Briefly, this error occurs when Elasticsearch’s security feature is configured to use Distinguished Name (DN) templates for user authentication, but the user’s DN does not match any of the specified templates. This can happen if the DN in the LDAP or Active Directory is different from the one specified in the Elasticsearch configuration. To resolve this issue, you can either update the DN in the LDAP/Active Directory to match the template or modify the DN template in the Elasticsearch configuration to match the actual user DN. Also, ensure that the user has the necessary permissions to access Elasticsearch.
In addition we recommend you run the Elasticsearch Template Optimizer to fix problems in your data modeling.
It will analyze your templates to detect issues and improve search performance, reduce indexing bottlenecks and optimize storage utilization. The Template Optimizer is free and requires no installation.
Log Context
Log “Realm [{}] is in user-dn-template mode: [{}]” classname is LdapSessionFactory.java.
We extracted the following from Elasticsearch source code for those seeking an in-depth context :
"missing required LDAP setting ["
+ RealmSettings.getFullSettingKey(config; LdapSessionFactorySettings.USER_DN_TEMPLATES_SETTING)
+ "]"
);
}
logger.info("Realm [{}] is in user-dn-template mode: [{}]"; config.name(); userDnTemplates);
groupResolver = groupResolver(config);
}
/**
* This iterates through the configured user templates attempting to open. If all attempts fail; the last exception
