Issue with LDAP login

I am seeing the errors below when I try to log in. Is there any way to ignore referrals?

Could not follow referral to ldap://ForestDnsZones.EXAMPLE.com/DC=ForestDnsZones,DC=CORP,DC=EXAMPLE,DC=com
org.ldaptive.provider.ConnectionException: javax.naming.CommunicationException: ForestDnsZones.EXAMPLE.com:389 [Root exception is java.net.ConnectException: Connection refused]
	at org.ldaptive.provider.jndi.JndiConnectionFactory.createInternal(JndiConnectionFactory.java:90) ~[ldaptive-1.2.3.jar:?]
	at org.ldaptive.provider.jndi.JndiConnectionFactory.createInternal(JndiConnectionFactory.java:21) ~[ldaptive-1.2.3.jar:?]
	at org.ldaptive.provider.AbstractProviderConnectionFactory.create(AbstractProviderConnectionFactory.java:84) ~[ldaptive-1.2.3.jar:?]
	at org.ldaptive.DefaultConnectionFactory$DefaultConnection.open(DefaultConnectionFactory.java:267) ~[ldaptive-1.2.3.jar:?]
	at org.ldaptive.referral.AbstractReferralHandler.followReferral(AbstractReferralHandler.java:156) [ldaptive-1.2.3.jar:?]
	at org.ldaptive.referral.AbstractReferralHandler.handle(AbstractReferralHandler.java:221) [ldaptive-1.2.3.jar:?]
	at org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler.handle(SearchReferralHandler.java:268) [ldaptive-1.2.3.jar:?]
	at org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler.handle(SearchReferralHandler.java:155) [ldaptive-1.2.3.jar:?]
	at org.ldaptive.AbstractOperation.executeHandlers(AbstractOperation.java:186) [ldaptive-1.2.3.jar:?]
	at org.ldaptive.SearchOperation.readResult(SearchOperation.java:152) [ldaptive-1.2.3.jar:?]
	at org.ldaptive.SearchOperation.executeSearch(SearchOperation.java:104) [ldaptive-1.2.3.jar:?]
	at org.ldaptive.SearchOperation.invoke(SearchOperation.java:85) [ldaptive-1.2.3.jar:?]
	at org.ldaptive.SearchOperation.invoke(SearchOperation.java:15) [ldaptive-1.2.3.jar:?]
	at org.ldaptive.AbstractOperation.execute(AbstractOperation.java:126) [ldaptive-1.2.3.jar:?]
	at com.amazon.dlic.auth.ldap.util.LdapHelper$1.run(LdapHelper.java:67) [opensearch-security-1.2.3.0.jar:1.2.3.0]
	at com.amazon.dlic.auth.ldap.util.LdapHelper$1.run(LdapHelper.java:56) [opensearch-security-1.2.3.0.jar:1.2.3.0]
	at java.security.AccessController.doPrivileged(AccessController.java:554) [?:?]
	at com.amazon.dlic.auth.ldap.util.LdapHelper.search(LdapHelper.java:56) [opensearch-security-1.2.3.0.jar:1.2.3.0]
	at com.amazon.dlic.auth.ldap.backend.LDAPAuthenticationBackend.existsSearchingAllBases(LDAPAuthenticationBackend.java:258) [opensearch-security-1.2.3.0.jar:1.2.3.0]
	at com.amazon.dlic.auth.ldap.backend.LDAPAuthenticationBackend.exists(LDAPAuthenticationBackend.java:209) [opensearch-security-1.2.3.0.jar:1.2.3.0]
	at com.amazon.dlic.auth.ldap.backend.LDAPAuthenticationBackend.authenticate(LDAPAuthenticationBackend.java:89) [opensearch-security-1.2.3.0.jar:1.2.3.0]
	at org.opensearch.security.auth.BackendRegistry$9.call(BackendRegistry.java:674) [opensearch-security-1.2.3.0.jar:1.2.3.0]
	at org.opensearch.security.auth.BackendRegistry$9.call(BackendRegistry.java:668) [opensearch-security-1.2.3.0.jar:1.2.3.0]
	at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4875) [guava-25.1-jre.jar:?]
	at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3527) [guava-25.1-jre.jar:?]
	at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2276) [guava-25.1-jre.jar:?]
	at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2154) [guava-25.1-jre.jar:?]
	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2044) [guava-25.1-jre.jar:?]
	at com.google.common.cache.LocalCache.get(LocalCache.java:3951) [guava-25.1-jre.jar:?]
	at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4870) [guava-25.1-jre.jar:?]
	at org.opensearch.security.auth.BackendRegistry.authcz(BackendRegistry.java:668) [opensearch-security-1.2.3.0.jar:1.2.3.0]
	at org.opensearch.security.auth.BackendRegistry.authenticate(BackendRegistry.java:471) [opensearch-security-1.2.3.0.jar:1.2.3.0]
	at org.opensearch.security.filter.SecurityRestFilter.checkAndAuthenticateRequest(SecurityRestFilter.java:188) [opensearch-security-1.2.3.0.jar:1.2.3.0]
	at org.opensearch.security.filter.SecurityRestFilter.access$000(SecurityRestFilter.java:72) [opensearch-security-1.2.3.0.jar:1.2.3.0]
	at org.opensearch.security.filter.SecurityRestFilter$1.handleRequest(SecurityRestFilter.java:123) [opensearch-security-1.2.3.0.jar:1.2.3.0]
	at org.opensearch.rest.RestController.dispatchRequest(RestController.java:306) [opensearch-1.2.3.jar:1.2.3]
	at org.opensearch.rest.RestController.tryAllHandlers(RestController.java:392) [opensearch-1.2.3.jar:1.2.3]
	at org.opensearch.rest.RestController.dispatchRequest(RestController.java:235) [opensearch-1.2.3.jar:1.2.3]
	at org.opensearch.http.AbstractHttpServerTransport.dispatchRequest(AbstractHttpServerTransport.java:361) [opensearch-1.2.3.jar:1.2.3]
	at org.opensearch.http.AbstractHttpServerTransport.handleIncomingRequest(AbstractHttpServerTransport.java:440) [opensearch-1.2.3.jar:1.2.3]
	at org.opensearch.http.AbstractHttpServerTransport.incomingRequest(AbstractHttpServerTransport.java:351) [opensearch-1.2.3.jar:1.2.3]
	at org.opensearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:55) [transport-netty4-client-1.2.3.jar:1.2.3]
	at org.opensearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:41) [transport-netty4-client-1.2.3.jar:1.2.3]
	at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:99) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at org.opensearch.http.netty4.Netty4HttpPipeliningHandler.channelRead(Netty4HttpPipeliningHandler.java:71) [transport-netty4-client-1.2.3.jar:1.2.3]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103) [netty-codec-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103) [netty-codec-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:111) [netty-codec-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103) [netty-codec-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103) [netty-codec-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:324) [netty-codec-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:296) [netty-codec-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286) [netty-handler-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103) [netty-codec-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:719) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:620) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:583) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986) [netty-common-4.1.69.Final.jar:4.1.69.Final]
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.69.Final.jar:4.1.69.Final]
	at java.lang.Thread.run(Thread.java:832) [?:?]
Caused by: javax.naming.CommunicationException: ForestDnsZones.EXAMPLE.com:389
	at com.sun.jndi.ldap.Connection.<init>(Connection.java:244) ~[?:?]
	at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137) ~[?:?]
	at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1616) ~[?:?]
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2847) ~[?:?]
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348) ~[?:?]
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:225) ~[?:?]
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189) ~[?:?]
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:243) ~[?:?]
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) ~[?:?]
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) ~[?:?]
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:719) ~[?:?]
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305) ~[?:?]
	at javax.naming.InitialContext.init(InitialContext.java:236) ~[?:?]
	at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) ~[?:?]
	at org.ldaptive.provider.jndi.JndiConnectionFactory.createInternal(JndiConnectionFactory.java:87) ~[ldaptive-1.2.3.jar:?]

@subba Could you share your config.yml? What IdP do you use for the LDAP?

@subba Have you found a solution to this issue?

Sorry for the late reply @pablo. The issue is not resolved. Below is the configuration.

config.yml

---
# Security plugin configuration as posted in the thread (host names and DNs appear to be redacted).
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      internal_auth:
        order: 0
        description: "HTTP basic authentication using the internal user database"
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      ldap_auth:
        order: 1
        description: "Authenticate using LDAP"
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            # Neither LDAPS nor StartTLS is enabled: the bind password below and the
            # credentials of every authenticating user cross the network in clear text.
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            # Has no effect until one of the TLS options above is turned on.
            verify_hostnames: true
            # Port 389 with a domain-root userbase produced the ForestDnsZones referrals in
            # the trace above; the poster later reports that switching to 3268 (the AD
            # global catalog port) avoided them.
            hosts:
            - ldap1.corp.EXAMPLE.com:389
            - ldap2.corp.EXAMPLE.com:389
            bind_dn: CN=Test,OU=Service Accounts,OU=Corporate,DC=CORP,DC=EXAMPLE,DC=com
            # Bind secret stored in plain text in config.yml — restrict read access to this file.
            password: dfdfdd
            # Search base is the whole domain; see the reply below about how broad this scope is.
            userbase: DC=CORP,DC=EXAMPLE,DC=com
            usersearch: (sAMAccountName={0})
            username_attribute: sAMAccountName

    authz:
      ldap_roles:
        description: "Authorize using LDAP"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            # Same connection settings as the authc backend above (clear-text LDAP on 389,
            # same service account and password).
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - ldap1.corp.EXAMPLE.com:389
            - ldap2.corp.EXAMPLE.com:389
            bind_dn: CN=Test,OU=Service Accounts,OU=Corporate,DC=CORP,DC=EXAMPLE,DC=com
            password: dfdfdd
            userbase: DC=CORP,DC=EXAMPLE,DC=com
            usersearch: (sAMAccountName={0})
            username_attribute: sAMAccountName
            # Users for which the LDAP role lookup is skipped.
            skip_users:
              - admin
              - kibanaserver
            rolebase: 'dc=corp,dc=EXAMPLE,dc=com'
            rolesearch: (member={0})
            userroleattribute: roles
            userrolename: "memberOf"
            rolename: cn
            # NOTE(review): nested-group resolution issues additional searches against the
            # directory for each group found; worth confirming the query volume is acceptable.
            resolve_nested_roles: true
            rolesearch_enabled: true

@subba Is this CN=Test,OU=Service Accounts,OU=Corporate,DC=CORP,DC=EXAMPLE,DC=com user privileged to search DC=CORP,DC=EXAMPLE,DC=com?
This is a very wide search scope for users and groups.

Did you test the bind_dn user with ldapsearch tool?

Also, try the command below.

curl --insecure -u <ldap_user> -XGET https://<opensearch_node_IP_or_FQDN>:9200/_plugins/_security/authinfo?pretty

@pablo It looks like the issue is resolved after I used port 3268 instead of 389 for the LDAP server. Now I don’t see the LDAP query against the ForestDnsZones servers, and authentication is working.

Still trying to figure out the authorization part :slight_smile:

@subba Do you have any issues with authorisation?