[SUPPORT|kbn_pro] Forbidden error after the LDAP password change

Support request

Hey, we’re using LDAP to authenticate to Kibana. We started experiencing weird behaviour after migrating our 6.x ELK to 7.x: after an LDAP password change, you get the forbidden error when trying to open Kibana. Clearing the cookies & cache solves the issue and redirects you properly to the login page. The issue persists after upgrading everything to 8.x:

Dec 01 13:23:32 laaskb002d1vteo kibana[1855]: [13:23:32:443] [error][plugins][ReadonlyREST][esClient] ES Authorization error: 403 Error: ES Authorization error: 403
Dec 01 13:23:32 laaskb002d1vteo kibana[1855]: at l.e (/usr/share/kibana/plugins/readonlyrestkbn/proxy/core/esClient.js:1:17932)
Dec 01 13:23:32 laaskb002d1vteo kibana[1855]: at l.e (/usr/share/kibana/plugins/readonlyrestkbn/proxy/core/esClient.js:1:5483)
Dec 01 13:23:32 laaskb002d1vteo kibana[1855]: at tryCatch (/usr/share/kibana/plugins/readonlyrestkbn/node_modules/regenerator-runtime/runtime.js:45:40)
Dec 01 13:23:32 laaskb002d1vteo kibana[1855]: at Generator.invoke [as _invoke] (/usr/share/kibana/plugins/readonlyrestkbn/node_modules/regenerator-runtime/runtime.js:274:22)
Dec 01 13:23:32 laaskb002d1vteo kibana[1855]: at Generator.prototype.<computed> [as next] (/usr/share/kibana/plugins/readonlyrestkbn/node_modules/regenerator-runtime/runtime.js:97:21)
Dec 01 13:23:32 laaskb002d1vteo kibana[1855]: at asyncGeneratorStep (/usr/share/kibana/plugins/readonlyrestkbn/node_modules/@babel/runtime/helpers/asyncToGenerator.js:3:24)
Dec 01 13:23:32 laaskb002d1vteo kibana[1855]: at _next (/usr/share/kibana/plugins/readonlyrestkbn/node_modules/@babel/runtime/helpers/asyncToGenerator.js:25:9)
Dec 01 13:23:32 laaskb002d1vteo kibana[1855]: at processTicksAndRejections (node:internal/process/task_queues:95:5)
Dec 01 13:23:32 laaskb002d1vteo kibana[1855]: [13:23:32:445] [info][plugins][ReadonlyREST][authorizationHeadersValidation] Could not revalidate the session against ES: + WRONG_CREDENTIALS

RoR LDAP config:

  ldaps:
    - name: adform
      ssl_trust_all_certs: true
      bind_dn: ...
      bind_password: ...
      search_user_base_DN: ...
      search_groups_base_DN: ...
      user_id_attribute: ...
      unique_member_attribute: '...'
      group_search_filter: (objectClass=group)
      connection_pool_size: 10
      connection_timeout_in_sec: 15
      request_timeout_in_sec: 15
      cache_ttl_in_sec: 60
      servers:
        - "ldaps://....com:636"

Is it expected?

ROR Version: 1.54.0

Kibana Version: 8.10.4

Elasticsearch Version: 8.10.4


{"customer_id": "a2d8a38b-1070-4845-aa8e-6f38fb585857", "subscription_id": "c6f3569d-3d8e-46ce-ac53-92f19301b69e"}
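A triage helper for the log excerpt in the support request above, added here as an example (it is not part of the original post or of ReadonlyREST): it separates 403s that are followed by the "Could not revalidate the session ... WRONG_CREDENTIALS" message from 403s that are not. The sample lines are constructed from the quoted format with a placeholder hostname; the one-second pairing window, the label names and the function names are assumptions.

```python
import re

# Constructed sample, shaped like the journal lines quoted in the post
# (hostname replaced with a placeholder).
SAMPLE = """\
Dec 01 13:23:32 kbn-host kibana[1855]: [13:23:32:443] [error][plugins][ReadonlyREST][esClient] ES Authorization error: 403 Error: ES Authorization error: 403
Dec 01 13:23:32 kbn-host kibana[1855]:     at l.e (/usr/share/kibana/plugins/readonlyrestkbn/proxy/core/esClient.js:1:17932)
Dec 01 13:23:32 kbn-host kibana[1855]: [13:23:32:445] [info][plugins][ReadonlyREST][authorizationHeadersValidation] Could not revalidate the session against ES: + WRONG_CREDENTIALS
Dec 01 13:25:10 kbn-host kibana[1855]: [13:25:10:101] [error][plugins][ReadonlyREST][esClient] ES Authorization error: 403 Error: ES Authorization error: 403
"""

# One ReadonlyREST event line; stack-trace continuation lines do not match.
EVENT = re.compile(
    r"^(?P<day>\w{3} +\d+) [\d:]{8} \S+ kibana\[(?P<pid>\d+)\]: "
    r"\[(?P<ts>(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d):(?P<ms>\d{3}))\] "
    r"\[\w+\]\[plugins\]\[ReadonlyREST\]\[(?P<component>\w+)\] (?P<msg>.*)$"
)

def parse(line):
    """Return a dict for an event line, or None for any other line."""
    m = EVENT.match(line)
    if not m:
        return None
    t = ((int(m["h"]) * 60 + int(m["m"])) * 60 + int(m["s"])) * 1000 + int(m["ms"])
    return {"day": m["day"], "pid": m["pid"], "ts": m["ts"], "t": t,
            "component": m["component"], "msg": m["msg"]}

def classify_403s(text, window_ms=1000):
    """Label each esClient 403 by whether a revalidation failure follows it."""
    events = [e for e in map(parse, text.splitlines()) if e]
    failures = [e for e in events
                if e["component"] == "authorizationHeadersValidation"
                and "Could not revalidate the session" in e["msg"]
                and "WRONG_CREDENTIALS" in e["msg"]]
    results = []
    for e in events:
        if e["component"] != "esClient" or "ES Authorization error: 403" not in e["msg"]:
            continue
        # Assumption: same day, same Kibana PID, failure logged within window_ms.
        paired = any(f["day"] == e["day"] and f["pid"] == e["pid"]
                     and 0 <= f["t"] - e["t"] <= window_ms for f in failures)
        label = "session_revalidation_failed" if paired else "other_403"
        results.append((f'{e["day"]} {e["ts"]}', label))
    return results

if __name__ == "__main__":
    for when, label in classify_403s(SAMPLE):
        print(when, label)
```
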

Could you please set the ROR Kibana log level to trace, reproduce the issue, and show us the Kibana logs?