LDAP authentication fails (Unable to connect to ldapserver)

Hi, I am getting the below exception while OpenDistro is trying to authenticate against the LDAP server.

[2021-01-29T14:23:05,268][WARN ][c.a.d.a.l.b.LDAPAuthorizationBackend] [elastic] Unable to connect to ldapserver ldapserver.com:636 due to [org.ldaptive.provider.ConnectionException@1084532686::resultCode=PROTOCOL_ERROR, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.CommunicationException: ldapservercom:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target], providerException=javax.naming.CommunicationException: ldapserver.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]]. Try next.
[2021-01-29T14:23:05,270][WARN ][c.a.o.s.a.BackendRegistry] [elastic] Authentication finally failed for elastic from 192.168.0.1:52081

Below is the config .yml I have been using.

authc:
  ldap:
    description: "Authenticate via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: "basic"
      challenge: false
    authentication_backend:
      type: "ldap"
      config:
        enable_ssl: true
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: false
        hosts:
        - "ldapserver.com:636"
        bind_dn: "cn=xxx,ou=xxxx,o=xxxx"
        password: "xxxxxxx"
        userbase: "ou=xxxx,ou=xxxx,o=xxxx"
        enabled_ssl_protocols:
        - "TLSv1.2"
        pemtrustedcas_filepath: "cert/ssl/admin.pem"
        usersearch: "(sAMAccountName={0})"
        username_attribute: "uid"
authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: "ldap"
      config:
        enable_ssl: true
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: false
        hosts:
        - "ldapserver.com:636"
        bind_dn: "CN=xxxx,OU=xxx,O=xxx"
        password: "xxxxxxxxxxxxx"
        userbase: "OU=xxxx,OU=xxx,O=xxxx"
        usersearch: "(sAMAccountName={0})"
        username_attribute: "uid"
        enabled_ssl_protocols:
        - "TLSv1.2"
        pemtrustedcas_filepath: "cert/ssl/admin.pem"
        rolebase: 'OU=xxxx,OU=xxxx,O=xxx'
        rolesearch: '(member={0})'
        userroleattribute: null
        userrolename: none
        rolename: cn
        resolve_nested_roles: false

That looks like an SSL cert error. Can you check your cert?

@tony , thanks for your response.

Is there any way that I can disable certificate verification with SSL set to true?

@vikasgurlinka There are a couple of things to check here. You can check if the pem file listed under pemtrustedcas_filepath is the CA used to sign the cert on the LDAP side, as it needs to be.
Also try to place the pem file directly in the config directory of elasticsearch; some versions can be finicky like that.
In order to switch off verification you can set "trust_all: true" under config in both sections (authc & authz).
If the above fails, try to use openssl to verify the certificate received from LDAP using the available CA with the below command:
"openssl verify -verbose -CAfile ca.pem cert.pem"

@Anthony Thanks for your response.

The SSL cert error got resolved after changing the certificate. But now I have the issue "Authentication finally failed" for the user. I checked the connectivity and credentials, and there are no firewall issues; I didn't get exactly why authentication fails.

[2021-02-02T16:15:04,153][WARN ][c.a.o.s.a.BackendRegistry] [elastic-datanode-4] Authentication finally failed for elastic from 192.168.3.165:59506

@vikasgurlinka Can you try to run ldapsearch:
ldapsearch -H ldap://: -D -W -b "cn=…,dc=…,dc=…" "(sAMAccountName=)"
If that works and the information retrieved is as expected, can you try curl:
curl --insecure -u : -XGET https://<elasticsearch_ip>:/

@Anthony ldapsearch is working as expected, and when I use curl it's giving me an unauthorized exception.

@vikasgurlinka You can increase the logging on that node to 'debug' (or even 'trace') by updating the log4j2.properties on your elastic-datanode-4; expect a lot of output, however.
(rootLogger.level = debug)
Feel free to share the results here; something might jump out.

2 Likes

@Anthony Thanks for your response. It was the issue with my user search base. LDAP authentication worked after changing it from (sAMAccountName={0}) to (uid={0}).

1 Like
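The resolution above, as an added example that is not part of the original thread or of OpenDistro's own code: a small Python model of the user lookup that OpenDistro performs with the usersearch filter before binding. The in-memory directory, its entries and the helper functions are constructed for illustration; the only things taken from the thread are the two filter templates and the `{0}` placeholder, and the value escaping follows RFC 4515. It shows that `(sAMAccountName={0})` finds nothing in a directory whose users are keyed by `uid` (which is also what the poster's `username_attribute: "uid"` suggests), while `(uid={0})` resolves the entry, and that escaping the login name stops a crafted username from changing the filter.

```python
"""Added example (not from the forum thread or the OpenDistro project).

Models the usersearch step: substitute the login name into the "{0}" slot,
evaluate the resulting equality filter against a directory, and expect
exactly one matching DN. The directory below is constructed for illustration.
"""
import re

# Constructed sample directory: entries keyed by "uid", as on the poster's
# server; none of them carries an sAMAccountName attribute.
SAMPLE_DIRECTORY = [
    {"dn": "uid=elastic,ou=people,o=example", "uid": ["elastic"], "cn": ["Elastic Service"]},
    {"dn": "uid=alice,ou=people,o=example", "uid": ["alice"], "cn": ["Alice"]},
]

# Simple "(attr=value)" equality filter, the only form this model evaluates.
_EQ_FILTER = re.compile(r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<val>[^)]*)\)$")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3)."""
    out = []
    for ch in value:
        if ch in "*()\\" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def unescape_filter_value(value: str) -> str:
    """Reverse the \\xx escaping when comparing filter values to entry attributes."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def render_usersearch(template: str, username: str) -> str:
    """Fill the usersearch template's {0} slot with the escaped login name."""
    return template.replace("{0}", escape_filter_value(username))


def search(directory, ldap_filter: str) -> list:
    """Return the DNs whose attribute matches a "(attr=value)" filter.

    Attribute names compare case-insensitively, as LDAP attribute types do.
    """
    m = _EQ_FILTER.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: %s" % ldap_filter)
    attr = m.group("attr").lower()
    wanted = unescape_filter_value(m.group("val"))
    hits = []
    for entry in directory:
        for key, values in entry.items():
            if key != "dn" and key.lower() == attr and wanted in values:
                hits.append(entry["dn"])
    return hits


def find_user_dn(directory, usersearch: str, username: str):
    """Resolve the login name to one DN, or None when zero or several entries match."""
    hits = search(directory, render_usersearch(usersearch, username))
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    # The original template finds nothing; the thread's fix resolves the user.
    for template in ("(sAMAccountName={0})", "(uid={0})"):
        print(template, "->", find_user_dn(SAMPLE_DIRECTORY, template, "elastic"))
    # A login name containing filter metacharacters stays a literal value.
    print(render_usersearch("(uid={0})", "*)(uid=*"))
```

The same zero-result outcome is what OpenDistro reports as "Authentication finally failed": the bind credentials and the TLS setup can be correct while the filter simply selects no entry, which is why ldapsearch with the right attribute succeeded for the poster before the filter was corrected.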