Does ROR supports kerberos authentication?


#1

Hello ,

the question in the title ,
in the last few days we see that we have some issues with the ldap authentication . (we get time out after 10 secs)
our linux admin suggested to work with kerberos (which saves tickets on the server, instead of querying our ldap each time we connect to the elastic cluster) .
does ROR supports working with kerberos ?

Thanks.


(Simone Scarduzio) #2

Hi @sdba2, no we don’t support Kerberos natively within ROR plugin. If I were you I’d rather tweak the LDAP connector that is already configured and working. For example:

  • to simulate the ticket saving in Kerberos you could enable the credentials cache (valid and invalid credentials will be hashed and saved in memory into a LRU cache).

  • To circumvent the 10 seconds timeout, you can modify the LDAP server settings

ldaps:
    
    - name: ldap1
      host: "ldap1.example.com"
    ....
      connection_timeout_in_sec: 120                                 # optional, default 1
      request_timeout_in_sec: 120                                  # optional, default 1
      cache_ttl_in_sec: 3600                                          # 1h (default 60 sec)     


(Thierno Ib Barry) #3

Hello @sdba2 LDAP is a good option. You can even achieve member search in nested groups.

But if you’re an entreprise user, I think the best option is to use SAML authentication. This will give you SSO integration. This is probably what you’re trying to achieve with Kerberos.

Another option (if you’re not an Entreprise/Pro user and really need Kerberos) is to use Nginx/Apache as reverse proxy for Kerberos authentication.


#4

this is good to know.
our config file looks like that :
ldaps:

  • name : “ldap_name”
    host : host_address
    port : port_number
    bind_dn : "[email protected]"
    bind_password: “my password”
    bind_user_base_DN: “OU=my tree,DC=my dc,DC=com”
    user_id_attribute: “sAMAccountName”
    search_groups_base_DN: “CN=my CN,DC= my dc,DC=com”
    uniaue_member_attribute: “member”
    connection_pool_size: 20
    connection_timeout_in_sec: 20
    request_timeout_in_sec: 20
    cache_ttl_in_sec: 300

who do I need to change if I want to use the SAML authentication ?

Thanks.


(Thierno Ib Barry) #5

Great. Do you have any SAML endpoints (like ADFS https://www.ispringsolutions.com/articles/ispring-learn-sso-with-microsoft-active-directory-federation-services) ?

If yes, maybe this will help you https://github.com/beshu-tech/readonlyrest-docs/blob/master/kibana.md#saml to configure Kibana et RoR.

If not (and you can’t) please use LDAP