Help with LDAP authentication


simon....@gmail.com

Jun 26, 2015, 3:51:13 AM
to search...@googlegroups.com
Hello, I'm trying to authenticate my users.

Here's part of my config in the elasticsearch.yml :

searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.ldap.LDAPAuthenticationBackend
searchguard.authentication.authentication_backend.cache.enable: false
searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator
searchguard.authentication.authorizer.cache.enable: false
searchguard.authentication.ldap.host: ["ldap-server.host"]
searchguard.authentication.ldap.ldaps.ssl.enabled: true
searchguard.authentication.ldap.ldaps.starttls.enabled: false
searchguard.authentication.ldap.bind_dn: cn=user,dc=my,dc=ldap.host
searchguard.authentication.ldap.password: userpass
searchguard.authentication.ldap.userbase: ou=users,dc=my,dc=ldap.host
searchguard.authentication.ldap.usersearch: (uid={0})
searchguard.authentication.ldap.username_attribute: cn
searchguard.authentication.authorization.ldap.rolebase: ou=groups,dc=my,dc=ldap.host
searchguard.authentication.authorization.ldap.rolesearch: (memberUid={0})
searchguard.authentication.authorization.ldap.userroleattribute: null
searchguard.authentication.authorization.ldap.userrolename: memberOf
searchguard.authentication.authorization.ldap.rolename: cn
searchguard.authentication.authorization.ldap.resolve_nested_roles: false

Here's the curl trace:

curl -u simon -v -XGET 'http://myes-searchguard:9200/_cluster/health?pretty=true'
Enter host password for user 'simo1234':

*   Trying 192.168.200.213... connected
* Server auth using Basic with user 'simon'
> GET /_cluster/health?pretty=true HTTP/1.1
> Authorization: Basic c2ltbzEyMzQ6QWRtaW4xMjMt
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Accept: */*
>
< HTTP/1.1 500 Internal Server Error
< Content-Type: application/json; charset=UTF-8
< Content-Length: 114
<
{
  "error" : "AuthException[java.lang.NullPointerException]; nested: NullPointerException; ",
  "status" : 500
}
* Closing connection #0
 

And here's the node trace:


[2015-06-26 09:49:18,696][ERROR][com.floragunn.searchguard.authentication.backend.ldap.LDAPAuthenticationBackend] java.lang.NullPointerException
java.lang.NullPointerException
        at java.io.File.<init>(File.java:277)
        at com.floragunn.searchguard.authorization.ldap.LDAPAuthorizator.getConnection(LDAPAuthorizator.java:84)
        at com.floragunn.searchguard.authentication.backend.ldap.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:61)
        at com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator.authenticate(HTTPBasicAuthenticator.java:77)
        at com.floragunn.searchguard.rest.AbstractACRestFilter.process(AbstractACRestFilter.java:178)
        at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:283)
        at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:180)
        at org.elasticsearch.http.HttpServer.internalDispatchRequest(HttpServer.java:121)
        at org.elasticsearch.http.HttpServer$Dispatcher.dispatchRequest(HttpServer.java:83)
        at org.elasticsearch.http.netty.NettyHttpServerTransport.dispatchRequest(NettyHttpServerTransport.java:327)
        at org.elasticsearch.http.netty.HttpRequestHandler.messageReceived(HttpRequestHandler.java:63)
        at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
        at org.elasticsearch.http.netty.pipelining.HttpPipeliningHandler.messageReceived(HttpPipeliningHandler.java:60)
        at org.elasticsearch.common.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:88)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
        at org.elasticsearch.common.netty.handler.codec.http.HttpChunkAggregator.messageReceived(HttpChunkAggregator.java:145)
        at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
        at org.elasticsearch.common.netty.handler.codec.http.HttpContentDecoder.messageReceived(HttpContentDecoder.java:108)
        at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
        at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:296)
        at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:459)
        at org.elasticsearch.common.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:536)
        at org.elasticsearch.common.netty.handler.codec.replay.ReplayingDecoder.messageReceived(ReplayingDecoder.java:435)
        at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
        at org.elasticsearch.common.netty.OpenChannelsHandler.handleUpstream(OpenChannelsHandler.java:74)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
        at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:268)
        at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:255)
        at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
        at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
        at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
        at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
        at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
        at org.elasticsearch.common.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
        at org.elasticsearch.common.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
[2015-06-26 09:49:18,724][ERROR][com.floragunn.searchguard.rest.DefaultRestFilter] com.floragunn.searchguard.authentication.AuthException: java.lang.NullPointerException
com.floragunn.searchguard.authentication.AuthException: java.lang.NullPointerException
        at com.floragunn.searchguard.authentication.backend.ldap.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:108)
        at com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator.authenticate(HTTPBasicAuthenticator.java:77)
        at com.floragunn.searchguard.rest.AbstractACRestFilter.process(AbstractACRestFilter.java:178)
        at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:283)
        at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:180)
        at org.elasticsearch.http.HttpServer.internalDispatchRequest(HttpServer.java:121)
        at org.elasticsearch.http.HttpServer$Dispatcher.dispatchRequest(HttpServer.java:83)
        at org.elasticsearch.http.netty.NettyHttpServerTransport.dispatchRequest(NettyHttpServerTransport.java:327)
        at org.elasticsearch.http.netty.HttpRequestHandler.messageReceived(HttpRequestHandler.java:63)
        at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
        at org.elasticsearch.http.netty.pipelining.HttpPipeliningHandler.messageReceived(HttpPipeliningHandler.java:60)
        at org.elasticsearch.common.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:88)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
        at org.elasticsearch.common.netty.handler.codec.http.HttpChunkAggregator.messageReceived(HttpChunkAggregator.java:145)
        at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
        at org.elasticsearch.common.netty.handler.codec.http.HttpContentDecoder.messageReceived(HttpContentDecoder.java:108)
        at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
        at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:296)
        at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:459)
        at org.elasticsearch.common.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:536)
        at org.elasticsearch.common.netty.handler.codec.replay.ReplayingDecoder.messageReceived(ReplayingDecoder.java:435)
        at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
        at org.elasticsearch.common.netty.OpenChannelsHandler.handleUpstream(OpenChannelsHandler.java:74)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
        at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:268)
        at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:255)
        at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
        at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
        at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
        at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
        at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
        at org.elasticsearch.common.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
        at org.elasticsearch.common.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
        at java.io.File.<init>(File.java:277)
        at com.floragunn.searchguard.authorization.ldap.LDAPAuthorizator.getConnection(LDAPAuthorizator.java:84)
        at com.floragunn.searchguard.authentication.backend.ldap.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:61)
        ... 45 more

 
Am I configuring something wrong?

Thank you very much!







SG

Jun 26, 2015, 4:17:48 AM
to search...@googlegroups.com
The reason is that you have enabled SSL (searchguard.authentication.ldap.ldaps.ssl.enabled) but not provided key files.

searchguard.authentication.ldap.ldaps.truststore_filepath: /path/to/trustfile

(I have to admit that the error message is lousy, will fix this)
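An added example, not part of the thread or of Search Guard's own code: a small pre-flight check for the misconfiguration diagnosed above, where ldaps.ssl.enabled is true but no truststore_filepath is set. It uses only the setting names quoted in this thread; applying the same rule to starttls.enabled, and the function names, are assumptions of this example.

```python
import os

PREFIX = "searchguard.authentication.ldap.ldaps."
TRUSTSTORE_KEY = PREFIX + "truststore_filepath"
# Assumption: STARTTLS needs the truststore just as LDAPS does.
TLS_SWITCHES = (PREFIX + "ssl.enabled", PREFIX + "starttls.enabled")


def parse_flat_settings(text):
    """Parse flat 'dotted.key: value' lines as used in the post's elasticsearch.yml."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def check_ldaps_truststore(settings, exists=os.path.isfile):
    """Return a list of findings; an empty list means the TLS settings are consistent."""
    enabled = [k for k in TLS_SWITCHES if settings.get(k, "false").lower() == "true"]
    if not enabled:
        return []  # plain LDAP: no truststore is needed
    path = settings.get(TRUSTSTORE_KEY, "")
    if not path or path.lower() == "null":
        return ["%s is true but %s is not set" % (enabled[0], TRUSTSTORE_KEY)]
    if not exists(path):
        return ["%s points to a missing file: %s" % (TRUSTSTORE_KEY, path)]
    return []


# Constructed sample: the TLS-related lines from the post, before and after the fix.
BROKEN = """
searchguard.authentication.ldap.host: ["ldap-server.host"]
searchguard.authentication.ldap.ldaps.ssl.enabled: true
searchguard.authentication.ldap.ldaps.starttls.enabled: false
"""
FIXED = BROKEN + TRUSTSTORE_KEY + ": /path/to/trustfile\n"

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        findings = check_ldaps_truststore(parse_flat_settings(text))
        print(name, findings or "ok")
```

Run against the real elasticsearch.yml before restarting the node; the "fixed" sample still reports a missing file until /path/to/trustfile is replaced with an existing truststore.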

simon....@gmail.com

Jun 26, 2015, 9:31:45 AM
to search...@googlegroups.com
That works tremendously great! Thank you.

Ijaz Ahmad

Mar 7, 2016, 8:41:08 AM
to Search Guard
Hi, I have an Elasticsearch setup with Kibana and the Search Guard plugin. I wonder how you have mapped LDAP groups to Elasticsearch roles.

Alfred88

Mar 9, 2016, 8:25:59 PM
to Search Guard
Hi Simon,

May I know what SG version you use?
I am wondering if SG 2.2 can also use your config instead of using the sgconfig file.

Thanks,
alfred