LDAP authz warns with "In order to perform this operation a successful bind must be completed on the connection"

Security
1

Even though authc and authz appear to be working, we are getting the following lengthy warnings in the logs a handful of times whenever loading the backend roles from LDAP:

    [2019-11-20T16:36:12,475][WARN ][o.l.r.SearchReferralHandler] [es1] Could not follow referral to ldaps://<valid ldap domain>/<valid subtree>
org.ldaptive.LdapException: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1^@]; remaining name '<valid subtree from ldap uri>'
        at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.provider.jndi.JndiConnection.processNamingException(JndiConnection.java:619) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.provider.jndi.JndiConnection$JndiSearchIterator.initialize(JndiConnection.java:741) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.provider.jndi.JndiConnection.search(JndiConnection.java:463) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.SearchOperation.executeSearch(SearchOperation.java:103) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.SearchOperation.invoke(SearchOperation.java:85) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.SearchOperation.invoke(SearchOperation.java:15) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.AbstractOperation.execute(AbstractOperation.java:126) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.referral.AbstractReferralHandler.followReferral(AbstractReferralHandler.java:160) [ldaptive-1.2.3.jar:?]
        at org.ldaptive.referral.AbstractReferralHandler.handle(AbstractReferralHandler.java:221) [ldaptive-1.2.3.jar:?]
        at org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler.handle(SearchReferralHandler.java:268) [ldaptive-1.2.3.jar:?]
        at org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler.handle(SearchReferralHandler.java:155) [ldaptive-1.2.3.jar:?]
        at org.ldaptive.AbstractOperation.executeHandlers(AbstractOperation.java:186) [ldaptive-1.2.3.jar:?]
        at org.ldaptive.SearchOperation.readResult(SearchOperation.java:152) [ldaptive-1.2.3.jar:?]
        at org.ldaptive.SearchOperation.executeSearch(SearchOperation.java:104) [ldaptive-1.2.3.jar:?]
        at org.ldaptive.SearchOperation.invoke(SearchOperation.java:85) [ldaptive-1.2.3.jar:?]
        at org.ldaptive.SearchOperation.invoke(SearchOperation.java:15) [ldaptive-1.2.3.jar:?]
        at org.ldaptive.AbstractOperation.execute(AbstractOperation.java:126) [ldaptive-1.2.3.jar:?]
        at com.amazon.dlic.auth.ldap.util.LdapHelper$1.run(LdapHelper.java:67) [opendistro_security_advanced_modules-1.2.1.0.jar:1.2.1.0]
        at com.amazon.dlic.auth.ldap.util.LdapHelper$1.run(LdapHelper.java:56) [opendistro_security_advanced_modules-1.2.1.0.jar:1.2.1.0]
        at java.security.AccessController.doPrivileged(Native Method) [?:?]
        at com.amazon.dlic.auth.ldap.util.LdapHelper.search(LdapHelper.java:56) [opendistro_security_advanced_modules-1.2.1.0.jar:1.2.1.0]
        at com.amazon.dlic.auth.ldap.backend.LDAPAuthenticationBackend.existsSearchingAllBases(LDAPAuthenticationBackend.java:275) [opendistro_security_advanced_modules-1.2.1.0.jar:1.2.1.0]
        at com.amazon.dlic.auth.ldap.backend.LDAPAuthenticationBackend.exists(LDAPAuthenticationBackend.java:228) [opendistro_security_advanced_modules-1.2.1.0.jar:1.2.1.0]
        at com.amazon.dlic.auth.ldap.backend.LDAPAuthorizationBackend.fillRoles(LDAPAuthorizationBackend.java:646) [opendistro_security_advanced_modules-1.2.1.0.jar:1.2.1.0]
        ...

Our security config’s authz section is as follows:

authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: ldap
      config:
        enable_ssl: true
        enable_start_tls: false # needs to be opposite of enable_ssl
        enable_ssl_client_auth: false
        enabled_ssl_protocols:
        - "TLSv1"
        - "TLSv1.1"
        - "TLSv1.2"            
        verify_hostnames: false
        hosts:
        - <dns host 1>
        - <dns host 2>
        - <dns host 3>
        bind_dn: "<a valid DN>"
        password: "<password>"
        rolebase: '<corporate tree>'
        rolesearch: "(&(member:1.2.840.113556.1.4.1941:={0})(name=<logs groups prefix>*))"
        userroleattribute: null
        userrolename: disabled
        rolename: SamAccountName
        resolve_nested_roles: false # nesting is handled in the rolesearch, as odfe is super slow in fetching each nested role
        userbase: '<corporate tree>'
        usersearch: '(UserPrincipalName={0})'
        username_attribute: SamAccountName
        custom_attr_maxval_len: 0
        skip_users:
        - admin
        - fluentd
        - kibanaserver
        - curator

We are running docker image amazon/opendistro-for-elasticsearch:1.2.1.

Also, we get these warnings whether authc is done via SAML or LDAP.

2

I’m seeing the same thing. Although it my case authorization is not working correctly because not all of the needed groups are being found for the users.

3

@rossbeehler Are you still seeing this error? If so, can you confirm which version of odfe you are using?