LDAP doesn't work over SSL

Hi, if I try to make it work without SSL on port 389 it works correctly, but when I enable SSL it says incorrect credentials.

The following is my config:

authc:
  basic_internal_auth_domain:
    description: "Authenticate via HTTP Basic against internal users database"
    http_enabled: true
    transport_enabled: true
    order: 4
    http_authenticator:
      type: basic
      challenge: true
    authentication_backend:
      type: intern
  ldap:
    description: "Authenticate via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: basic
      challenge: true
    authentication_backend:
      type: ldap
      config:
        enable_ssl: true
        pemtrustedcas_filepath: "/etc/ssl/certs/ldap/ca.pem"
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
          - "X.X.X:636"
        bind_dn: "CN=X,OU=Service Accounts,OU=Accounts,DC=X,DC=X"
        password: "X."
        userbase: "OU=Accounts,dc=X,dc=X"
        usersearch: "(sAMAccountName={0})"
        username_attribute: "uid"

authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: ldap
      config:
        enable_ssl: true
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
          - "X.X.X:636"
        bind_dn: "CN=X,OU=Service Accounts,OU=Accounts,DC=X,DC=X"
        password: "X."
        userbase: "OU=Accounts,dc=X,dc=X"
        usersearch: '(uid={0})'
        username_attribute: uid
        rolebase: "OU=X,dc=X,dc=X"
        rolesearch: '(member={0})'
        userroleattribute: null
        resolve_nested_roles: true

Also, where can I find the LDAP error log?

Regards,
Daniel D.

I've found the error. It is inside /var/log/elasticsearch/elasticsearch.log

[WARN ][c.a.d.a.l.b.LDAPAuthorizationBackend] [node-1] Unable to connect to ldapserver X.X.X:636 due to java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/ssl/certs/ldap/ca.pem" "read"). Try next.

Even if I apply 777 and chown it to the kibana user it still doesn't work though.

Regards,
Daniel D.

FOUND THE PROBLEM.

Moving the certificate into the elastic folder instead of the /etc/ssl folder worked. Apparently elastic can't read the etc folder and throws an exception.
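An added check for what went wrong in this thread (it is not code from the thread or from the Open Distro project): Elasticsearch runs under the Java Security Manager, whose policy only lets it read files under its own directories, so a CA file under /etc/ssl is denied no matter what mode bits it has. The script confirms the file sits under the config directory, is owned by the service account without being group- or world-writable, and optionally verifies the LDAPS listener's chain and hostname with openssl. The config directory ($ES_PATH_CONF, defaulting to /etc/elasticsearch), the "elasticsearch" user and the script name are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not code from the thread or the Open Distro project) for the
# failure above: Elasticsearch runs under the Java Security Manager, whose policy
# grants file reads only inside its own directories (config dir included), so a CA
# file under /etc/ssl is denied whatever its mode bits. Assumed: config dir is
# $ES_PATH_CONF or /etc/elasticsearch; service account is "elasticsearch".
ES_CONF="${ES_PATH_CONF:-/etc/elasticsearch}"
ES_USER="${ES_USER:-elasticsearch}"

# ca_in_confdir FILE DIR -> 0 if FILE's directory resolves to a path under DIR
ca_in_confdir() {
  [ -f "$1" ] || return 2
  dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 2
  conf=$(cd "$2" 2>/dev/null && pwd -P) || return 2
  case "$dir/$(basename "$1")" in "$conf"/*) return 0 ;; esac
  return 1
}

# ca_perms_ok FILE -> 0 unless FILE is group- or world-writable: a writable trust
# anchor can be swapped by any local user, so the 777 tried above fails; 0640 is enough.
ca_perms_ok() {
  perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
  [ -n "$perms" ] || return 2
  case "$perms" in ?????w????|????????w?) return 1 ;; esac
  return 0
}

# ca_owned_by FILE USER -> 0 if FILE's owner is USER
ca_owned_by() {
  [ -n "$2" ] && [ "$(ls -ld "$1" 2>/dev/null | awk '{print $3}')" = "$2" ]
}

# ldaps_chain_ok HOST:PORT CAFILE -> 0 if the listener's chain verifies against CAFILE
# and its name matches HOST (what verify_hostnames: true checks); -verify_return_error
# makes s_client exit non-zero on a verify failure instead of just printing it.
ldaps_chain_ok() {
  openssl s_client -connect "$1" -CAfile "$2" -verify_hostname "${1%:*}" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

# Command-line use: sh check_ldap_ca.sh CAFILE [HOST:PORT]
if [ "$#" -ge 1 ]; then
  ca_in_confdir "$1" "$ES_CONF" && echo "ok: under $ES_CONF" || echo "FAIL: $1 is outside $ES_CONF"
  ca_perms_ok "$1" && echo "ok: not group/world-writable" || echo "FAIL: group/world-writable; use 0640"
  ca_owned_by "$1" "$ES_USER" && echo "ok: owned by $ES_USER" || echo "FAIL: chown $ES_USER $1"
  [ -z "$2" ] || { ldaps_chain_ok "$2" "$1" && echo "ok: $2 verifies" || echo "FAIL: $2 chain or hostname"; }
fi
```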
