Even though authc and authz appear to be working, we are getting the following lengthy warnings in the logs a handful of times whenever loading the backend roles from LDAP:
[2019-11-20T16:36:12,475][WARN ][o.l.r.SearchReferralHandler] [es1] Could not follow referral to ldaps://<valid ldap domain>/<valid subtree>
org.ldaptive.LdapException: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1^@]; remaining name '<valid subtree from ldap uri>'
at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55) ~[ldaptive-1.2.3.jar:?]
at org.ldaptive.provider.jndi.JndiConnection.processNamingException(JndiConnection.java:619) ~[ldaptive-1.2.3.jar:?]
at org.ldaptive.provider.jndi.JndiConnection$JndiSearchIterator.initialize(JndiConnection.java:741) ~[ldaptive-1.2.3.jar:?]
at org.ldaptive.provider.jndi.JndiConnection.search(JndiConnection.java:463) ~[ldaptive-1.2.3.jar:?]
at org.ldaptive.SearchOperation.executeSearch(SearchOperation.java:103) ~[ldaptive-1.2.3.jar:?]
at org.ldaptive.SearchOperation.invoke(SearchOperation.java:85) ~[ldaptive-1.2.3.jar:?]
at org.ldaptive.SearchOperation.invoke(SearchOperation.java:15) ~[ldaptive-1.2.3.jar:?]
at org.ldaptive.AbstractOperation.execute(AbstractOperation.java:126) ~[ldaptive-1.2.3.jar:?]
at org.ldaptive.referral.AbstractReferralHandler.followReferral(AbstractReferralHandler.java:160) [ldaptive-1.2.3.jar:?]
at org.ldaptive.referral.AbstractReferralHandler.handle(AbstractReferralHandler.java:221) [ldaptive-1.2.3.jar:?]
at org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler.handle(SearchReferralHandler.java:268) [ldaptive-1.2.3.jar:?]
at org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler.handle(SearchReferralHandler.java:155) [ldaptive-1.2.3.jar:?]
at org.ldaptive.AbstractOperation.executeHandlers(AbstractOperation.java:186) [ldaptive-1.2.3.jar:?]
at org.ldaptive.SearchOperation.readResult(SearchOperation.java:152) [ldaptive-1.2.3.jar:?]
at org.ldaptive.SearchOperation.executeSearch(SearchOperation.java:104) [ldaptive-1.2.3.jar:?]
at org.ldaptive.SearchOperation.invoke(SearchOperation.java:85) [ldaptive-1.2.3.jar:?]
at org.ldaptive.SearchOperation.invoke(SearchOperation.java:15) [ldaptive-1.2.3.jar:?]
at org.ldaptive.AbstractOperation.execute(AbstractOperation.java:126) [ldaptive-1.2.3.jar:?]
at com.amazon.dlic.auth.ldap.util.LdapHelper$1.run(LdapHelper.java:67) [opendistro_security_advanced_modules-1.2.1.0.jar:1.2.1.0]
at com.amazon.dlic.auth.ldap.util.LdapHelper$1.run(LdapHelper.java:56) [opendistro_security_advanced_modules-1.2.1.0.jar:1.2.1.0]
at java.security.AccessController.doPrivileged(Native Method) [?:?]
at com.amazon.dlic.auth.ldap.util.LdapHelper.search(LdapHelper.java:56) [opendistro_security_advanced_modules-1.2.1.0.jar:1.2.1.0]
at com.amazon.dlic.auth.ldap.backend.LDAPAuthenticationBackend.existsSearchingAllBases(LDAPAuthenticationBackend.java:275) [opendistro_security_advanced_modules-1.2.1.0.jar:1.2.1.0]
at com.amazon.dlic.auth.ldap.backend.LDAPAuthenticationBackend.exists(LDAPAuthenticationBackend.java:228) [opendistro_security_advanced_modules-1.2.1.0.jar:1.2.1.0]
at com.amazon.dlic.auth.ldap.backend.LDAPAuthorizationBackend.fillRoles(LDAPAuthorizationBackend.java:646) [opendistro_security_advanced_modules-1.2.1.0.jar:1.2.1.0]
...
Our security config’s authz section is as follows:
authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: ldap
      config:
        enable_ssl: true
        enable_start_tls: false # needs to be opposite of enable_ssl
        enable_ssl_client_auth: false
        enabled_ssl_protocols:
          - "TLSv1"
          - "TLSv1.1"
          - "TLSv1.2"
        verify_hostnames: false
        hosts:
          - <dns host 1>
          - <dns host 2>
          - <dns host 3>
        bind_dn: "<a valid DN>"
        password: "<password>"
        rolebase: '<corporate tree>'
        rolesearch: "(&(member:1.2.840.113556.1.4.1941:={0})(name=<logs groups prefix>*))"
        userroleattribute: null
        userrolename: disabled
        rolename: SamAccountName
        resolve_nested_roles: false # nesting is handled in the rolesearch, as odfe is super slow in fetching each nested role
        userbase: '<corporate tree>'
        usersearch: '(UserPrincipalName={0})'
        username_attribute: SamAccountName
        custom_attr_maxval_len: 0
        skip_users:
          - admin
          - fluentd
          - kibanaserver
          - curator
We are running docker image amazon/opendistro-for-elasticsearch:1.2.1.
Also, we get these warnings whether authc is done via SAML or LDAP.
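As an added triage aid (not part of the post above, and not code from Open Distro or ldaptive), the script below parses warnings of the exact shape quoted in the post, groups them by the referral target the search was redirected to, decodes the Active Directory extended error code that follows "error code 1", and flags any referral that points at a plaintext ldap:// URL, since following such a referral with a bind would send the bind password without TLS. The sample log text, host names and DNs are constructed placeholders; the mapping of 0x4DC to the Win32 error name ERROR_NOT_AUTHENTICATED is my own annotation, not something the logs state.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample log lines in the same layout as the warning in the post.
# Hosts, DNs and timestamps are placeholders, not real infrastructure.
SAMPLE_LOG = "\n".join([
    "[2019-11-20T16:36:12,475][WARN ][o.l.r.SearchReferralHandler] [es1] "
    "Could not follow referral to ldaps://dc1.example.test/DC=sub,DC=example,DC=test",
    "org.ldaptive.LdapException: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: "
    "LdapErr: DSID-0C09075A, comment: In order to perform this operation a successful bind "
    "must be completed on the connection., data 0, v1db1\x00]; remaining name 'DC=sub,DC=example,DC=test'",
    "\tat org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55) ~[ldaptive-1.2.3.jar:?]",
    "[2019-11-20T16:36:12,480][WARN ][o.l.r.SearchReferralHandler] [es1] "
    "Could not follow referral to ldaps://dc1.example.test/DC=sub,DC=example,DC=test",
    "org.ldaptive.LdapException: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: "
    "LdapErr: DSID-0C09075A, comment: In order to perform this operation a successful bind "
    "must be completed on the connection., data 0, v1db1\x00]; remaining name 'DC=sub,DC=example,DC=test'",
    "[2019-11-20T16:36:13,001][WARN ][o.l.r.SearchReferralHandler] [es1] "
    "Could not follow referral to ldap://dc2.example.test/DC=other,DC=example,DC=test",
    "org.ldaptive.LdapException: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: "
    "LdapErr: DSID-0C09075A, comment: In order to perform this operation a successful bind "
    "must be completed on the connection., data 0, v1db1\x00]; remaining name 'DC=other,DC=example,DC=test'",
    "[2019-11-20T16:36:14,000][INFO ][o.e.n.Node] [es1] started",
])

# First line of each warning: timestamp, node name and the referral URL that could not be followed.
REFERRAL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[WARN \]\[o\.l\.r\.SearchReferralHandler\] "
    r"\[(?P<node>[^\]]+)\] Could not follow referral to (?P<url>\S+)\s*$"
)
# Exception line: LDAP result code, AD extended error (8 hex digits), DSID and comment.
LDAP_ERR_RE = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<ad_code>[0-9A-Fa-f]{8}): "
    r"LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), comment: (?P<comment>.*?), data (?P<data>\d+)"
)

# Annotation assumed by this example: 0x4DC is Win32 ERROR_NOT_AUTHENTICATED (1244),
# i.e. the referred-to server saw no bind on the new connection before the search.
AD_ERROR_HINTS = {
    "000004DC": "ERROR_NOT_AUTHENTICATED (0x4DC): no bind completed on the referred connection",
}


def parse_referral_warnings(log_text):
    """Return one dict per 'Could not follow referral' warning, with the LDAP error attached."""
    events = []
    pending = None
    for line in log_text.split("\n"):
        m = REFERRAL_RE.match(line)
        if m:
            url = m.group("url")
            parsed = urlparse(url)
            pending = {"ts": m.group("ts"), "node": m.group("node"), "url": url,
                       "scheme": parsed.scheme, "host": parsed.hostname,
                       "code": None, "ad_code": None, "comment": None, "hint": None}
            events.append(pending)
            continue
        if pending is not None:
            e = LDAP_ERR_RE.search(line)
            if e:  # attach the exception that follows the warning line
                pending["code"] = int(e.group("code"))
                pending["ad_code"] = e.group("ad_code").upper()
                pending["comment"] = e.group("comment")
                pending["hint"] = AD_ERROR_HINTS.get(pending["ad_code"])
                pending = None
    return events


def summarize_by_target(events):
    """Count warnings per (scheme, host) so the noisy referral targets stand out."""
    return Counter((ev["scheme"], ev["host"]) for ev in events)


def plaintext_referrals(events):
    """Referral URLs that would leave TLS: a bind there would expose the bind password."""
    return [ev["url"] for ev in events if ev["scheme"] == "ldap"]


def report(log_text):
    """Human-readable summary lines: counts per target, then any non-TLS referral targets."""
    events = parse_referral_warnings(log_text)
    lines = [f"{n:>4}  {scheme}://{host}"
             for (scheme, host), n in sorted(summarize_by_target(events).items())]
    lines += [f"WARNING: referral to non-TLS target {url}" for url in plaintext_referrals(events)]
    hints = {ev["hint"] for ev in events if ev["hint"]}
    lines += [f"hint: {h}" for h in sorted(hints)]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against a real cluster log instead of SAMPLE_LOG to see which domain controllers the referrals point at; a host that is not in the configured hosts list is the usual reason the referred connection is unbound, and a referral to a plain ldap:// URL is worth blocking rather than fixing.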