After upgrading to 2.1.1, on 2 of my 3 cluster servers I have an LDAP authentication failure.
I get an "Invalid credentials, please verify them and retry" on the login screen.
The only server where I can log in with AD credentials is the one where the LDAP settings were made.
It works with all my settings in <2.1. The error occurs since updating to 2.1 and I did not change anything in my config.
Here is the error log:
I have a new password_secret, still buggy.
```
2016-09-15T15:19:07.096+02:00 ERROR [AESTools] Could not decrypt value.
javax.crypto.BadPaddingException: Given final block not properly padded
	at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:975) ~[sunjce_provider.jar:1.8.0_101]
	at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:833) ~[sunjce_provider.jar:1.8.0_101]
	at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446) ~[sunjce_provider.jar:1.8.0_101]
	at javax.crypto.Cipher.doFinal(Cipher.java:2165) ~[?:1.8.0_71]
	at org.graylog2.security.AESTools.decrypt(AESTools.java:50) [graylog.jar:?]
	at org.graylog2.security.ldap.LdapSettingsImpl.getSystemPassword(LdapSettingsImpl.java:137) [graylog.jar:?]
	at org.graylog2.security.ldap.LdapSettingsServiceImpl.load(LdapSettingsServiceImpl.java:57) [graylog.jar:?]
	at org.graylog2.security.realm.LdapUserAuthenticator.doGetAuthenticationInfo(LdapUserAuthenticator.java:91) [graylog.jar:?]
	at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568) [graylog.jar:?]
	at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doMultiRealmAuthentication(ModularRealmAuthenticator.java:219) [graylog.jar:?]
	at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:269) [graylog.jar:?]
	at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198) [graylog.jar:?]
	at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106) [graylog.jar:?]
	at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270) [graylog.jar:?]
	at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256) [graylog.jar:?]
	at org.graylog2.rest.resources.system.SessionsResource.newSession(SessionsResource.java:134) [graylog.jar:?]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_101]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_101]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_101]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_101]
	at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81) [graylog.jar:?]
	at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:144) [graylog.jar:?]
	at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:161) [graylog.jar:?]
	at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:205) [graylog.jar:?]
	at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:99) [graylog.jar:?]
	at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389) [graylog.jar:?]
	at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347) [graylog.jar:?]
	at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102) [graylog.jar:?]
	at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:326) [graylog.jar:?]
	at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [graylog.jar:?]
	at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [graylog.jar:?]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:315) [graylog.jar:?]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:297) [graylog.jar:?]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:267) [graylog.jar:?]
	at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) [graylog.jar:?]
	at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) [graylog.jar:?]
	at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) [graylog.jar:?]
	at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:384) [graylog.jar:?]
	at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224) [graylog.jar:?]
	at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [graylog.jar:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_101]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_101]
	at java.lang.Thread.run(Thread.java:745) [?:1.8.0_101]
2016-09-15T15:19:07.100+02:00 INFO [SessionsResource] Invalid username or password for user "xxx"
```
If I change the LDAP settings on one of my other cluster servers I get this error in the log:
2016-09-15T15:31:18.911+02:00 ERROR [LdapSettingsServiceImpl] Graylog does not yet support multiple LDAP backends, but 2 configurations were found. This is a bug, ignoring LDAP config.
@neophilipp It looks like your password_secret changed during upgrade. The LDAP settings are encrypted using this and they can't be decrypted on your system.
If you can't restore your old password_secret, delete the contents of the ldap_settings collection in MongoDB, and create the LDAP settings again in the Graylog web interface.
That means? I changed nothing.
Should I generate a new one? The same on each server?
@neophilipp I've updated my previous reply.
@neophilipp We are using GitHub issues for tracking bugs in Graylog itself, but this doesn't look like one. Please post this issue to our public mailing list or join the #graylog channel on freenode IRC.
Thank you!
Seems to me that with update v2.2.1 the same problem occurs. It took me 3 hours to find out and 3 seconds to repair.
```
mongo
use graylog
db.ldap_settings.remove({})
```
@giorsgeks Simply don't change the password_secret configuration setting between updates.
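Added illustration (not Graylog's code, and not posted by anyone in this thread): the maintainer's explanation above, that the LDAP bind password in `ldap_settings` is AES-encrypted under `password_secret` and stops decrypting once that value changes, and the advice not to change `password_secret` between updates. The scheme below is a generic AES-128-CBC with PKCS#7 padding and a SHA-256-derived key, chosen only to reproduce the symptom; it is an assumption, and Graylog's real `AESTools` key derivation and IV handling are not reproduced. `MismatchedNodes` is a hypothetical helper that compares `password_secret` across copies of `server.conf` so a cluster can be checked before, rather than after, the login screen says "Invalid credentials". The sample configs and secrets are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"regexp"
)

// ErrBadPadding is the analogue of javax.crypto.BadPaddingException: the last
// decrypted block does not end in valid PKCS#7 padding, which is what a wrong
// key usually (not always, see below) produces.
var ErrBadPadding = errors.New("bad padding: wrong key or corrupted ciphertext")

// keyFromSecret derives an AES-128 key from password_secret.
// Assumption: illustrative only, not Graylog's real derivation.
func keyFromSecret(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:16]
}

func pkcs7Pad(b []byte, block int) []byte {
	n := block - len(b)%block
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, block int) ([]byte, error) {
	if len(b) == 0 || len(b)%block != 0 {
		return nil, ErrBadPadding
	}
	n := int(b[len(b)-1])
	if n == 0 || n > block {
		return nil, ErrBadPadding
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, ErrBadPadding
		}
	}
	return b[:len(b)-n], nil
}

// Encrypt returns iv || AES-CBC(key(secret), pkcs7(plaintext)) with a random IV.
func Encrypt(secret, plaintext string) ([]byte, error) {
	block, err := aes.NewCipher(keyFromSecret(secret))
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad([]byte(plaintext), aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// Decrypt reverses Encrypt; a different secret fails here, not at LDAP bind time.
func Decrypt(secret string, data []byte) (string, error) {
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return "", ErrBadPadding
	}
	block, err := aes.NewCipher(keyFromSecret(secret))
	if err != nil {
		return "", err
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	unpadded, err := pkcs7Unpad(pt, aes.BlockSize)
	if err != nil {
		return "", err
	}
	return string(unpadded), nil
}

var secretRe = regexp.MustCompile(`(?m)^[ \t]*password_secret[ \t]*=[ \t]*(\S+)`)

// PasswordSecret extracts the uncommented password_secret line from a server.conf body.
func PasswordSecret(conf string) string {
	if m := secretRe.FindStringSubmatch(conf); m != nil {
		return m[1]
	}
	return ""
}

// NodeConf pairs a node name with the text of its server.conf (hypothetical helper).
type NodeConf struct{ Node, Conf string }

// MismatchedNodes lists nodes whose password_secret is missing or differs from the first node's.
func MismatchedNodes(nodes []NodeConf) []string {
	var bad []string
	if len(nodes) == 0 {
		return bad
	}
	ref := PasswordSecret(nodes[0].Conf)
	for _, n := range nodes[1:] {
		if s := PasswordSecret(n.Conf); s == "" || s != ref {
			bad = append(bad, n.Node)
		}
	}
	return bad
}

func main() {
	ct, _ := Encrypt("old-secret", "ldap-bind-password") // constructed sample
	ok, err := Decrypt("old-secret", ct)
	fmt.Printf("same secret:    %q err=%v\n", ok, err)
	bad, err := Decrypt("new-secret", ct)
	fmt.Printf("changed secret: %q err=%v\n", bad, err)
	nodes := []NodeConf{ // constructed sample configs, node3 drifted
		{"node1", "is_master = true\npassword_secret = AAAAAAAA\n"},
		{"node2", "password_secret = AAAAAAAA\n"},
		{"node3", "password_secret = BBBBBBBB\n"},
	}
	fmt.Println("nodes with a different password_secret:", MismatchedNodes(nodes))
}
```

Caveat worth knowing when reading the log: with plain CBC and PKCS#7 (as in this illustration), a wrong key does not always raise the padding error, because a random last block ends in valid padding with probability of roughly 1 in 256. In that case decryption "succeeds" with a garbage bind password, the `AESTools` error is absent, and the only symptom is the LDAP bind itself failing. So the absence of `BadPaddingException` on a node does not by itself prove its `password_secret` is correct; compare the configured values directly.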