I am using Elastic v6.2.1 and the ROR ES/Kibana Pro plugins v1.16.16.
My organization allows a total of three failed login attempts before an account is locked out, which then requires a request to our IT team to unlock the account. When looking at the Elasticsearch logs during a failed login attempt I see the following:
It looks like it is making multiple requests per failed login which increases the failed login attempts by two when it is really only a single attempt. This is further complicated when there are multiple DCs configured to process these (a single failed login results in 4 failed requests which automatically results in a locked out account).
I tried setting connection_timeout_in_sec and request_timeout_in_sec to 0 in an attempt to force the connection to close immediately but this did not seem to help.
Is there a way to force a login to only make a single request either per DC or per DC “group”?
I’m not sure if this is actually related to the cache at all. It seems more like some sort of retry logic or something is causing multiple failed LDAP login attempts when it should only be one. This probably isn’t a big deal if there is no lockout policy in place, but if there is it can be quite frustrating.
I’m starting to see this in our logs too, and although I’m able to log in, it’s not authenticating the user as part of the groups that allow access to the ror/dev console pages.
The error in the logs is:
LDAP authenticate operation failed: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
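
To measure the amplification described in this thread (one failed login producing several failed binds), the following is an added example, not part of the original posts or of ReadonlyREST. It decodes the Active Directory `data` sub-code from lines like the one above and counts bad-password binds per login attempt. The `timestamp user= dc=` prefix, the 5-second clustering window, and the sample lines are assumptions constructed for illustration; the lockout threshold of 3 is taken from the first post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# AD sub-codes carried in the "data" field of an AcceptSecurityContext error.
AD_SUBCODES = {"525": "user not found", "52e": "invalid credentials",
               "532": "password expired", "533": "account disabled",
               "775": "account locked out"}

# Constructed sample lines. The "timestamp user= dc=" prefix is an assumed
# format; only the LDAP error text itself matches the thread.
ERR = ("LDAP authenticate operation failed: 80090308: LdapErr: DSID-0C09042F, "
       "comment: AcceptSecurityContext error, data {code}, v2580")
SAMPLE_LOG = [
    "2018-03-01T10:00:00 user=alice dc=dc1 " + ERR.format(code="52e"),
    "2018-03-01T10:00:00 user=alice dc=dc1 " + ERR.format(code="52e"),
    "2018-03-01T10:00:01 user=alice dc=dc2 " + ERR.format(code="52e"),
    "2018-03-01T10:00:01 user=alice dc=dc2 " + ERR.format(code="52e"),
    "2018-03-01T10:05:00 user=bob dc=dc1 " + ERR.format(code="52e"),
    "2018-03-01T10:20:00 user=bob dc=dc1 " + ERR.format(code="52e"),
]

LINE_RE = re.compile(r"^(\S+) user=(\S+) dc=(\S+) .*AcceptSecurityContext error, "
                     r"data ([0-9a-fA-F]+),")

def parse(line):
    """Return (timestamp, user, dc, subcode, meaning) for a bind failure, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, dc, code = m.groups()
    code = code.lower()
    return datetime.fromisoformat(ts), user, dc, code, AD_SUBCODES.get(code, "unknown")

def summarize(lines, lockout_threshold=3, window=timedelta(seconds=5)):
    """Count bad-password binds per user and cluster them into login attempts."""
    by_user = defaultdict(list)
    for event in filter(None, map(parse, lines)):
        if event[3] == "52e":  # this example counts only invalid-credential binds
            by_user[event[1]].append(event[0])
    report = {}
    for user, stamps in by_user.items():
        stamps.sort()
        # A new login attempt starts when the gap to the previous bind exceeds the window.
        attempts = 1 + sum(1 for a, b in zip(stamps, stamps[1:]) if b - a > window)
        # Assumes all binds fall inside the directory's lockout observation window.
        report[user] = {"binds": len(stamps), "attempts": attempts,
                        "binds_per_attempt": len(stamps) / attempts,
                        "reaches_lockout": len(stamps) >= lockout_threshold}
    return report
```

A `binds_per_attempt` value above 1 for a user means a single login is being counted more than once against the lockout policy.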