SearchGuard Active Directory Not able to sync user


Vikash Singh

Jul 13, 2017, 4:53:24 AM
to Search Guard
Hi,

I have followed the document step by step. I am using the latest Elasticsearch version with the latest Search Guard. I have configured sg_config.yml, but when I restarted Elasticsearch it is not giving any logs about whether Active Directory is connected or not; also, I am not getting any logs to know what error I am having.

Please find the details here:

searchguard_demo.log
sg_config.yml

Jochen Kressin

Jul 13, 2017, 4:56:38 AM
to Search Guard

Vikash Singh

Jul 13, 2017, 5:01:11 AM
to Search Guard
I have put dlic-search-guard-authbackend-ldap-5.0-7-jar-with-dependencies.jar in /usr/share/elasticsearch/plugins/search-guard-5 and restarted Elasticsearch.

I am using version 5.5.0 of Elasticsearch with Search Guard version 5.5.0-14. Please guide me on where I went wrong.

Vikash Singh

Jul 13, 2017, 5:25:45 AM
to Search Guard
Is this a version issue?

Jochen Kressin

Jul 13, 2017, 5:29:32 AM
to Search Guard
The LDAP module is either not installed or not configured. If the module is active, you will see a message like this in the logfile during startup:

*************************************
Searchguard LDAP is not free software
for commercial use in production.
You have to obtain a license if you
use it in production.
*************************************

* Check that the jar file is placed correctly and is readable by the ES process. 
* Make sure to update your changed sg_config via sgadmin

Vikash Singh

Jul 13, 2017, 5:49:58 AM
to Search Guard
If I remove the jar file from the folder, I get this error:

[2017-07-13T09:47:55,464][ERROR][c.f.s.a.BackendRegistry  ] Unable to initialize AuthorizationBackend java.lang.ClassNotFoundException: com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend due to roles_from_myldap
[2017-07-13T09:47:55,465][ERROR][c.f.s.a.BackendRegistry  ] Unable to initialize auth domain java.lang.ClassNotFoundException: com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend due to ldap

It means the jar file is being loaded by Elasticsearch, but when I put the jar file there I can't get any information on whether it is connected to AD or not.

This is the jar version: dlic-search-guard-authbackend-ldap-5.0-7-jar-with-dependencies.jar

Vikash Singh

Jul 13, 2017, 5:52:41 AM
to Search Guard
But I am getting this in the log file when I restart Elasticsearch:

### LICENSE NOTICE Search Guard ###

If you use one or more of the following features in production
make sure you have a valid Search Guard license

* Kibana Multitenancy
* LDAP authentication/authorization
* Active Directory authentication/authorization
* REST Management API
* JSON Web Token (JWT) authentication/authorization
* Kerberos authentication/authorization
* Document- and Fieldlevel Security (DLS/FLS)
* Auditlogging

In case of any doubt mail to <sa...@floragunn.com>
###################################

Jochen Kressin

Jul 13, 2017, 6:19:53 AM
to Search Guard
Yes, that's the general license information we print out. I think the error is due to a misconfiguration in sg_config.

You have set the "challenge" flag to false in the ldap authentication domain (which comes first with order set to 1), and have set the challenge flag to true for the basic_internal_auth_domain (which comes second with order set to 4).

This means that the LDAP module expects pre-authenticated requests, and will not challenge the user for credentials when they are missing. Thus, the Basic Authentication popup is triggered by the basic_internal_auth_domain, not the LDAP one, which means that in your case LDAP is skipped.

If you keep the order of the authenticators as it is now, set the challenge flag to true for LDAP, and set it to false for basic_internal_auth_domain. That should work.

Vikash Singh

Jul 13, 2017, 6:39:37 AM
to Search Guard
After the changes in sg_config.yml (challenge flag set to true for ldap and false everywhere in the file), I ran the ./sgadmin_demo.sh command to update the changes.

After that, if I look at the logs, I get nothing related to Active Directory. Please guide me on how to trace this error.

SearchGuardError.png

Jochen Kressin

Jul 13, 2017, 6:43:08 AM
to Search Guard
If you're using debs or rpms, then you probably won't see the license information, since stdout is probably not redirected.
However, with the changed config, what happens now when you try to login? Also you can set the log level to debug by adding:

logger.fg.name = com.floragunn
logger.fg.level = debug

In log4j2.properties

Vikash Singh

Jul 13, 2017, 6:55:11 AM
to search...@googlegroups.com
Sorry, but after enabling Search Guard in debug mode I am also not able to trace anything related to Active Directory. Can you please confirm whether we have tested with the latest version of Elasticsearch and Search Guard?

Since I don't even trigger anything related to Active Directory. I am sure the configuration was fine.

--

Best Regards

VikashSingh
Bizrunttime ITServices

Vikash Singh

Jul 13, 2017, 6:55:38 AM
to Search Guard

Vikash Singh

Jul 13, 2017, 7:49:43 AM
to Search Guard
I have also tried with the tar version of Elasticsearch (elasticsearch-5.5.0), but I am still getting the same error.

Please guide me on how to solve this.

Vikash Singh

Jul 13, 2017, 8:19:10 AM
to Search Guard
How do I know whether the module is installed or not? If I remove the .jar it gives me an exception, so please suggest an idea for how to make the AD integration a success.

Vikash Singh

Jul 13, 2017, 9:37:05 AM
to Search Guard
Now I am getting this message on the console:

*************************************
Searchguard LDAP is not free software
for commercial use in production.
You have to obtain a license if you
use it in production.
*************************************


But I tested with _searchguard/api/configuration/internalusers, and I can't see our AD user there.

Can you please guide me on how to view the user?

Jochen Kressin

Jul 13, 2017, 3:40:14 PM
to Search Guard
Ok, good, that means the module is loaded and the config is picked up. Of course you don't see LDAP users in the internal user database since these are two completely different things, see also here: https://groups.google.com/forum/#!topic/search-guard/-Ba7Gz74Iwk

You don't see or manage LDAP users in Search Guard directly, and there's no syncing involved of any kind. The whole point of LDAP is to have one central place to administer users and groups.
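
The checks this thread used to tell whether the LDAP module is loaded (the ClassNotFoundException lines, the startup banner, and the jar being readable by the ES process), collected into an added shell example that is not part of the original posts or of Search Guard's own tooling. The function names and the two path arguments are hypothetical; the match patterns are the log lines quoted in the posts above.

```shell
#!/bin/sh
# Added example (not from the thread): triage of the Search Guard LDAP module.
# The two patterns are the log lines quoted in the posts above.

# Print "loaded", "missing" or "unknown"; the last match in the log wins,
# so an old error from before the jar was installed does not mask the banner.
sg_ldap_module_state() {
    awk '
        /ClassNotFoundException: com\.floragunn\.dlic\.auth\.ldap\./ { state = "missing" }
        /Searchguard LDAP is not free software/ { state = "loaded" }
        END { print (state == "" ? "unknown" : state) }
    ' "$1"
}

# Print the first LDAP backend jar in the plugin directory that the current
# user can read; return 1 if there is none. Run this as the Elasticsearch user.
sg_find_ldap_jar() {
    for jar in "$1"/dlic-search-guard-authbackend-ldap-*.jar; do
        if [ -f "$jar" ] && [ -r "$jar" ]; then
            printf '%s\n' "$jar"
            return 0
        fi
    done
    return 1
}

# Combine both checks into a one-line diagnosis.
# usage: sg_ldap_triage <logfile> <plugin_dir>
sg_ldap_triage() {
    state=$(sg_ldap_module_state "$1")
    if jar=$(sg_find_ldap_jar "$2"); then
        jar_msg="readable jar: $jar"
    else
        jar_msg="no readable LDAP jar in $2"
    fi
    case "$state" in
        loaded)  echo "LDAP module loaded; $jar_msg" ;;
        missing) echo "sg_config uses LDAP classes that are not on the classpath; $jar_msg" ;;
        *)       echo "no evidence in this log (the banner may only be on stdout); $jar_msg" ;;
    esac
}

# Run directly: sh triage.sh <logfile> <plugin_dir>
if [ "$#" -eq 2 ]; then
    sg_ldap_triage "$1" "$2"
fi
```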