Prevent boot if bind DN is set without password (#118366)

LDAP/AD authentication realms can be configured to authenticate through
LDAP via a bind user. For this it's necessary to set a bind DN (via
`bind_dn`) together with a bind password (via `bind_password` or
`secure_bind_password`). Setting a bind DN without a bind password will
cause all LDAP/AD realm authentication to fail, leaving the node
non-operational. This PR adds a bootstrap check to prevent a
misconfigured node from starting. This behavior was deprecated in
#85326.

Closes: ES-9749

Author: n1v0lg

docs/changelog/118366.yaml

@@ -0,0 +1,22 @@
+pr: 118366
+summary: |-
+  Configuring a bind DN in an LDAP or Active Directory (AD) realm without a corresponding bind password
+  will prevent node from starting
+area: Authentication
+type: breaking
+issues: []
+breaking:
+  title: -|
+    Configuring a bind DN in an LDAP or Active Directory (AD) realm without
+    a corresponding bind password will prevent node from starting
+  area: Cluster and node setting
+  details: -|
+    For LDAP or AD authentication realms, setting a bind DN (via the
+    `xpack.security.authc.realms.ldap.*.bind_dn` or `xpack.security.authc.realms.active_directory.*.bind_dn`
+    realm settings) without a bind password is a misconfiguration that may prevent successful authentication
+    to the node. Nodes will fail to start if a bind DN is specified without a password.
+  impact: -|
+    If you have a bind DN configured for an LDAP or AD authentication
+    realm, set a bind password for {ref}/ldap-realm.html#ldap-realm-configuration[LDAP]
+    or {ref}/active-directory-realm.html#ad-realm-configuration[Active Directory].
+    Configuring a bind DN without a password prevents the misconfigured node from starting.

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ldap/PoolingSessionFactory.java

@@ -16,7 +16,6 @@
 
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.action.ActionListener;
-import org.elasticsearch.common.logging.DeprecationCategory;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
@@ -74,7 +73,7 @@ abstract class PoolingSessionFactory extends SessionFactory implements Releasabl
         super(config, sslService, threadPool);
         this.groupResolver = groupResolver;
         this.bindDn = bindDn;
-        this.bindRequest = new AtomicReference<>(buildBindRequest(config.settings(), false));
+        this.bindRequest = new AtomicReference<>(buildBindRequest(config.settings()));
         this.useConnectionPool = config.getSetting(poolingEnabled);
         if (useConnectionPool) {
             this.connectionPool = createConnectionPool(config, serverSet, timeout, logger, bindRequest.get(), healthCheckDNSupplier);
@@ -93,11 +92,9 @@ abstract class PoolingSessionFactory extends SessionFactory implements Releasabl
      * will perform a setting consistency validation and throw {@link SettingsException} in case of violation.
      * Due to legacy reasons and BWC, when {@code reloadRequest} is se to {@code false}, this method will only log a warning message.
      *
-     * @param reloadRequest {@code true} if this method is called during reloading of secure settings,
-     *                      {@code false} if it is called during bootstrapping.
      * @return A new {@link SimpleBindRequest} that contains configured bind DN and password.
      */
-    private SimpleBindRequest buildBindRequest(Settings settings, boolean reloadRequest) {
+    private SimpleBindRequest buildBindRequest(Settings settings) {
         final byte[] bindPassword;
         final Setting<SecureString> legacyPasswordSetting = config.getConcreteSetting(LEGACY_BIND_PASSWORD);
         final Setting<SecureString> securePasswordSetting = config.getConcreteSetting(SECURE_BIND_PASSWORD);
@@ -119,27 +116,13 @@ private SimpleBindRequest buildBindRequest(Settings settings, boolean reloadRequ
             return new SimpleBindRequest();
         } else {
             if (bindPassword == null) {
-                if (reloadRequest) {
-                    throw new SettingsException(
-                        "[{}] is set but no bind password is specified. Without a corresponding bind password, "
-                            + "all {} realm authentication will fail. Specify a bind password via [{}].",
-                        RealmSettings.getFullSettingKey(config, PoolingSessionFactorySettings.BIND_DN),
-                        config.type(),
-                        RealmSettings.getFullSettingKey(config, SECURE_BIND_PASSWORD)
-                    );
-                } else {
-                    deprecationLogger.critical(
-                        DeprecationCategory.SECURITY,
-                        "bind_dn_set_without_password",
-                        "[{}] is set but no bind password is specified. Without a corresponding bind password, "
-                            + "all {} realm authentication will fail. Specify a bind password via [{}] or [{}]. "
-                            + "In the next major release, nodes with incomplete bind credentials will fail to start.",
-                        RealmSettings.getFullSettingKey(config, PoolingSessionFactorySettings.BIND_DN),
-                        config.type(),
-                        RealmSettings.getFullSettingKey(config, SECURE_BIND_PASSWORD),
-                        RealmSettings.getFullSettingKey(config, LEGACY_BIND_PASSWORD)
-                    );
-                }
+                throw new SettingsException(
+                    "[{}] is set but no bind password is specified. Without a corresponding bind password, "
+                        + "all {} realm authentication will fail. Specify a bind password via [{}].",
+                    RealmSettings.getFullSettingKey(config, PoolingSessionFactorySettings.BIND_DN),
+                    config.type(),
+                    RealmSettings.getFullSettingKey(config, SECURE_BIND_PASSWORD)
+                );
             }
             return new SimpleBindRequest(this.bindDn, bindPassword);
         }
@@ -148,7 +131,7 @@ private SimpleBindRequest buildBindRequest(Settings settings, boolean reloadRequ
     @Override
     public void reload(Settings settings) {
         final SimpleBindRequest oldRequest = bindRequest.get();
-        final SimpleBindRequest newRequest = buildBindRequest(settings, true);
+        final SimpleBindRequest newRequest = buildBindRequest(settings);
         if (bindRequestEquals(newRequest, oldRequest) == false) {
             if (bindRequest.compareAndSet(oldRequest, newRequest)) {
                 if (connectionPool != null) {

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java

@@ -21,6 +21,7 @@
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.settings.SettingsException;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.env.TestEnvironment;
@@ -45,7 +46,6 @@
 import java.util.Locale;
 
 import static org.elasticsearch.xpack.core.security.authc.RealmSettings.getFullSettingKey;
-import static org.elasticsearch.xpack.core.security.authc.ldap.PoolingSessionFactorySettings.BIND_DN;
 import static org.elasticsearch.xpack.core.security.authc.ldap.PoolingSessionFactorySettings.LEGACY_BIND_PASSWORD;
 import static org.elasticsearch.xpack.core.security.authc.ldap.PoolingSessionFactorySettings.SECURE_BIND_PASSWORD;
 import static org.hamcrest.Matchers.containsString;
@@ -199,7 +199,7 @@ public void testUserSearchBaseScopeFailsWithWrongBaseDN() throws Exception {
         assertDeprecationWarnings(config.identifier(), useAttribute, useLegacyBindPassword);
     }
 
-    public void testConstructorLogsErrorIfBindDnSetWithoutPassword() throws Exception {
+    public void testConstructorThrowsIfBindDnSetWithoutPassword() throws Exception {
         String groupSearchBase = "o=sevenSeas";
         String userSearchBase = "cn=William Bush,ou=people,o=sevenSeas";
 
@@ -216,19 +216,18 @@ public void testConstructorLogsErrorIfBindDnSetWithoutPassword() throws Exceptio
             new ThreadContext(globalSettings)
         );
 
-        try (LdapUserSearchSessionFactory ignored = getLdapUserSearchSessionFactory(config, sslService, threadPool)) {
-            assertCriticalWarnings(
-                String.format(
-                    Locale.ROOT,
-                    "[%s] is set but no bind password is specified. Without a corresponding bind password, "
-                        + "all ldap realm authentication will fail. Specify a bind password via [%s] or [%s]. "
-                        + "In the next major release, nodes with incomplete bind credentials will fail to start.",
-                    RealmSettings.getFullSettingKey(config, BIND_DN),
-                    RealmSettings.getFullSettingKey(config, SECURE_BIND_PASSWORD),
-                    RealmSettings.getFullSettingKey(config, LEGACY_BIND_PASSWORD)
-                )
-            );
-        }
+        Exception ex = expectThrows(SettingsException.class, () -> getLdapUserSearchSessionFactory(config, sslService, threadPool));
+        assertEquals(
+            String.format(
+                Locale.ROOT,
+                "[%s] is set but no bind password is specified. Without a corresponding bind password, "
+                    + "all %s realm authentication will fail. Specify a bind password via [%s].",
+                RealmSettings.getFullSettingKey(config, PoolingSessionFactorySettings.BIND_DN),
+                config.type(),
+                RealmSettings.getFullSettingKey(config, SECURE_BIND_PASSWORD)
+            ),
+            ex.getMessage()
+        );
     }
 
     public void testConstructorThrowsIfBothLegacyAndSecureBindPasswordSet() throws Exception {