java security exception when running ldap module

272 views
Skip to first unread message

Andreas Freudenreich

unread,
Mar 10, 2017, 7:25:15 PM3/10/17
to Search Guard
Hi,
I get errors like the following when adding ldap authentication/authorization to searchguard. Authentication works, but authorization does not:

[2017-03-10T16:02:28,327][WARN ][o.l.SearchOperation      ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@2735818d threw unexpected exception
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")

Here the startup logs:
[2017-03-10T15:32:18,699][INFO ][c.f.s.SearchGuardPlugin  ] FLS/DLS module not available
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation
[2017-03-10T15:32:18,753][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot(TM) 64-Bit Server VM
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64
[2017-03-10T15:32:18,754][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64
[2017-03-10T15:32:18,760][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers
...
[2017-03-10T15:32:18,803][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Config directory is /etc/elasticsearch/, from there the key- and truststore files are resolved relatively
[2017-03-10T15:32:19,303][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] HTTPS client auth mode OPTIONAL
[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] AES-256 not supported, max key length for AES is 128 bit.. That is not an issue, it just limits possible encryption strength. To enable AES 256 install 'Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files'
[2017-03-10T15:32:19,356][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportClientProvider:OPENSSL with ciphers
...
[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]
[2017-03-10T15:32:19,357][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService     ] [mynode] loaded module [aggs-matrix-stats]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService     ] [mynode] loaded module [ingest-common]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService     ] [mynode] loaded module [lang-expression]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService     ] [mynode] loaded module [lang-groovy]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService     ] [mynode] loaded module [lang-mustache]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService     ] [mynode] loaded module [lang-painless]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService     ] [mynode] loaded module [percolator]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService     ] [mynode] loaded module [reindex]
[2017-03-10T15:32:19,359][INFO ][o.e.p.PluginsService     ] [mynode] loaded module [transport-netty3]
[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService     ] [mynode] loaded module [transport-netty4]
[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService     ] [mynode] loaded plugin [search-guard-5]
[2017-03-10T15:32:19,360][INFO ][o.e.p.PluginsService     ] [mynode] loaded plugin [x-pack]
[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available
[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available
[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_121
[2017-03-10T15:32:22,402][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot(TM) 64-Bit Server VM
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64
[2017-03-10T15:32:22,403][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 3.10.0-514.6.1.el7.x86_64

[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]
[2017-03-10T15:32:22,478][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]
[2017-03-10T15:32:24,922][INFO ][c.f.s.c.ConfigurationModule] FLS/DLS valve not bound (noop)
[2017-03-10T15:32:24,923][INFO ][c.f.s.c.ConfigurationModule] Privileges interceptor not bound (noop)
[2017-03-10T15:32:24,924][INFO ][c.f.s.a.AuditLogModule   ] Auditlog not available
[2017-03-10T15:32:26,411][INFO ][o.e.n.Node               ] [mynode] initialized
[2017-03-10T15:32:26,411][INFO ][o.e.n.Node               ] [mynode] starting ...
[2017-03-10T15:32:27,195][INFO ][o.e.t.TransportService   ] [mynode] publish_address {10.93.37.135:9300}, bound_addresses {127.0.0.1:9300}, {10.93.37.135:9300}
[2017-03-10T15:32:27,200][INFO ][o.e.b.BootstrapCheck     ] [mynode] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks
[2017-03-10T15:32:27,205][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Check if searchguard index exists ...
[2017-03-10T15:32:27,211][DEBUG][o.e.a.a.i.e.i.TransportIndicesExistsAction] [mynode] no known master node, scheduling a retry
[2017-03-10T15:32:31,030][INFO ][o.e.c.s.ClusterService   ] [mynode] detected_master
...
[2017-03-10T15:32:33,398][INFO ][o.e.h.HttpServer         ] [mynode] publish_address {10.93.37.135:9200}, bound_addresses {127.0.0.1:9200}, {10.93.37.135:9200}
[2017-03-10T15:32:33,398][INFO ][o.e.n.Node               ] [mynode] started
[2017-03-10T15:32:33,462][INFO ][c.f.s.a.c.TransportConfigUpdateAction] [mynode] Node 'mynode' initialized
[2017-03-10T15:32:38,797][WARN ][o.l.SearchOperation      ] org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@5b45e788 threw unexpected exception
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")

We are using ES 5.1.1-1 and the ldap backend module 5.0-7 (we have an education license).

Thanks for any hints,
Andreas

SG

unread,
Mar 13, 2017, 1:19:56 PM3/13/17
to search...@googlegroups.com
Just to makes things clear:
- You use SG ES 5.1.1-11 (not ES 5.1.1-1) right?
- Did you get the exception during startup? If yes, does it prevent the node from properly starting up?
- Pls. share you sg_config.yml
> --
> You received this message because you are subscribed to the Google Groups "Search Guard" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/2a778a6e-91aa-4571-9c39-744ac4c37858%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Search Guard

unread,
Mar 13, 2017, 1:42:50 PM3/13/17
to Search Guard

Andreas Freudenreich

unread,
Mar 15, 2017, 12:19:04 AM3/15/17
to search...@googlegroups.com
Yes, we use SG 5.1.1-11 (with ES 5.1.1-1)
The exception happens during startup, but the node starts up afterwards. Non-LDAP authentication still works.
I'll share the configuration during the next days (currently OOO).
You received this message because you are subscribed to a topic in the Google Groups "Search Guard" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/BCo7OXboqD4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

Andreas Freudenreich

unread,
Mar 15, 2017, 12:20:37 AM3/15/17
to search...@googlegroups.com
version 5.0.8 results in the same error - I'll see if I can get some debug logs within the next few days.
--
You received this message because you are subscribed to a topic in the Google Groups "Search Guard" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/BCo7OXboqD4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to search-guard...@googlegroups.com.
To post to this group, send email to search...@googlegroups.com.

Andreas Freudenreich

unread,
Mar 17, 2017, 11:53:47 PM3/17/17
to Search Guard
Sorry - I had tested versions 5.06 and 5.07, but not 5.08 yet - will get back to you when done.

Andreas Freudenreich

unread,
Mar 20, 2017, 3:37:55 PM3/20/17
to Search Guard
Hi,
I have installed the linked 5.0.8 version and it gets past the java error now - thanks!
.
Authorization fails, though, with another error:

[2017-03-20T12:30:31,302][WARN ][o.l.r.SearchReferralHandler] Could not follow referral to ldap://DomainDnsZones.ourdomain.ca/DC=DomainDnsZones,DC=our,DC=domain,DC=ca
org.ldaptive.LdapException: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1^@]; remaining name 'DC=DomainDnsZones,DC=our,DC=domain,DC=ca'

Current authz configuration:
    authz:
      roles_from_myldap:
        enabled: true
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap # NOT FREE FOR COMMERCIAL USE
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - ead-sdcp10.ourdomain.ca:389
            bind_dn: 'CN=AS-svcuser,OU=ServiceAccounts,OU=ES,OU=SERVICES,DC=our,DC=domain,DC=ca'
            password: 'our_pw'
            rolebase: 'OU=role,OU=groups,OU=ES,OU=SERVICES,DC=our,DC=domain,DC=ca'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(uniqueMember={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: member
            # Roles as an attribute of the user entry
            userrolename: memberOf
            # The attribute in a role entry containing the name of that role
            rolename: distinguishedName
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: 'DC=our,DC=domain,DC=ca'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(samaccountname={0})'

I can perform an ldapsearch successfully with the same bind credentials.


Thanks for any hints,
Andreas
On Monday, 13 March 2017 10:42:50 UTC-7, Search Guard wrote:

Search Guard

unread,
Mar 22, 2017, 11:53:04 AM3/22/17
to Search Guard

Andreas Freudenreich

unread,
Mar 22, 2017, 5:27:23 PM3/22/17
to search...@googlegroups.com, Search Guard
Hi,
After applying this version I get following in the logs - and elasticsearch shuts down:

[2017-03-22T13:56:48,036][WARN ][c.f.s.h.SearchGuardHttpServerTransport] [ela-coordprd01] caught exception while handling client http traffic, closing connection [id: 0x4bc3e24e, L:/10.93.37.135:9200 - R:/
137.82.5.97:38770]
com.google.common.util.concurrent.ExecutionError: java.lang.ExceptionInInitializerError
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2205) ~[?:?]
at com.google.common.cache.LocalCache.get(LocalCache.java:3953) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4790) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:481) ~[?:?]
at com.floragunn.searchguard.filter.SearchGuardRestFilter.process(SearchGuardRestFilter.java:99) ~[?:?]
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:310) ~[elasticsearch-5.1.1.jar:5.1.1]
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:203) ~[elasticsearch-5.1.1.jar:5.1.1]
at org.elasticsearch.http.HttpServer.dispatchRequest(HttpServer.java:113) ~[elasticsearch-5.1.1.jar:5.1.1]
at org.elasticsearch.http.netty4.Netty4HttpServerTransport.dispatchRequest(Netty4HttpServerTransport.java:507) ~[transport-netty4-client-5.1.1.jar:5.1.1]
at com.floragunn.searchguard.ssl.http.netty.SearchGuardSSLNettyHttpServerTransport.dispatchRequest(SearchGuardSSLNettyHttpServerTransport.java:120) ~[search-guard-ssl-5.1.1-20.jar:5.1.1-20]
at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:69) ~[transport-netty4-client-5.1.1.jar:5.1.1]
at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) ~[netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at org.elasticsearch.http.netty4.pipelining.HttpPipeliningHandler.channelRead(HttpPipeliningHandler.java:66) [transport-netty4-client-5.1.1.jar:5.1.1]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:111) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:293) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:267) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1069) [netty-handler-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:902) [netty-handler-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) [netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:651) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:536) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:490) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:450) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:873) [netty-common-4.1.6.Final.jar:4.1.6.Final]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]
Caused by: java.lang.ExceptionInInitializerError
at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:187) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.<init>(LDAPConnection.java:534) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.getConnection(LDAPAuthorizationBackend.java:140) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate0(LDAPAuthenticationBackend.java:90) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.access$000(LDAPAuthenticationBackend.java:44) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:74) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:71) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:71) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:487) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:481) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4793) ~[?:?]
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[?:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[?:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[?:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[?:?]
... 58 more
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "*" "read,write")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_121]
at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_121]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_121]
at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1262) ~[?:1.8.0_121]
at java.lang.System.getProperties(System.java:630) ~[?:1.8.0_121]
at com.unboundid.util.Debug.<clinit>(Debug.java:166) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:187) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.<init>(LDAPConnection.java:534) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.getConnection(LDAPAuthorizationBackend.java:140) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate0(LDAPAuthenticationBackend.java:90) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.access$000(LDAPAuthenticationBackend.java:44) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:74) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:71) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:71) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:487) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:481) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4793) ~[?:?]
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[?:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[?:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[?:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[?:?]
... 58 more
[2017-03-22T13:56:48,037][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [ela-coordprd01] fatal error in thread [Thread-6], exiting
com.google.common.util.concurrent.ExecutionError: java.lang.ExceptionInInitializerError
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2205) ~[?:?]
at com.google.common.cache.LocalCache.get(LocalCache.java:3953) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4790) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:481) ~[?:?]
at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:69) ~[?:?]
at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at org.elasticsearch.http.netty4.pipelining.HttpPipeliningHandler.channelRead(HttpPipeliningHandler.java:66) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) ~[?:?]
at io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:111) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:293) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:267) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1069) ~[?:?]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:902) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) ~[?:?]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[?:?]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) ~[?:?]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:651) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:536) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:490) ~[?:?]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:450) ~[?:?]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:873) ~[?:?]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]
Caused by: java.lang.ExceptionInInitializerError
at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:187) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.<init>(LDAPConnection.java:534) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.getConnection(LDAPAuthorizationBackend.java:140) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate0(LDAPAuthenticationBackend.java:90) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.access$000(LDAPAuthenticationBackend.java:44) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:74) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:71) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:71) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:487) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:481) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4793) ~[?:?]
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[?:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[?:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[?:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[?:?]
... 58 more
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "*" "read,write")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_121]
at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_121]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_121]
at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1262) ~[?:1.8.0_121]
at java.lang.System.getProperties(System.java:630) ~[?:1.8.0_121]
at com.unboundid.util.Debug.<clinit>(Debug.java:166) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:187) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnection.<init>(LDAPConnection.java:534) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.getConnection(LDAPAuthorizationBackend.java:140) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate0(LDAPAuthenticationBackend.java:90) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.access$000(LDAPAuthenticationBackend.java:44) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:74) ~[?:?]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend$1.run(LDAPAuthenticationBackend.java:71) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:71) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:487) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry$6.call(BackendRegistry.java:481) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4793) ~[?:?]
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542) ~[?:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323) ~[?:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[?:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[?:?]
... 58 more

Thanks,
Andreas
--
You received this message because you are subscribed to a topic in the Google Groups "Search Guard" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/BCo7OXboqD4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to search-guard...@googlegroups.com.
To post to this group, send email to search...@googlegroups.com.

SG

unread,
Mar 23, 2017, 3:59:53 AM3/23/17
to search...@googlegroups.com
Ok, seems there is no quick win solution here :-(

Can you provide details about your LDAP server and setup?

- LDAP vendor and version (i assume AD?), how many ldap servers/replicas?
- Setup regarding bind_dn and referrals -> "Could not follow referral to ldap://DomainDnsZones.ourdomain.ca/DC=DomainDnsZones,DC=our,DC=domain,DC=ca"

Would be great if you can help us tracking this down because currently i cannot reproduce it. Thx.
> You received this message because you are subscribed to the Google Groups "Search Guard" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/8065e858-179a-4fdc-96b3-51b9d864d3d0%40me.com.

Andreas Freudenreich

unread,
Mar 24, 2017, 1:58:59 PM3/24/17
to search...@googlegroups.com, search...@googlegroups.com
Hi,

After some investigation we figured out what the issue was:
The ldap exception regarding the referrals was only a warning, but wasn't actually related to the issue.
We found that setting "rolename" to "dn" populated the roles array for a user. We had it set to a different value on our test system before - and it worked there (the test system used the ldap module version 5.0.6), but not on the production system (using 5.08 you provided).

We are now investigating the next issue - i.e. authorization works, but only if the mapped role has access to all indices ('*'). Setting it to any subset does not work (the same index pattern is set up in Kibana).

If we cannot get this working I'll open another email thread.

Thanks a lot for your help on this issue.
Andreas
Reply all
Reply to author
Forward
0 new messages