LDAP auth with STARTTLS not working

My configuration:

     ldap:
       description: "Authenticate via LDAP or Active Directory"
       http_enabled: true
       transport_enabled: true
       order: 1
       http_authenticator:
         type: basic
         challenge: false
       authentication_backend:
         # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
         type: ldap
         config:
           # enable ldaps
           enable_ssl: false
           # enable start tls, enable_ssl should be false
           enable_start_tls: true
           # send client certificate
           enable_ssl_client_auth: false
           # verify ldap hostname
           verify_hostnames: true
           hosts:
           - oldap.blabla.com:389
           bind_dn: cn=ldap_bind_account,dc=blabla,dc=com
           password: somepass
           userbase: 'ou=People,dc=blabla,dc=com'
           # Filter to search for users (currently in the whole subtree beneath userbase)
           # {0} is substituted with the username
           usersearch: '(uid={0})'
           # Use this attribute from the user as username (if not set then DN is used)
           username_attribute: uid
           pemtrustedcas_filepath: /etc/elasticsearch/certs/root-ca-digi.pem

But it doesn’t work.

And apparently it doesn’t work because it does the bind BEFORE starttls and it’s lost.

LDAP logs:

Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=0 BIND dn="cn=ldap_bind_account,dc=blabla,dc=com" method=128
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=0 BIND dn="cn=ldap_bind_account,dc=blabla,dc=com" mech=SIMPLE ssf=0
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=0 RESULT tag=97 err=0 text=
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=1 EXT oid=1.3.6.1.4.1.1466.20037
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=1 STARTTLS
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=1 **AUTHZ anonymous** mech=starttls ssf=0
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=1 RESULT oid= err=0 text=
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 fd=98 TLS established tls_ssf=256 ssf=256
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=2 SRCH base="ou=People,dc=blabla,dc=com" scope=2 deref=3 filter="(uid=admin)"
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=2 SRCH attr=* +
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=2 SEARCH RESULT tag=101 err=53 nentries=0 **text=authentication required**
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=3 UNBIND
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 fd=98 closed

So apparently the binding is lost and it sees it as anonymous.

How do I fix this?
Thanks.

Hello @astateofmind

Can you authenticate successfully with that config?
What is your LDAP solution?

OpenLDAP.

I use it to authenticate to all my servers (sssd) so it’s functional in that configuration.

The difference between sssd and oss appears to be this line in the logs:
" AUTHZ anonymous mech=starttls ssf=0" and anonymous auth is disabled in my ldap config.

sssd does an extra BIND after starttls and after
SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required
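An added example, not code from the thread or from Open Distro: a small checker that walks slapd log lines per connection and flags the ordering described above, a simple BIND completed on the cleartext leg (ssf=0, so the bind password crossed the wire before TLS), the AUTHZ anonymous reset at STARTTLS, and a search then refused with err=53. The conn=17443 lines are the excerpt from the first post; conn=17444 is a constructed healthy sequence in the order sssd is described as using (STARTTLS, then BIND, then search).

```python
# Added example: detect "BIND before STARTTLS, then anonymous search" in slapd logs.
# conn=17443 is the excerpt posted above; conn=17444 is constructed (healthy order).
import re

SAMPLE_LOG = """\
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=0 BIND dn="cn=ldap_bind_account,dc=blabla,dc=com" method=128
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=0 BIND dn="cn=ldap_bind_account,dc=blabla,dc=com" mech=SIMPLE ssf=0
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=0 RESULT tag=97 err=0 text=
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=1 EXT oid=1.3.6.1.4.1.1466.20037
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=1 STARTTLS
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=1 AUTHZ anonymous mech=starttls ssf=0
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=1 RESULT oid= err=0 text=
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 fd=98 TLS established tls_ssf=256 ssf=256
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=2 SRCH base="ou=People,dc=blabla,dc=com" scope=2 deref=3 filter="(uid=admin)"
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=2 SRCH attr=* +
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=2 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=3 UNBIND
Jun  2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 fd=98 closed
Jun  2 13:38:02 OpenLDAP-01 slapd[4078]: conn=17444 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jun  2 13:38:02 OpenLDAP-01 slapd[4078]: conn=17444 op=0 STARTTLS
Jun  2 13:38:02 OpenLDAP-01 slapd[4078]: conn=17444 op=0 AUTHZ anonymous mech=starttls ssf=0
Jun  2 13:38:02 OpenLDAP-01 slapd[4078]: conn=17444 op=0 RESULT oid= err=0 text=
Jun  2 13:38:02 OpenLDAP-01 slapd[4078]: conn=17444 fd=99 TLS established tls_ssf=256 ssf=256
Jun  2 13:38:02 OpenLDAP-01 slapd[4078]: conn=17444 op=1 BIND dn="cn=ldap_bind_account,dc=blabla,dc=com" mech=SIMPLE ssf=256
Jun  2 13:38:02 OpenLDAP-01 slapd[4078]: conn=17444 op=1 RESULT tag=97 err=0 text=
Jun  2 13:38:02 OpenLDAP-01 slapd[4078]: conn=17444 op=2 SRCH base="ou=People,dc=blabla,dc=com" scope=2 deref=3 filter="(uid=admin)"
Jun  2 13:38:02 OpenLDAP-01 slapd[4078]: conn=17444 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

LINE_RE = re.compile(r"conn=(?P<conn>\d+) (?:op=\d+ )?(?P<msg>.*)$")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" mech=\S+ ssf=(?P<ssf>\d+)')
SEARCH_RESULT_RE = re.compile(r"^SEARCH RESULT .*\berr=(?P<err>\d+)")


def _new_report():
    return {
        "bind_dn_before_tls": None,    # simple bind that completed on the cleartext leg
        "bind_dn_after_tls": None,     # simple bind that completed after TLS was up
        "cleartext_bind_ssf0": False,  # a non-anonymous bind went over the wire with ssf=0
        "authz_reset": False,          # slapd logged 'AUTHZ anonymous mech=starttls'
        "tls": False,
        "searched_anonymously": False,
        "search_err": None,
        "_pending": None,              # dn of a BIND still waiting for its RESULT line
    }


def analyse(log_text):
    """Group slapd lines by conn=N and track bind state across the STARTTLS reset."""
    reports = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        r = reports.setdefault(m["conn"], _new_report())
        msg = m["msg"]
        bm = BIND_RE.match(msg)
        if bm:
            r["_pending"] = bm["dn"] or None        # empty dn is an anonymous bind
            if bm["dn"] and bm["ssf"] == "0":
                r["cleartext_bind_ssf0"] = True
        elif msg.startswith("RESULT tag=97 err=0") and r["_pending"]:
            # tag=97 is a BindResponse; err=0 means the bind succeeded
            r["bind_dn_after_tls" if r["tls"] else "bind_dn_before_tls"] = r["_pending"]
            r["_pending"] = None
        elif msg.startswith("AUTHZ anonymous mech=starttls"):
            r["authz_reset"] = True                 # server dropped the earlier bind
        elif "TLS established" in msg:
            r["tls"] = True
        elif msg.startswith("SRCH base="):
            # After an AUTHZ reset only a bind done after STARTTLS still counts.
            if r["authz_reset"]:
                effective = r["bind_dn_after_tls"]
            else:
                effective = r["bind_dn_after_tls"] or r["bind_dn_before_tls"]
            if effective is None:
                r["searched_anonymously"] = True
        else:
            sm = SEARCH_RESULT_RE.match(msg)
            if sm:
                r["search_err"] = int(sm["err"])
    for r in reports.values():
        del r["_pending"]
    return reports


def classify(report):
    """Short verdict for one connection report."""
    if report["bind_dn_before_tls"] and report["authz_reset"] and not report["bind_dn_after_tls"]:
        return "bind-before-starttls"               # the pattern in this thread
    if report["searched_anonymously"] and report["search_err"] == 53:
        return "anonymous-search-refused"
    if report["bind_dn_after_tls"] and report["search_err"] == 0:
        return "ok"
    return "unclassified"


if __name__ == "__main__":
    for conn, rep in analyse(SAMPLE_LOG).items():
        print(conn, classify(rep), "cleartext bind:", rep["cleartext_bind_ssf0"])
```

Run against a real slapd log (loglevel stats) the same way; any connection classified as bind-before-starttls is a client that must be reconfigured to bind only after STARTTLS, and its cleartext_bind_ssf0 flag tells you whether that account's password was exposed on the wire.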

@astateofmind

Do you get any errors in ES during authentication?

I have start_tls working with my MS AD 2019. However, I had to add the below to config.yml as my AD is using a self-signed cert.

pemtrustedcas_filepath: "certificate.crt"

I’ll check if I can get OpenLDAP working.

Set the level to debug and this is what I get in the ES log:

Sorry if it is too long; I still had to remove some parts to be able to post it.

[2021-06-05T17:24:10,842][DEBUG][c.a.o.s.a.BackendRegistry] [node-1] Cannot authenticate rest user USER (or add roles) with authdomain internal/1 of [AuthDomain [backend=com.amazon.opendistroforelasticsearch.security.auth.internal.InternalAuthenticationBackend@6d387e9b, httpAuthenticator=com.amazon.opendistroforelasticsearch.security.http.HTTPBasicAuthenticator@645257a, order=1, challenge=true], AuthDomain [backend=com.amazon.dlic.auth.ldap.backend.LDAPAuthenticationBackend@624134f0, httpAuthenticator=com.amazon.opendistroforelasticsearch.security.http.HTTPBasicAuthenticator@63e84ebf, order=2, challenge=false]], try next
[2021-06-05T17:24:10,842][DEBUG][c.a.o.s.a.BackendRegistry] [node-1] Check authdomain for rest ldap/2 or 2 in total
[2021-06-05T17:24:10,852][DEBUG][c.a.d.a.l.b.LDAPAuthorizationBackend] [node-1] verifyHostname true:
[2021-06-05T17:24:10,852][DEBUG][c.a.d.a.l.b.LDAPAuthorizationBackend] [node-1] trustall false:
[2021-06-05T17:24:10,852][DEBUG][c.a.o.s.s.PemKeyReader   ] [node-1] Path is is /etc/elasticsearch/certs/root-ca-digi.pem
[2021-06-05T17:24:10,853][DEBUG][c.a.o.s.s.PemKeyReader   ] [node-1] Resolved /etc/elasticsearch/certs/root-ca-digi.pem to /etc/elasticsearch/certs/root-ca-digi.pem against /etc/elasticsearch
[2021-06-05T17:24:10,863][DEBUG][c.a.o.s.s.PemKeyReader   ] [node-1] Path is is null
[2021-06-05T17:24:10,864][DEBUG][c.a.o.s.s.PemKeyReader   ] [node-1] Path is is null
[2021-06-05T17:24:10,865][DEBUG][c.a.d.a.l.b.LDAPAuthorizationBackend] [node-1] Use PEM to secure communication with LDAP server (client auth is false)
[2021-06-05T17:24:10,866][DEBUG][c.a.d.a.l.b.LDAPAuthorizationBackend] [node-1] enabled ssl/tls protocols for ldaps [TLSv1.3, TLSv1.2]
[2021-06-05T17:24:10,866][DEBUG][c.a.d.a.l.b.LDAPAuthorizationBackend] [node-1] Connect timeout: PT5S/ResponseTimeout: PT0S
[2021-06-05T17:24:10,866][DEBUG][c.a.d.a.l.b.LDAPAuthorizationBackend] [node-1] bindDn cn=ldap_bind_account,dc=blabla,dc=com, password ****
[2021-06-05T17:24:10,866][DEBUG][c.a.d.a.l.b.LDAPAuthorizationBackend] [node-1] Will perform simple bind with bind dn
[2021-06-05T17:24:10,982][DEBUG][o.l.s.AggregateTrustManager] [node-1] checkServerTrusted for sun.security.ssl.X509TrustManagerImpl@1a6fbf89 succeeded
[2021-06-05T17:24:10,982][DEBUG][o.l.s.AggregateTrustManager] [node-1] invoking getAcceptedIssuers for sun.security.ssl.X509TrustManagerImpl@1a6fbf89
[2021-06-05T17:24:11,040][DEBUG][c.a.d.a.l.b.LDAPAuthorizationBackend] [node-1] Opened a connection, total count is now 1
[2021-06-05T17:24:11,051][DEBUG][o.l.SearchOperation      ] [node-1] execute request=[org.ldaptive.SearchRequest@-1928768266::baseDn=ou=People,dc=blabla,dc=com, searchFilter=[org.ldaptive.SearchFilter@-1770077014::filter=(uid={0}), parameters={0=USER}], returnAttributes=[*, +], searchScope=SUBTREE, timeLimit=PT0S, sizeLimit=0, derefAliases=ALWAYS, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=[org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@7879e4ac], controls=null, referralHandler=org.ldaptive.referral.SearchReferralHandler@199b43ae, intermediateResponseHandlers=null] with connection=com.amazon.dlic.auth.ldap.backend.LDAPAuthorizationBackend$4@2ef098b5
[2021-06-05T17:24:11,066][DEBUG][o.l.p.j.NamingExceptionUtils] [node-1] naming exception class javax.naming.OperationNotSupportedException is ambiguous, maps to multiple result codes: [UNAVAILABLE_CRITICAL_EXTENSION, UNWILLING_TO_PERFORM]
[2021-06-05T17:24:11,068][DEBUG][c.a.d.a.l.b.LDAPAuthorizationBackend] [node-1] Closed a connection, total count is now 0
[2021-06-05T17:24:11,068][DEBUG][c.a.d.a.l.b.LDAPAuthenticationBackend] [node-1] Unable to authenticate user due to
org.ldaptive.LdapException: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - authentication required]; remaining name 'ou=People,dc=blabla,dc=com'
        at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.provider.jndi.JndiConnection.processNamingException(JndiConnection.java:619) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.provider.jndi.JndiConnection$JndiSearchIterator.initialize(JndiConnection.java:741) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.provider.jndi.JndiConnection.search(JndiConnection.java:463) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.SearchOperation.executeSearch(SearchOperation.java:103) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.SearchOperation.invoke(SearchOperation.java:85) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.SearchOperation.invoke(SearchOperation.java:15) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.AbstractOperation.execute(AbstractOperation.java:126) ~[ldaptive-1.2.3.jar:?]
        at com.amazon.dlic.auth.ldap.util.LdapHelper$1.run(LdapHelper.java:67) ~[opendistro_security-1.13.1.0.jar:1.13.1.0]
        at com.amazon.dlic.auth.ldap.util.LdapHelper$1.run(LdapHelper.java:56) ~[opendistro_security-1.13.1.0.jar:1.13.1.0]
        at java.security.AccessController.doPrivileged(AccessController.java:554) ~[?:?]
        at com.amazon.dlic.auth.ldap.util.LdapHelper.search(LdapHelper.java:56) ~[opendistro_security-1.13.1.0.jar:1.13.1.0]
        at com.amazon.dlic.auth.ldap.backend.LDAPAuthenticationBackend.existsSearchingAllBases(LDAPAuthenticationBackend.java:259) ~[opendistro_security-1.13.1.0.jar:1.13.1.0]
        at com.amazon.dlic.auth.ldap.backend.LDAPAuthenticationBackend.exists(LDAPAuthenticationBackend.java:212) ~[opendistro_security-1.13.1.0.jar:1.13.1.0]
        at com.amazon.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:89) [opendistro_security-1.13.1.0.jar:1.13.1.0]
        at com.amazon.opendistroforelasticsearch.security.auth.BackendRegistry$9.call(BackendRegistry.java:671) [opendistro_security-1.13.1.0.jar:1.13.1.0]
        at com.amazon.opendistroforelasticsearch.security.auth.BackendRegistry$9.call(BackendRegistry.java:664) [opendistro_security-1.13.1.0.jar:1.13.1.0]
        at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4875) [guava-25.1-jre.jar:?]
        at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3527) [guava-25.1-jre.jar:?]
        at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2276) [guava-25.1-jre.jar:?]
        at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2154) [guava-25.1-jre.jar:?]
        at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2044) [guava-25.1-jre.jar:?]
        at com.google.common.cache.LocalCache.get(LocalCache.java:3951) [guava-25.1-jre.jar:?]
        at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4870) [guava-25.1-jre.jar:?]
        at com.amazon.opendistroforelasticsearch.security.auth.BackendRegistry.authcz(BackendRegistry.java:664) [opendistro_security-1.13.1.0.jar:1.13.1.0]
        at com.amazon.opendistroforelasticsearch.security.auth.BackendRegistry.authenticate(BackendRegistry.java:470) [opendistro_security-1.13.1.0.jar:1.13.1.0]
        at com.amazon.opendistroforelasticsearch.security.filter.OpenDistroSecurityRestFilter.checkAndAuthenticateRequest(OpenDistroSecurityRestFilter.java:177) [opendistro_security-1.13.1.0.jar:1.13.1.0]
        at com.amazon.opendistroforelasticsearch.security.filter.OpenDistroSecurityRestFilter.access$000(OpenDistroSecurityRestFilter.java:66) [opendistro_security-1.13.1.0.jar:1.13.1.0]
        at com.amazon.opendistroforelasticsearch.security.filter.OpenDistroSecurityRestFilter$1.handleRequest(OpenDistroSecurityRestFilter.java:113) [opendistro_security-1.13.1.0.jar:1.13.1.0]
        at java.lang.Thread.run(Thread.java:832) [?:?]
Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - authentication required]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3332) ~[?:?]
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3205) ~[?:?]
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2996) ~[?:?]
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1875) ~[?:?]
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1798) ~[?:?]
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392) ~[?:?]
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358) ~[?:?]
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341) ~[?:?]
        at org.ldaptive.provider.jndi.JndiConnection$JndiSearchIterator.search(JndiConnection.java:807) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.provider.jndi.JndiConnection$JndiSearchIterator.initialize(JndiConnection.java:735) ~[ldaptive-1.2.3.jar:?]
        ... 89 more
[2021-06-05T17:24:11,075][DEBUG][c.a.o.s.a.BackendRegistry] [node-1] Can not authenticate USER due to com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[[org.ldaptive.LdapException@1988524820::resultCode=UNWILLING_TO_PERFORM, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.OperationNotSupportedException: [LDAP: error code 53 - authentication required]; remaining name 'ou=People,dc=blabla,dc=com', providerException=javax.naming.OperationNotSupportedException: [LDAP: error code 53 - authentication required]; remaining name 'ou=People,dc=blabla,dc=com']]; nested: LdapException[javax.naming.OperationNotSupportedException: [LDAP: error code 53 - authentication required]; remaining name 'ou=People,dc=blabla,dc=com']; nested: OperationNotSupportedException[[LDAP: error code 53 - authentication required]];
com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[[org.ldaptive.LdapException@1988524820::resultCode=UNWILLING_TO_PERFORM, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.OperationNotSupportedException: [LDAP: error code 53 - authentication required]; remaining name 'ou=People,dc=blabla,dc=com', providerException=javax.naming.OperationNotSupportedException: [LDAP: error code 53 - authentication required]; remaining name 'ou=People,dc=blabla,dc=com']]; nested: LdapException[javax.naming.OperationNotSupportedException: [LDAP: error code 53 - authentication required]; remaining name 'ou=People,dc=blabla,dc=com']; nested: OperationNotSupportedException[[LDAP: error code 53 - authentication required]];
....
        at java.lang.Thread.run(Thread.java:832) [?:?]
Caused by: org.elasticsearch.ElasticsearchSecurityException: [org.ldaptive.LdapException@1988524820::resultCode=UNWILLING_TO_PERFORM, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.OperationNotSupportedException: [LDAP: error code 53 - authentication required]; remaining name 'ou=People,dc=blabla,dc=com', providerException=javax.naming.OperationNotSupportedException: [LDAP: error code 53 - authentication required]; remaining name 'ou=People,dc=blabla,dc=com']
        at com.amazon.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:138) ~[opendistro_security-1.13.1.0.jar:1.13.1.0]
...
        ... 70 more
Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - authentication required]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3332) ~[?:?]
...
        ... 70 more
[2021-06-05T17:24:11,080][DEBUG][c.a.o.s.a.BackendRegistry] [node-1] Cannot authenticate rest user USER (or add roles) with authdomain ldap/2 of [AuthDomain [backend=com.amazon.opendistroforelasticsearch.security.auth.internal.InternalAuthenticationBackend@6d387e9b, httpAuthenticator=com.amazon.opendistroforelasticsearch.security.http.HTTPBasicAuthenticator@645257a, order=1, challenge=true], AuthDomain [backend=com.amazon.dlic.auth.ldap.backend.LDAPAuthenticationBackend@624134f0, httpAuthenticator=com.amazon.opendistroforelasticsearch.security.http.HTTPBasicAuthenticator@63e84ebf, order=2, challenge=false]], try next
[2021-06-05T17:24:11,080][DEBUG][c.a.o.s.a.BackendRegistry] [node-1] User still not authenticated after checking 2 auth domains

@astateofmind

In bind_dn you’ve configured “cn=ldap_bind_account,dc=blabla,dc=com”
However, in userbase you’re using “ou=People,dc=blabla,dc=com”. Do you have users in OU People?
Could you try to change your userbase to “dc=blabla,dc=com” ?

All my users are in the People OU, with the exception of the users I use for LDAP admin and LDAP binds, which are in the root dc.

But as I said, the main error seems to be “LDAP: error code 53 - authentication required”.

And judging by the LDAP log the search is done with anonymous, which shouldn’t happen.

With the user base in dc=blabla,dc=com:

Jun  5 11:45:23 OpenLDAP-01 slapd[10836]: conn=14001 fd=227 ACCEPT from IP=elk_ip:43250 (IP=0.0.0.0:389)
Jun  5 11:45:23 OpenLDAP-01 slapd[10836]: conn=14001 op=0 BIND dn="cn=ldap_bind_account,dc=arrisassurance,dc=com" method=128
Jun  5 11:45:23 OpenLDAP-01 slapd[10836]: conn=14001 op=0 BIND dn="cn=ldap_bind_account,dc=arrisassurance,dc=com" mech=SIMPLE ssf=0
Jun  5 11:45:23 OpenLDAP-01 slapd[10836]: conn=14001 op=0 RESULT tag=97 err=0 text=
Jun  5 11:45:23 OpenLDAP-01 slapd[10836]: conn=14001 op=1 EXT oid=1.3.6.1.4.1.1466.20037
Jun  5 11:45:23 OpenLDAP-01 slapd[10836]: conn=14001 op=1 STARTTLS
Jun  5 11:45:23 OpenLDAP-01 slapd[10836]: conn=14001 op=1 AUTHZ anonymous mech=starttls ssf=0
Jun  5 11:45:23 OpenLDAP-01 slapd[10836]: conn=14001 op=1 RESULT oid= err=0 text=
Jun  5 11:45:24 OpenLDAP-01 slapd[10836]: conn=14001 fd=227 TLS established tls_ssf=256 ssf=256
Jun  5 11:45:24 OpenLDAP-01 slapd[10836]: conn=14001 op=2 SRCH base="dc=blabla,dc=com" scope=2 deref=3 filter="(uid=USER)"
Jun  5 11:45:24 OpenLDAP-01 slapd[10836]: conn=14001 op=2 SRCH attr=* +
Jun  5 11:45:24 OpenLDAP-01 slapd[10836]: conn=14001 op=2 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required
Jun  5 11:45:24 OpenLDAP-01 slapd[10836]: conn=14001 op=3 UNBIND
Jun  5 11:45:24 OpenLDAP-01 slapd[10836]: conn=14001 fd=227 closed

This line AUTHZ anonymous mech=starttls ssf=0 seems to be the problem.

For another connection I have:

Jun  5 11:50:51 OpenLDAP-01 slapd[10836]: conn=14136 fd=36 ACCEPT from IP=some_ip:1024 (IP=0.0.0.0:389)
Jun  5 11:50:51 OpenLDAP-01 slapd[10836]: conn=14136 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jun  5 11:50:51 OpenLDAP-01 slapd[10836]: conn=14136 op=0 STARTTLS
Jun  5 11:50:51 OpenLDAP-01 slapd[10836]: conn=14136 op=0 RESULT oid= err=0 text=
Jun  5 11:50:51 OpenLDAP-01 slapd[10836]: conn=14136 fd=36 TLS established tls_ssf=256 ssf=256
Jun  5 11:50:51 OpenLDAP-01 slapd[10836]: conn=14136 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jun  5 11:50:51 OpenLDAP-01 slapd[10836]: conn=14136 op=1 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality defaultNamingContext lastUSN highestCommittedUSN
Jun  5 11:50:51 OpenLDAP-01 slapd[10836]: conn=14136 op=1 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required
Jun  5 11:50:51 OpenLDAP-01 slapd[10836]: conn=14136 op=2 BIND dn="cn=ldap_bind_account,dc=blabla,dc=com" method=128
Jun  5 11:50:51 OpenLDAP-01 slapd[10836]: conn=14136 op=2 BIND dn="cn=ldap_bind_account,dc=blabla,dc=com" mech=SIMPLE ssf=0
Jun  5 11:50:51 OpenLDAP-01 slapd[10836]: conn=14136 op=2 RESULT tag=97 err=0 text=
Jun  5 11:50:51 OpenLDAP-01 slapd[10836]: conn=14136 op=3 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jun  5 11:50:51 OpenLDAP-01 slapd[10836]: conn=14136 op=3 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality defaultNamingContext lastUSN highestCommittedUSN
Jun  5 11:50:51 OpenLDAP-01 slapd[10836]: conn=14136 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=

The BIND is done after the auth is requested and there is no AUTHZ anonymous line …

Not sure if that’s the problem but it looks like it.

Is your OpenLDAP working with STARTTLS?
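As an added illustration (not part of this thread or of the plugin), a small Python check that reads slapd log lines like the two connections above and flags, per connection, a simple BIND issued before STARTTLS, the AUTHZ anonymous reset the server logs afterwards, and the anonymous search that is then refused with err=53. The sample lines are constructed by trimming the log excerpts quoted in this post.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the two slapd connections quoted in this thread:
# conn=14001 binds and then issues STARTTLS, conn=14136 does STARTTLS first.
SAMPLE_LOG = """\
Jun  5 11:45:23 OpenLDAP-01 slapd[10836]: conn=14001 op=0 BIND dn="cn=ldap_bind_account,dc=blabla,dc=com" mech=SIMPLE ssf=0
Jun  5 11:45:23 OpenLDAP-01 slapd[10836]: conn=14001 op=1 STARTTLS
Jun  5 11:45:23 OpenLDAP-01 slapd[10836]: conn=14001 op=1 AUTHZ anonymous mech=starttls ssf=0
Jun  5 11:45:24 OpenLDAP-01 slapd[10836]: conn=14001 fd=227 TLS established tls_ssf=256 ssf=256
Jun  5 11:45:24 OpenLDAP-01 slapd[10836]: conn=14001 op=2 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required
Jun  5 11:50:51 OpenLDAP-01 slapd[10836]: conn=14136 op=0 STARTTLS
Jun  5 11:50:51 OpenLDAP-01 slapd[10836]: conn=14136 fd=36 TLS established tls_ssf=256 ssf=256
Jun  5 11:50:51 OpenLDAP-01 slapd[10836]: conn=14136 op=2 BIND dn="cn=ldap_bind_account,dc=blabla,dc=com" mech=SIMPLE ssf=0
Jun  5 11:50:51 OpenLDAP-01 slapd[10836]: conn=14136 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

CONN_RE = re.compile(r"conn=(\d+) (.*)$")
SEARCH_RE = re.compile(r"SEARCH RESULT .*\berr=(\d+)")

def connection_events(log_text):
    """Reduce every connection to an ordered list of the events that matter here.
    A BIND is tagged BIND_PLAIN or BIND_TLS by whether 'TLS established' was already
    logged for that connection; the ssf=0 on a SIMPLE bind line is the SASL layer's
    ssf and says nothing about TLS (conn=14136 shows ssf=0 on a bind inside TLS)."""
    events, tls_up = defaultdict(list), defaultdict(bool)
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.group(1), m.group(2)
        if rest.endswith(" STARTTLS"):
            events[conn].append("STARTTLS")
        elif "TLS established" in rest:
            tls_up[conn] = True
        elif ' BIND dn="' in rest and "mech=" in rest:
            events[conn].append("BIND_TLS" if tls_up[conn] else "BIND_PLAIN")
        elif "AUTHZ anonymous" in rest:
            events[conn].append("AUTHZ_ANON")
        elif (s := SEARCH_RE.search(rest)):
            events[conn].append("SEARCH_ERR_" + s.group(1))
    return dict(events)

def findings(events):
    """Defender's reading of one connection; an empty list means STARTTLS came first."""
    out = []
    if "BIND_PLAIN" in events:
        out.append("simple BIND before TLS: password crossed the wire in clear")
    if "AUTHZ_ANON" in events:
        out.append("STARTTLS reset the bound identity to anonymous")
    if "SEARCH_ERR_53" in events and "BIND_TLS" not in events:
        out.append("search ran anonymously and was refused with err=53")
    return out
```

Run over a full slapd log, the connections that come back with an empty findings list are the clients that negotiated TLS before binding; the others are the ones whose bind credentials were both exposed and discarded.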

@astateofmind

I’m not using OpenLDAP. I’m working with MS AD 2019, where STARTTLS works just fine.
I’ll try to set up OpenLDAP and test it, as it’s quite interesting that it doesn’t work for you.

The config.yml you’ve shared has only one authc section. Did you configure authz in config.yml?

Nope.

I mean I tried with that enabled as well and it didn’t work, so then I disabled the authz. I’m interested in first getting authenticated and then mapping groups to roles …

@astateofmind

I have OpenLDAP and ODFE 1.13.1 working but without TLS. I can successfully authenticate. In my case, I’m using Kibana to authenticate with ES.

Looking at your logs I’ve found that your search is against uid.

Jun 2 13:37:39 OpenLDAP-01 slapd[4078]: conn=17443 op=2 SRCH base="ou=People,dc=blabla,dc=com" scope=2 deref=3 filter="(uid=admin)"

Mine use cn instead.

openldap | 60bbe00d conn=1169 op=1 SRCH base="cn=ldapuser1,ou=People,dc=example,dc=org" scope=0 deref=3 filter="(objectClass=*)"

I’ll test TLS later. Did authentication work without TLS or SSL for you?

Didn’t try without TLS.

I think that the problem is due to my access list:

olcAccess: to * by self write by anonymous auth by dn.base="cn=ldapadm,dc=blabla,dc=com" write by group/GroupOfNames/member="cn=ldap-admins,ou=Groups,dc=blabla,dc=com" write by dn.exact="cn=ldap_bind_account,dc=blabla,dc=com" read by * none

Anonymous is not allowed to read. Can you try with a similar ACL that denies anonymous access and requires it to auth?

But since I have set a bind username and password, it shouldn’t try with anonymous … and that’s, I think, the main problem.

Even after deleting the access rule it still doesn’t work.

Another connection:

Jun  5 16:22:50 OpenLDAP-01 slapd[21214]: conn=1271 fd=62 ACCEPT from IP=ip:9216 (IP=0.0.0.0:389)
Jun  5 16:22:50 OpenLDAP-01 slapd[21214]: conn=1271 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jun  5 16:22:50 OpenLDAP-01 slapd[21214]: conn=1271 op=0 STARTTLS
Jun  5 16:22:50 OpenLDAP-01 slapd[21214]: conn=1271 op=0 RESULT oid= err=0 text=
Jun  5 16:22:50 OpenLDAP-01 slapd[21214]: conn=1271 fd=62 TLS established tls_ssf=256 ssf=256
Jun  5 16:22:50 OpenLDAP-01 slapd[21214]: conn=1271 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jun  5 16:22:50 OpenLDAP-01 slapd[21214]: conn=1271 op=1 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality defaultNamingContext lastUSN highestCommittedUSN
Jun  5 16:22:50 OpenLDAP-01 slapd[21214]: conn=1271 op=1 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required
Jun  5 16:22:50 OpenLDAP-01 slapd[21214]: conn=1271 op=2 BIND dn="cn=ldap_bind_account,dc=blabla,dc=com" method=128
Jun  5 16:22:50 OpenLDAP-01 slapd[21214]: conn=1271 op=2 BIND dn="cn=ldap_bind_account,dc=blabla,dc=com" mech=SIMPLE ssf=0
Jun  5 16:22:50 OpenLDAP-01 slapd[21214]: conn=1271 op=2 RESULT tag=97 err=0 text=

As you can see after “auth required” the SSSD client does a BIND while opendistro just does an unbind …

OK, I did some digging and I think these 2 settings are to blame:

olcDisallows: bind_anon
olcRequires: authc 

But since these 2 settings are there to increase security, it’s weird that they break the LDAP connection.

OK, the way it works:

Remove from my ldap config

olcDisallows: bind_anon
olcRequires: authc 

And remove the access list from my LDAP config.

Which basically permits read access to the anonymous user on my ldap directory.

NOT acceptable.

And I think that all of this is related to the command “op=1 AUTHZ anonymous mech=starttls ssf=0”.

Is there a way to report this as a bug or something?

Interestingly enough, it works with enable_ssl but it DOESN’T work with enable_start_tls.

So with enable_ssl everything works great. I have 2 levels - admin and read only, and have those mapped in wazuh as well, working as expected.

Clearly there is a bug somewhere in the plugin for start_tls …

@astateofmind

Just tested OpenSearch 1.0.1 with OpenLDAP. I got successfully authenticated with StartTLS enabled.

https://github.com/opensearch-project/security/pull/1415