We were able to enable SAML SSO and also authorization using roles in the token for the web application. While trying to set up backend AD bind for clients' API calls, Elasticsearch logs the following error message, where it seems to bind successfully with a service account but then tries to look up a user “admin” in AD, for which the authentication fails with “Invalid Credentials”. Elasticsearch is the only application that is started, but all other apps including Kibana are down. Not sure where this user “admin” is being passed by the security plugin for AD authentication. Changed the users in internal_users.yml, but still the plugin is searching for this ID in AD. The search filter from the security plugin is as follows, where it is adding “admin” as a parameter:

execute request=[org.ldaptive.SearchRequest-763226490::baseDn=DC=CORPQA,DC=GEUC,DC=CORP,DC=GM,DC=COM, searchFilter=[org.ldaptive.SearchFilter-1879440157::filter=(sAMAccountName={0}), parameters={ 0=admin }]

Error message:

[2020-03-16T13:57:49,921][DEBUG][o.l.p.j.JndiConnectionFactory] [9200] Error connecting to LDAP URL: ldaps://ad-gc-mif-qa.xy.com:3269 org.ldaptive.provider.ConnectionException: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]

Thanks
Yogesh
Hello, I was able to get both SAML and LDAP bind working. Had to chain the auth domains and include internal_users.yml as well for the user “admin”. All other service accounts are authenticated against AD, while end users use SAML SSO. Authorization is also working well.
I still have a question: is the default user “admin” still needed in the internal user database and not used through LDAP? Can't the internal admin be disabled and only LDAP users be made admins? Although LDAP users can be made admins, this internal “admin” seems to still be needed. Please advise if there is a way to remove admin from the internal user database. Removing the internal auth domain is causing the above LDAP error, as it seems to be searching for user “admin” in LDAP.
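The chain described in the reply above, written out as an added illustration of the security plugin's config.yml (this is not the poster's file): the internal user database is tried first with `challenge: false` so that a login that is not an internal user falls through to the Active Directory domain, and a SAML domain serves Kibana users. Hostnames, DNs, the bind password, IdP details and the exchange key are placeholders.

```yaml
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false      # no 401 here; unmatched users fall through to LDAP
        authentication_backend:
          type: intern          # internal_users.yml (where "admin" lives)
      ldap_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: ldap
          config:
            enable_ssl: true
            hosts: ["ad-gc.example.com:3269"]                    # placeholder
            bind_dn: "CN=svc-odfe,OU=Svc,DC=example,DC=com"      # placeholder
            password: "<bind-password>"                          # placeholder
            userbase: "DC=example,DC=com"                        # placeholder
            usersearch: "(sAMAccountName={0})"
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 2
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_file: idp-metadata.xml                    # placeholder
              entity_id: "https://idp.example.com"               # placeholder
            sp:
              entity_id: "https://odfe-node1:9200"               # placeholder
            kibana_url: "https://kibana.example.com:5601"        # placeholder
            roles_key: Role
            exchange_key: "<random-exchange-key>"                # placeholder
        authentication_backend:
          type: noop
```

The order of the domains matters: with the internal domain first and `challenge: false`, a Basic login for an AD account fails quietly against internal_users.yml and is then checked against AD, while internal accounts such as `admin` or `kibanaserver` never trigger an LDAP search.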
@yogsbang Did you get this working?
You can disable the admin user by removing the admin user from internal_roles.yml file and re-uploading the config with securityadmin.sh script.
If it's not working, can you confirm which version of odfe you are using?