Authentication Failure

I used OpenLDAP as my Active Directory and configured it as below. But still authentication fails.

    [2021-05-07T07:10:54,673][INFO ][stdout ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] [FINE] No subscribers registered for event class com.amazon.opendistroforelasticsearch.security.securityconf.DynamicConfigFactory$NodesDnModelImpl

    [2021-05-07T07:10:54,674][INFO ][stdout ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] [FINE] No subscribers registered for event class org.greenrobot.eventbus.NoSubscriberEvent

    [2021-05-07T07:10:54,678][INFO ][c.a.o.s.a.i.AuditLogImpl ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] Auditing on REST API is enabled.

    [2021-05-07T07:10:54,682][INFO ][c.a.o.s.a.i.AuditLogImpl ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] [AUTHENTICATED, GRANTED_PRIVILEGES] are excluded from REST API auditing.

    [2021-05-07T07:10:54,682][INFO ][c.a.o.s.a.i.AuditLogImpl ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] Auditing on Transport API is enabled.

    [2021-05-07T07:10:54,683][INFO ][c.a.o.s.a.i.AuditLogImpl ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] [AUTHENTICATED, GRANTED_PRIVILEGES] are excluded from Transport API auditing.

    [2021-05-07T07:10:54,683][INFO ][c.a.o.s.a.i.AuditLogImpl ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] Auditing of request body is enabled.

    [2021-05-07T07:10:54,683][INFO ][c.a.o.s.a.i.AuditLogImpl ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] Bulk requests resolution is disabled during request auditing.

    [2021-05-07T07:10:54,683][INFO ][c.a.o.s.a.i.AuditLogImpl ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] Index resolution is enabled during request auditing.

    [2021-05-07T07:10:54,683][INFO ][c.a.o.s.a.i.AuditLogImpl ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] Sensitive headers auditing is enabled.

    [2021-05-07T07:10:54,684][INFO ][c.a.o.s.a.i.AuditLogImpl ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] Auditing requests from kibanaserver users is disabled.

    [2021-05-07T07:10:54,684][INFO ][c.a.o.s.a.i.AuditLogImpl ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] Auditing of external configuration is disabled.

    [2021-05-07T07:10:54,684][INFO ][c.a.o.s.a.i.AuditLogImpl ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] Auditing of internal configuration is enabled.

    [2021-05-07T07:10:54,684][INFO ][c.a.o.s.a.i.AuditLogImpl ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] Auditing only metadata information for read request is enabled.

    [2021-05-07T07:10:54,684][INFO ][c.a.o.s.a.i.AuditLogImpl ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] Auditing will watch {} for read requests.

    [2021-05-07T07:10:54,685][INFO ][c.a.o.s.a.i.AuditLogImpl ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] Auditing read operation requests from kibanaserver users is disabled.

    [2021-05-07T07:10:54,685][INFO ][c.a.o.s.a.i.AuditLogImpl ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] Auditing only metadata information for write request is enabled.

    [2021-05-07T07:10:54,685][INFO ][c.a.o.s.a.i.AuditLogImpl ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] Auditing diffs for write requests is disabled.

    [2021-05-07T07:10:54,685][INFO ][c.a.o.s.a.i.AuditLogImpl ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] Auditing write operation requests from kibanaserver users is disabled.

    [2021-05-07T07:10:54,685][INFO ][c.a.o.s.a.i.AuditLogImpl ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] Auditing will watch <NONE> for write requests.

    [2021-05-07T07:10:54,686][INFO ][c.a.o.s.a.i.AuditLogImpl ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] .opendistro_security is used as internal security index.

    [2021-05-07T07:10:54,686][INFO ][c.a.o.s.a.i.AuditLogImpl ] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] Internal index used for posting audit logs is null

    [2021-05-07T07:11:41,667][WARN ][c.a.o.s.a.BackendRegistry] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] Authentication finally failed for sthenuwara from 10.244.0.9:36820

    [2021-05-07T07:11:51,918][WARN ][c.a.o.s.a.BackendRegistry] [opendistro-es-1-1620361574-client-5d4654d449-crrrt] Authentication finally failed for sandun thenuwara from 10.244.0.9:3682


image

username_attribute and sAMAccountName seem a bit off to me. I got a feeling that username_atrribute is wrong and should be username_attribute: sAMAccountName. And that you should be able to log in with sthenuwara in that case.

Based on your error, the issue should be in the authc section and not in authz.
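As an added example (not code from this thread or from the Open Distro project), a small Python lint that parses a constructed config.yml modelled on the LDAP setup discussed here and flags keys the ldap authentication backend does not recognise, so a misspelling like username_atrribute is caught before the plugin silently ignores it. The accepted-key list is assumed from the plugin documentation; the bind DN, userbase and password in the sample are placeholders.

```python
import difflib

# Keys the Open Distro security plugin accepts under an ldap
# authentication_backend's config (assumption: taken from the plugin docs).
LDAP_AUTHC_KEYS = {
    "enable_ssl", "enable_start_tls", "enable_ssl_client_auth", "verify_hostnames",
    "hosts", "bind_dn", "password", "userbase", "usersearch", "username_attribute",
}

# Constructed sample modelled on the thread; the flow-style hosts list is kept
# as a plain string by the minimal parser below. Note the misspelled last key.
SAMPLE_CONFIG = """\
config:
  dynamic:
    authc:
      ldap:
        http_authenticator:
          type: basic
        authentication_backend:
          type: ldap
          config:
            enable_ssl: false
            hosts: [ldap.lakshitha.com:2389]
            bind_dn: "cn=PLACEHOLDER,dc=example,dc=com"
            password: "PLACEHOLDER"
            userbase: "ou=people,dc=example,dc=com"
            usersearch: "(sAMAccountName={0})"
            username_atrribute: sAMAccountName
"""

def parse_simple_yaml(text):
    """Parse the indentation-based 'key: value' subset of YAML used in config.yml.
    Block lists and quoting are not handled; enough for the sample above."""
    root = {}
    stack = [(-1, root)]                      # (indent, mapping being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:         # climb back out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def lint_ldap_authc(cfg):
    """Return (domain, unknown_key, suggestion) for every unknown key in each ldap backend."""
    findings = []
    authc = cfg.get("config", {}).get("dynamic", {}).get("authc", {})
    for domain, spec in authc.items():
        backend = spec.get("authentication_backend", {})
        if backend.get("type") != "ldap":
            continue
        for key in backend.get("config", {}):
            if key not in LDAP_AUTHC_KEYS:
                close = difflib.get_close_matches(key, LDAP_AUTHC_KEYS, n=1)
                findings.append((domain, key, close[0] if close else None))
    return findings
```

Running `lint_ldap_authc(parse_simple_yaml(SAMPLE_CONFIG))` reports the misspelled key together with the closest accepted name.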

@oscark

No, I am suffering from the below error.

    java.io.IOException: Invalid keystore format

    [2021-05-09T16:08:47,460][WARN ][c.a.d.a.l.b.LDAPAuthorizationBackend] [opendistro-es-1-1620341125-client-5b8bc695c-zjx6s] Unable to connect to ldapserver ldap.lakshitha.com:2389 due to java.io.IOException: Invalid keystore format. Try next.

Hi @sandunl
It would appear that you have some unnecessary lines in your elasticsearch.yml file which are probably causing this error.
Can you share your elasticsearch.yml file (redact any sensitive details)?