LDAP certificate issue


Rob Fuller

May 5, 2017, 10:06:34 AM
to Search Guard
Hi,

Searchguard is cool. Thanks.

Have it working great with basic auth, and now beginning to test kerberos + ldap.

Does "unable to find valid certification path to requested target" mean anything to anyone here?

The exception occurs during setup of the connection to the ldap server (TLSv1) using the 2.4-7 backend, after TLSv1 protocol has been agreed.

[2017-05-05 11:31:40,119][DEBUG][com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend] Unable to connect to ldapserver due to [org.ldaptive.provider.ConnectionException@329752164::resultCode=PROTOCOL_ERROR, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.CommunicationException: redacted.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Is there any way to configure the searchguard ldap authorization section to accept the certificate without verification? Or any suggestions of another solution?

Yes, I understand a license is required for the ldap and kerberos backends.

Thanks again,
Rob.

SG

May 5, 2017, 10:18:21 AM
to search...@googlegroups.com
Can you provide your elasticsearch.yml and sg_config.yml?

Rob Fuller

May 8, 2017, 3:09:37 AM
to Search Guard
Thanks @SG

I was able to replicate the problem in ldapsearch now, so let me follow up first with the AD team. Essentially we are having the problem described in this stackoverflow thread:

The workaround for ldapsearch, as answered on stackoverflow, is to include this line in the ldap.conf file:
TLS_REQCERT ALLOW

From what I can see, there is no corresponding setting for searchguard ldap configuration?

Thanks again,
Rob.
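An added example, not from this thread or from the Search Guard project, of what a practitioner would do instead of the TLS_REQCERT ALLOW workaround discussed above. "PKIX path building failed" means the JVM could not chain the certificate presented on port 636 to any CA in its truststore; ALLOW makes ldapsearch accept any certificate, so anyone who can intercept the path to the AD server can present their own and read the bind credentials. The fix is to find out which CA issued the AD certificate and trust that CA. The host and port are the ones from the first post; the truststore path, alias and store password are placeholders, and which truststore Search Guard 2.4-7 consults for LDAP connections is an assumption to check against the documentation for your version (the transport truststore in elasticsearch.yml is the usual candidate). The s_client output in sample_dump is constructed for this example, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the thread or from Search Guard): diagnose
# "PKIX path building failed" against an LDAPS endpoint and fix it by
# trusting the issuing CA rather than disabling verification.

LDAP_HOST="${LDAP_HOST:-redacted.example.com}"           # host from the post
LDAP_PORT="${LDAP_PORT:-636}"
TRUSTSTORE="${TRUSTSTORE:-/etc/elasticsearch/truststore.jks}"  # assumed path
STOREPASS="${STOREPASS:-changeit}"                       # placeholder

# 1. Dump the chain the server actually presents. The "Verify return code"
#    line says the same thing the JVM does: 20 = an issuer in the chain is
#    not in the local store, 21 = the server sent only the leaf and its
#    issuer is unknown, 18/19 = a self-signed certificate is in the chain.
dump_chain() {
    openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -showcerts </dev/null 2>/dev/null
}

# 2. Split a -showcerts dump into one PEM file per certificate, in the order
#    the server sent them (cert-0.pem is the leaf, the last file is the
#    deepest issuer the server included). Prints how many were written.
split_chain() {
    dump="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert-%d.pem", dir, n); n++; inblock = 1 }
        inblock                       { print > f }
        /-----END CERTIFICATE-----/   { inblock = 0; close(f) }
        END                           { print n + 0 }
    ' "$dump"
}

# 3. Print subject and issuer of each certificate. If the last file is not
#    self-signed (subject differs from issuer) the server did not send its
#    root: ask the AD team for the root CA certificate and import that one,
#    never the leaf, so renewals of the server certificate keep working.
describe_chain() {
    for c in "$1"/cert-*.pem; do
        printf '%s\n' "$c"
        openssl x509 -in "$c" -noout -subject -issuer
    done
}

# 4. Import the CA into the truststore the JVM uses, then confirm the leaf
#    verifies against it. After this no TLS_REQCERT-style bypass is needed.
import_ca() {
    ca="$1"; leaf="$2"
    keytool -importcert -trustcacerts -noprompt -alias ad-root-ca \
        -file "$ca" -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
    openssl verify -CAfile "$ca" "$leaf"    # expect "<leaf>: OK"
}

# Constructed sample of s_client -showcerts output (PEM bodies are
# placeholders), used to exercise split_chain offline.
sample_dump() {
    cat <<'EOF'
---
Certificate chain
 0 s:CN = redacted.example.com
   i:CN = Example AD Issuing CA
-----BEGIN CERTIFICATE-----
MIIC...constructed-leaf-placeholder...
-----END CERTIFICATE-----
 1 s:CN = Example AD Issuing CA
   i:CN = Example AD Root CA
-----BEGIN CERTIFICATE-----
MIIC...constructed-issuer-placeholder...
-----END CERTIFICATE-----
---
Verify return code: 20 (unable to get local issuer certificate)
EOF
}

# Usage against a real server:
#   dump_chain > chain.txt
#   split_chain chain.txt ./chain        # prints 2 for the sample above
#   describe_chain ./chain
#   import_ca ./ad-root-ca.pem ./chain/cert-0.pem
```

Once the CA is in the truststore, repeat the ldapsearch test with TLS_REQCERT left at its default (demand) against the same CA file via TLS_CACERT; if ldapsearch verifies and Search Guard still fails, the two are reading different trust stores.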