LDAP: error code 49 - Invalid Credentials

Hi experts,

This is the first time I try to configure Open Distro with LDAP. I have done it before with XPath.

I did all the configuration in config.yml as follows, and LDAP as well, but I’m getting this error:

[2020-12-07T17:36:53,577][WARN ][c.a.d.a.l.b.LDAPAuthorizationBackend] [ubuntu-VirtualBox] Unable to connect to ldapserver openldap:389 due to [org.ldaptive.provider.ConnectionException@787625818::resultCode=INVALID_CREDENTIALS, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials], providerException=javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]]. Try next.
[2020-12-07T17:36:53,577][WARN ][c.a.o.s.a.BackendRegistry] [ubuntu-VirtualBox] Authentication finally failed for linus from 127.0.0.1:35654

I think the password encrypted by Open Distro doesn’t match the way it is encrypted in OpenLDAP. It is my guess.

I encrypted the password in OpenLDAP with the command:

slappasswd -h {SHA} -s my_secret_password

The openLDAP LDIF:

dn: dc=portoseguro,dc=BR
objectClass: dcObject
objectClass: organization
objectClass: top
dc: portoseguro
o: portoseguro.BR

dn: cn=admin,dc=portoseguro,dc=BR
objectClass: simpleSecurityObject
objectClass: organizationalRole
objectClass: top
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9MWNZNFB0a01uT015dTllNnZFQUJPQnZyeW4vTzk3cWg=

dn: ou=people,dc=portoseguro,dc=BR
objectClass: organizationalUnit
objectClass: top
ou: People

dn: uid=john,ou=people,dc=portoseguro,dc=BR
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: top
cn: John Dee
gidNumber: 10001
givenName: John
homeDirectory: /home/john
loginShell: /bin/bash
mail:
sn: Dee
uid: john
uidNumber: 10001
userPassword:: e1NIQX1wUjNhZkgvMUMySHE2Z1JFTng5S2FwTUI1UUU9

dn: uid=janet,ou=people,dc=portoseguro,dc=BR
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: top
cn: Janet Jackson
gidNumber: 10000
givenName: janet
homeDirectory: /home/janet
loginShell: /bin/bash
mail:
sn: Jackson
uid: janet
uidNumber: 10000
userPassword:: e1NIQX0yU3dubDc4QXhwZGdjbXRGbmpiUmxCd3Ric2M9

dn: uid=linus,ou=people,dc=portoseguro,dc=BR
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: top
cn: Linus Torvald
gidNumber: 10002
givenName: Linus
homeDirectory: /home/linus
loginShell: /bin/bash
mail:
sn: Torvald
uid: linus
uidNumber: 10002
userPassword:: bGludXM=

dn: uid=kibanaserver,ou=people,dc=portoseguro,dc=BR
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: top
cn: kibanaserver
gidNumber: 10003
givenName: kibanaserver
homeDirectory: /home/kibanaserver
loginShell: /bin/bash
sn: kibanaserver
uid: kibanaserver
uidNumber: 10003
userPassword:: e1NTSEF9SWRzS1NlUnJTK0xJREx3ckFkUnJQei91M0phVGNwbmI=

dn: ou=grouprole,dc=portoseguro,dc=BR
objectClass: organizationalUnit
objectClass: top
ou: Groups
ou: grouprole

dn: cn=elastic.user,ou=grouprole,dc=portoseguro,dc=BR
objectClass: groupOfNames
objectClass: top
cn: elastic.user
description: "Grupo dos Usuarios do Elasticsearch"
member: uid=john,ou=people,dc=portoseguro,dc=BR
member: uid=janet,ou=people,dc=portoseguro,dc=BR

dn: cn=elastic.admin,ou=grouprole,dc=portoseguro,dc=BR
objectClass: groupOfNames
objectClass: top
cn: elastic.admin
description: "Grupo dos Administradores do Elasticsearch"
member: uid=linus,ou=people,dc=portoseguro,dc=BR

dn: cn=kibana_read_only,ou=grouprole,dc=portoseguro,dc=BR
objectClass: groupOfNames
objectClass: top
cn: kibana_read_only
description: "Grupo dos Usuarios Kibana"
member: uid=kibanaserver,ou=people,dc=portoseguro,dc=BR

The Open Distro config.yml:

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      internal_auth:
        order: 0
        description: "HTTP basic authentication using the internal user database"
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      ldap_auth:
        order: 1
        description: "Authenticate using LDAP"
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
            - openldap:389
            bind_dn: cn=readonly,dc=example,dc=org
            password: changethistoo
            userbase: ou=People,dc=example,dc=org
            usersearch: (cn={0})
            username_attribute: cn

    authz:
      ldap_roles:
        description: "Authorize using LDAP"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - openldap:389
            bind_dn: cn=admin,dc=portoseguro,dc=BR
            password: admin
            userbase: ou=people,dc=portoseguro,dc=BR
            usersearch: (uid={0})
            username_attribute: cn
            skip_users:
              - admin
              - kibanaserver
            rolebase: ou=grouprole,dc=portoseguro,dc=BR
            rolesearch: (member={0})
            userroleattribute: null
            userrolename: disabled
            rolename: cn
            resolve_nested_roles: false

Thank you,
Samuel Lima

I find it weird that you use a different user in your authz and authc. I’m guessing that authc is wrongly configured. I would also verify manually that your LDAP accounts actually have the correct password configured: https://stackoverflow.com/questions/16247552/easy-way-to-test-an-ldap-users-credentials

1 Like
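The mismatch Oscark spotted (authc binding as cn=readonly under dc=example,dc=org while authz binds as cn=admin under dc=portoseguro,dc=BR) is the kind of thing a small pre-flight check can catch before the cluster is restarted and securityadmin.sh is run. The script below is an added example, not code from this thread or from Open Distro: it reads a config.yml and reports when the authc and authz LDAP backends search different directory trees, or use different bind accounts, or when a backend's bind_dn and userbase live in different trees. The embedded SAMPLE_CONFIG is a constructed copy of the shape posted above (not the poster's real file), and parse_simple_yaml, lint_ldap_config and the finding texts are names invented for this example. It uses only the standard library, so the YAML reader handles just the key/value and "- item" subset that config.yml needs.

```python
# Added example (not from the thread): lint an Open Distro security config.yml
# for authc/authz LDAP backends that point at different directories.
# The tiny YAML reader handles only the 'key: value' / '- item' subset used
# in config.yml; it is not a general YAML parser.
import re

def parse_simple_yaml(text):
    """Parse indented 'key: value' mappings and '- item' lists into dicts/lists."""
    root = {}
    # each frame: [indent of the key that opened it, container, parent, key]
    stack = [[-1, root, None, None]]
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        is_item = line.startswith("- ")
        # a list item may sit at the same indent as its key (as in the posted
        # config); any other line at that indent closes the current frame
        while len(stack) > 1 and (indent < stack[-1][0]
                                  or (indent == stack[-1][0] and not is_item)):
            stack.pop()
        frame = stack[-1]
        container = frame[1]
        if is_item:
            if isinstance(container, dict) and not container and frame[2] is not None:
                container = []                  # first item: the key holds a list, not a map
                frame[2][frame[3]] = container
                frame[1] = container
            container.append(line[2:].strip().strip('"'))
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if value == "":
            child = {}
            container[key] = child
            stack.append([indent, child, container, key])
        else:
            container[key] = value
    return root

DC_RE = re.compile(r"dc=[^,]+", re.IGNORECASE)

def base_suffix(dn):
    """Return the dc=... suffix of a DN, lower-cased, e.g. 'dc=example,dc=org'."""
    return ",".join(m.lower() for m in DC_RE.findall(dn))

def ldap_backends(config):
    """Yield (domain name, backend config) for every ldap authc/authz backend."""
    dynamic = config["config"]["dynamic"]
    for section, key in (("authc", "authentication_backend"),
                         ("authz", "authorization_backend")):
        for name, domain in dynamic.get(section, {}).items():
            backend = domain.get(key, {})
            if backend.get("type") == "ldap":
                yield f"{section}.{name}", backend.get("config", {})

def lint_ldap_config(text):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    backends = list(ldap_backends(parse_simple_yaml(text)))
    for name, cfg in backends:
        # the bind account and the search base should live in the same tree
        if base_suffix(cfg.get("bind_dn", "")) != base_suffix(cfg.get("userbase", "")):
            findings.append(f"{name}: bind_dn and userbase are in different trees")
    suffixes = {base_suffix(cfg.get("userbase", "")) for _, cfg in backends}
    if len(suffixes) > 1:
        findings.append("authc and authz ldap backends search different trees: "
                        + ", ".join(sorted(suffixes)))
    binds = {cfg.get("bind_dn", "").lower() for _, cfg in backends}
    if len(binds) > 1:
        findings.append("authc and authz use different bind_dn values: "
                        + ", ".join(sorted(binds)))
    return findings

# Constructed sample mirroring the shape of the config posted in the thread.
SAMPLE_CONFIG = """\
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      ldap_auth:
        order: 1
        http_enabled: true
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: false
            hosts:
            - openldap:389
            bind_dn: cn=readonly,dc=example,dc=org
            password: changethistoo
            userbase: ou=People,dc=example,dc=org
            usersearch: (cn={0})
    authz:
      ldap_roles:
        http_enabled: true
        authorization_backend:
          type: ldap
          config:
            hosts:
            - openldap:389
            bind_dn: cn=admin,dc=portoseguro,dc=BR
            password: admin
            userbase: ou=people,dc=portoseguro,dc=BR
            usersearch: (uid={0})
            rolebase: ou=grouprole,dc=portoseguro,dc=BR
            rolesearch: (member={0})
"""

# The same sample with authc pointed at the same directory as authz.
FIXED_CONFIG = (SAMPLE_CONFIG
                .replace("cn=readonly,dc=example,dc=org", "cn=admin,dc=portoseguro,dc=BR")
                .replace("ou=People,dc=example,dc=org", "ou=people,dc=portoseguro,dc=BR"))

if __name__ == "__main__":
    for finding in lint_ldap_config(SAMPLE_CONFIG):
        print("WARN", finding)
    print("fixed config findings:", lint_ldap_config(FIXED_CONFIG))
```

Run against the sample, the linter reports two findings (different search trees, different bind accounts); against the corrected copy it reports none. The bind-account check is a warning rather than an error, since authc and authz may legitimately use separate service accounts, but when they differ it is worth confirming, as suggested above, that each account can actually bind with ldapsearch or ldapwhoami.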

Hi Oscark,

You are right!
I’ve made this mistake.
The configuration was right and after I corrected the user it worked.
Sometimes I forgot to run securityadmin.sh, and that’s why I made so many mistakes, which made me insecure even when I was so close to doing it right.

Thank you.

1 Like