LDAP authz warns with "In order to perform this operation a successful bind must be completed on the connection"

Even though authc and authz appear to be working, we are getting the following lengthy warnings in the logs a handful of times whenever loading the backend roles from LDAP:

    [2019-11-20T16:36:12,475][WARN ][o.l.r.SearchReferralHandler] [es1] Could not follow referral to ldaps://<valid ldap domain>/<valid subtree>
org.ldaptive.LdapException: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1^@]; remaining name '<valid subtree from ldap uri>'
        at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.provider.jndi.JndiConnection.processNamingException(JndiConnection.java:619) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.provider.jndi.JndiConnection$JndiSearchIterator.initialize(JndiConnection.java:741) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.provider.jndi.JndiConnection.search(JndiConnection.java:463) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.SearchOperation.executeSearch(SearchOperation.java:103) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.SearchOperation.invoke(SearchOperation.java:85) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.SearchOperation.invoke(SearchOperation.java:15) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.AbstractOperation.execute(AbstractOperation.java:126) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.referral.AbstractReferralHandler.followReferral(AbstractReferralHandler.java:160) [ldaptive-1.2.3.jar:?]
        at org.ldaptive.referral.AbstractReferralHandler.handle(AbstractReferralHandler.java:221) [ldaptive-1.2.3.jar:?]
        at org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler.handle(SearchReferralHandler.java:268) [ldaptive-1.2.3.jar:?]
        at org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler.handle(SearchReferralHandler.java:155) [ldaptive-1.2.3.jar:?]
        at org.ldaptive.AbstractOperation.executeHandlers(AbstractOperation.java:186) [ldaptive-1.2.3.jar:?]
        at org.ldaptive.SearchOperation.readResult(SearchOperation.java:152) [ldaptive-1.2.3.jar:?]
        at org.ldaptive.SearchOperation.executeSearch(SearchOperation.java:104) [ldaptive-1.2.3.jar:?]
        at org.ldaptive.SearchOperation.invoke(SearchOperation.java:85) [ldaptive-1.2.3.jar:?]
        at org.ldaptive.SearchOperation.invoke(SearchOperation.java:15) [ldaptive-1.2.3.jar:?]
        at org.ldaptive.AbstractOperation.execute(AbstractOperation.java:126) [ldaptive-1.2.3.jar:?]
        at com.amazon.dlic.auth.ldap.util.LdapHelper$1.run(LdapHelper.java:67) [opendistro_security_advanced_modules-1.2.1.0.jar:1.2.1.0]
        at com.amazon.dlic.auth.ldap.util.LdapHelper$1.run(LdapHelper.java:56) [opendistro_security_advanced_modules-1.2.1.0.jar:1.2.1.0]
        at java.security.AccessController.doPrivileged(Native Method) [?:?]
        at com.amazon.dlic.auth.ldap.util.LdapHelper.search(LdapHelper.java:56) [opendistro_security_advanced_modules-1.2.1.0.jar:1.2.1.0]
        at com.amazon.dlic.auth.ldap.backend.LDAPAuthenticationBackend.existsSearchingAllBases(LDAPAuthenticationBackend.java:275) [opendistro_security_advanced_modules-1.2.1.0.jar:1.2.1.0]
        at com.amazon.dlic.auth.ldap.backend.LDAPAuthenticationBackend.exists(LDAPAuthenticationBackend.java:228) [opendistro_security_advanced_modules-1.2.1.0.jar:1.2.1.0]
        at com.amazon.dlic.auth.ldap.backend.LDAPAuthorizationBackend.fillRoles(LDAPAuthorizationBackend.java:646) [opendistro_security_advanced_modules-1.2.1.0.jar:1.2.1.0]
        ...

Our security config’s authz section is as follows:

authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: ldap
      config:
        enable_ssl: true
        enable_start_tls: false # needs to be opposite of enable_ssl
        enable_ssl_client_auth: false
        enabled_ssl_protocols:
        - "TLSv1"
        - "TLSv1.1"
        - "TLSv1.2"            
        verify_hostnames: false
        hosts:
        - <dns host 1>
        - <dns host 2>
        - <dns host 3>
        bind_dn: "<a valid DN>"
        password: "<password>"
        rolebase: '<corporate tree>'
        rolesearch: "(&(member:1.2.840.113556.1.4.1941:={0})(name=<logs groups prefix>*))"
        userroleattribute: null
        userrolename: disabled
        rolename: SamAccountName
        resolve_nested_roles: false # nesting is handled in the rolesearch, as odfe is super slow in fetching each nested role
        userbase: '<corporate tree>'
        usersearch: '(UserPrincipalName={0})'
        username_attribute: SamAccountName
        custom_attr_maxval_len: 0
        skip_users:
        - admin
        - fluentd
        - kibanaserver
        - curator

We are running docker image amazon/opendistro-for-elasticsearch:1.2.1.

Also, we get these warnings whether authc is done via SAML or LDAP.

I’m seeing the same thing. Although it my case authorization is not working correctly because not all of the needed groups are being found for the users.

@rossbeehler Are you still seeing this error? If so, can you confirm which version of odfe you are using?