# LDAP authentication_backend.config excerpt (Search Guard LDAP module).
# enable_ssl=false means the initial connection is plain ldap://; with
# enable_start_tls=true the StartTLS upgrade is requested on that
# plaintext connection.
# NOTE(review): the ldap://ldapserver:636 read timeout in the log below is
# consistent with speaking plaintext to a port that expects TLS from the
# first byte — confirm which port the server offers StartTLS on.
config:
  enable_ssl: false
  enable_start_tls: true
[2017-07-21T09:40:49,946][DEBUG][c.f.d.a.l.b.LDAPAuthorizationBackend] enabled ssl/tls protocols for ldaps [TLSv1.1, TLSv1.2]
[2017-07-21T09:40:49,955][DEBUG][o.l.p.j.NamingExceptionUtils] naming exception class javax.naming.NamingException is ambiguous, maps to multiple result codes: [OPERATIONS_ERROR, ALIAS_PROBLEM, ALIAS_DEREFERENCING_PROBLEM, LOOP_DETECT, AFFECTS_MULTIPLE_DSAS, OTHER]
[2017-07-21T09:40:49,955][DEBUG][o.l.p.j.JndiStartTLSConnectionFactory] Error connecting to LDAP URL: ldap://ldapserver:636
org.ldaptive.provider.ConnectionException: javax.naming.NamingException: LDAP response read timed out, timeout used:-1ms.
...
Caused by: javax.naming.NamingException: LDAP response read timed out, timeout used:-1ms.
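# LDAP authentication_backend.config excerpt (Search Guard LDAP module).
# The author's "<=====" marker was part of the value ("true <====="
# parses as a string, not a boolean); it is kept as a trailing comment.
# With enable_ssl=true the URL becomes ldaps:// (see the log below), so the
# server certificate must chain to a CA in the configured truststore — the
# PKIX "unable to find valid certification path" error below means it does
# not. Keeping enable_start_tls=true on an ldaps:// session additionally
# appears to trigger "TLS or SSL already in effect" once the handshake
# succeeds (see the 16:44:38 log further down).
config:
  enable_ssl: true  # <=====
  enable_start_tls: true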
[2017-07-21T09:51:07,095][DEBUG][c.f.d.a.l.b.LDAPAuthorizationBackend] enabled ssl/tls protocols for ldaps [TLSv1.1, TLSv1.2]
...
[2017-07-21T09:51:07,161][DEBUG][o.l.p.j.JndiStartTLSConnectionFactory] Error connecting to LDAP URL: ldaps://ldapserver:636
org.ldaptive.provider.ConnectionException: javax.naming.CommunicationException: ldapserver:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
...
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) ~[?:?]
######## Start Search Guard Demo Configuration ########
# elasticsearch.yml excerpt written by the Search Guard demo installer.
# The demo keystore/truststore are for evaluation, not production.
searchguard.ssl.transport.keystore_filepath: keystore.jks
searchguard.ssl.transport.truststore_filepath: truststore.jks
# Node certificates are checked for trust but not for the host name they
# were issued to; acceptable for the demo only.
searchguard.ssl.transport.enforce_hostname_verification: false
# TLS on the REST layer; the same demo keystore/truststore are reused.
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: keystore.jks
searchguard.ssl.http.truststore_filepath: truststore.jks
# Client certificates with this subject DN get admin rights (demo "kirk" cert).
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de
cluster.name: searchguard_demo
# Binds every interface; only expose the node with HTTP TLS and
# authentication (above) in place.
network.host: 0.0.0.0
######## End Search Guard Demo Configuration ########
[2017-07-24T16:44:38,570][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from http basic
[2017-07-24T16:44:38,570][DEBUG][c.f.s.a.BackendRegistry ] User 'eperpetuo' is in cache? false (cache size: 1)
[2017-07-24T16:44:38,570][DEBUG][c.f.s.a.BackendRegistry ] eperpetuo not cached, return from ldap backend directly
[2017-07-24T16:44:38,573][DEBUG][c.f.d.a.l.b.LDAPAuthorizationBackend] enabled ssl/tls protocols for ldaps [TLSv1.1, TLSv1.2]
[2017-07-24T16:44:38,574][DEBUG][c.f.d.a.l.b.LDAPAuthorizationBackend] bindDn cn=XXXXX,ou=XXXXX,ou=XXXXX,o=XXXXX,c=XXXXX, password ****
[2017-07-24T16:44:38,785][DEBUG][o.l.p.j.NamingExceptionUtils] naming exception class javax.naming.NamingException is ambiguous, maps to multiple result codes: [OPERATIONS_ERROR, ALIAS_PROBLEM, ALIAS_DEREFERENCING_PROBLEM, LOOP_DETECT, AFFECTS_MULTIPLE_DSAS, OTHER]
[2017-07-24T16:44:38,785][DEBUG][o.l.p.j.JndiStartTLSConnectionFactory] Error connecting to LDAP URL: ldaps://ldapserver:636
org.ldaptive.provider.ConnectionException: javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090DE6, comment: TLS or SSL already in effect, data 0, v1771]; remaining name ''
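# LDAP authentication_backend.config excerpt (Search Guard LDAP module).
# The author's "<====" markers were part of the values ("true <====" parses
# as a string, not a boolean); they are kept as trailing comments.
# Both flags on: the connection is ldaps:// and StartTLS is then requested
# on the already-encrypted session, which the server rejects with
# "TLS or SSL already in effect" (log above). Use one or the other.
config:
  enable_ssl: true  # <====
  enable_start_tls: true  # <====
  enable_ssl_client_auth: true
  # Hostname verification is off: any certificate that chains to the
  # truststore is accepted regardless of the host it was issued for.
  verify_hostnames: false
  hosts:
    - ldapserver:636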
[2017-07-21T09:40:49,955][DEBUG][o.l.p.j.JndiStartTLSConnectionFactory] Error connecting to LDAP URL: ldap://ldapserver:636
org.ldaptive.provider.ConnectionException: javax.naming.NamingException: LDAP response read timed out, timeout used:-1ms.
[2017-07-24T16:56:23,862][DEBUG][o.l.p.j.JndiConnectionFactory] Error connecting to LDAP URL: ldaps://ldapserver:636
org.ldaptive.provider.ConnectionException: javax.naming.CommunicationException: ldapserver:636 [Root exception is javax.net.ssl.SSLHandshakeException: Server chose TLSv1, but that protocol version is not enabled or not supported by the client.]
at org.ldaptive.provider.jndi.JndiConnectionFactory.createInternal(JndiConnectionFactory.java:88) ~[dlic-search-guard-authbackend-ldap-5.0-7-jar-with-dependencies.jar:?]
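# LDAP authentication_backend.config excerpt (Search Guard LDAP module).
# The bare "..." ellipsis is the YAML document-end marker and would cut the
# mapping short; it is written as a comment here.
config:
  # ... (other settings unchanged)
  # TLSv1 is listed because the server selected it (log above: "Server
  # chose TLSv1, but that protocol version is not enabled"). TLSv1 is
  # deprecated; treat this as a stop-gap and prefer raising the server's
  # minimum protocol version, then drop "TLSv1" from this list.
  enabled_ssl_protocols:
    - "TLSv1"
    - "TLSv1.1"
    - "TLSv1.2"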
{"user":"User [name=admin, roles=[]]","user_name":"admin","user_requested_tenant":null,"remote_address":"[::1]:56885","sg_roles":["sg_all_access","sg_own_index","sg_public"],"sg_tenants":{"test_tenant_ro":true,"admin":true,"adm_tenant":true},"principal":null,"peer_certificates":"0"}
# kibana.yml excerpt: Kibana -> Elasticsearch connection and Search Guard
# cookie settings.
# The URL of the Elasticsearch instance to use for all your queries.
elasticsearch.url: "https://localhost:9200"
# Server-certificate validation is disabled for the Kibana -> ES link, so
# TLS gives confidentiality but no server identity check; set to
# "certificate"/"full" with the CA in the trust store for production.
elasticsearch.ssl.verificationMode: none
# Demo service-account credentials stored in clear text in this file.
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
# Secret used to protect the Search Guard session cookie (redacted here).
searchguard.cookie.password: "XXXXXX"
# Cookie is sent only over HTTPS, so Kibana itself must be served over TLS.
searchguard.cookie.secure: true
######## Start Search Guard Demo Configuration ########
# elasticsearch.yml excerpt written by the Search Guard demo installer.
# The demo keystore/truststore are for evaluation, not production.
searchguard.ssl.transport.keystore_filepath: keystore.jks
searchguard.ssl.transport.truststore_filepath: truststore.jks
# Node certificates are checked for trust but not for the host name they
# were issued to; acceptable for the demo only.
searchguard.ssl.transport.enforce_hostname_verification: false
# TLS on the REST layer; the same demo keystore/truststore are reused.
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: keystore.jks
searchguard.ssl.http.truststore_filepath: truststore.jks
# Client certificates with this subject DN get admin rights (demo "kirk" cert).
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de
cluster.name: searchguard_demo
######## End Search Guard Demo Configuration ########
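# sg_config.yml: Search Guard dynamic authentication/authorization settings.
# Indentation is restored to the structure the keys imply, and the
# kibana_auth_domain authenticator "type" (split across two lines in the
# original) is written as one key/value like the other domains.
searchguard:
  dynamic:
    kibana:
      # Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
      # see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md
      # To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki
      #multitenancy_enabled: true
      #server_username: kibanaserver
      #index: '.kibana'
      #do_not_fail_on_forbidden: false
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        # Only proxies matching this pattern may set the remote-IP header;
        # the '.*' alternatives below would let any peer spoof its source
        # address, so keep the pattern narrow if XFF is enabled.
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
        #trustedProxies: '.*' # trust all external proxies, regex pattern
        ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
        ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
        ###### and here https://tools.ietf.org/html/rfc7239
        ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
    authc:
      # 'order' presumably sets the sequence in which domains are consulted
      # (lowest first) — verify against the Search Guard docs.
      kibana_auth_domain:
        enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      basic_internal_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      ldap:
        enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            # ldaps:// from the first byte. StartTLS stays off: requesting it
            # on an already-encrypted session fails with "TLS or SSL already
            # in effect" (see the 16:44:38 log above).
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: true
            # Hostname verification is off: any certificate that chains to
            # the truststore is accepted regardless of the host it was
            # issued for. Re-enable once the LDAP server certificate
            # carries the right name.
            verify_hostnames: false
            hosts:
              - XXXXXX:636
            bind_dn: cn=XXXXXX,ou=XXXXXX,ou=XXXXXX,o=XXXXXX,c=XXXXXX
            # Bind password is stored in clear text in this file: restrict
            # file permissions and keep it out of version control.
            password: XXXXXX
            userbase: 'o=XXXXXX,c=XXXXXX'
            usersearch: '(cn={0})'
            username_attribute: cn
            # TLSv1 is listed only because the server negotiates it (see the
            # "Server chose TLSv1" log above). TLSv1 is deprecated; prefer
            # raising the server's minimum version and removing it here.
            enabled_ssl_protocols:
              - "TLSv1"
              - "TLSv1.1"
              - "TLSv1.2"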
# Role mapping excerpt: users listed here receive sg_all_access, which by
# its name is the broadest role (the admin user carries it in the JSON
# above). Confirm its permissions in the roles file before mapping
# additional LDAP users such as eperpetuo to it.
sg_all_access:
  users:
    - admin
    - eperpetuo