/tmp/readonlyrest-1.16.18-pre1_es6.1.1.zip


Hi there,

We are now using version 1.16.27 and facing the same issue as with 1.16.17.
We have some users who were locked in Active Directory after 1 failed login to Kibana (using ROR).
Though I tried only one time to log in, I see that the log contains 10 entries from the same hour:
[error][t.b.r.a.d.l.u.unboundidauthenticationldapclient] ldap authenticate operation failed: ldaperr dsid-…

After that my user was locked.
Is there a parameter which I can set in one of the configuration files so ROR will send only one authentication request to Active Directory?

Thanks.

(Simone Scarduzio) #6

@sdba2 Have you enabled caching?


If I do Ctrl+Shift+I and then go to the Network tab, I see the “disable cache” checkbox is not set. That means that cache is enabled, am I right?

(Simone Scarduzio) #8

I mean the LDAP cache in the readonlyrest.yml YAML settings. I.e. cache_ttl_in_sec in the docs.


I’ve just checked, this parameter is set to 0.

(Simone Scarduzio) #10

Set it to a sensible value, i.e. 300.


OK, how does this setting affect the product and the way it behaves against Active Directory?

(Simone Scarduzio) #12

We keep an internal in-memory cache in the LDAP connector; the credentials are checked against the cache before reaching out to the LDAP server.

The credentials are never stored in clear though, they’re hashed.


Looks fine now, thanks a lot.
I see only one failed entry in the Elastic log now.
So just to confirm, when I set the parameter to 300, it means that only after 5 minutes will ROR automatically send another request to Active Directory?

(Simone Scarduzio) #14

Yes, that’s correct. We cache both valid and invalid credentials in an LRU cache which is limited in time (5 min in your case) and space (some thousands of entries).