Help to configure authentication through AD nested groups


#1

Hi,

I need some help to configure authentication through AD nested groups.

There are two groups for this test:

  • GG_A_READONLYREST_TEST: This group contains TEAM_EXPLOITATION_TEST only
  • TEAM_EXPLOITATION_TEST: This group contains users only

Why using GG_A_READONLYREST_TEST? We have an AD constraint which imply to locate all our groups where GG_A_READONLYREST_TEST is located. Furthermore we want to be able to automatize access rules with templatized names.

If the configuration is set to request the group TEAM_EXPLOITATION_TEST it works fine. If we set configuration to match GG_A_READONLYREST_TEST, the user cannot login:

Ldaps configuration to make TEAM_EXPLOITATION_TEST work:

    ldaps:

    - name: ldap1
      host: "XXXXXXX"
      port: 636                                                 # optional, default 389
      ssl_enabled: true                                         # optional, default true
      ssl_trust_all_certs: true                                 # optional, default false
      bind_dn: "CN=XXX,OU=Service_Accounts,OU=SomeUO,DC=firm,DC=com"                     # optional, skip for anonymous bind
      bind_password: "XXXX"                                 # optional, skip for anonymous bind

      search_user_base_DN: "OU=OtherUO,DC=firm,DC=com"
      user_id_attribute: "sAMAccountName"                       # optional, default "uid"
      search_groups_base_DN: "OU=Groups_team,OU=SomeUO,DC=firm,DC=com"
      #groups_from_user: true
      #groups_from_user_attribute: "memberOf"
      #group_search_filter: "(objectClass=group)"
      unique_member_attribute: "member"                         # optional, default "uniqueMember"

      connection_pool_size: 10                                  # optional, default 30
      connection_timeout_in_sec: 10                             # optional, default 1
      request_timeout_in_sec: 10                                # optional, default 1
      cache_ttl_in_sec: 60                                      # optional, default 0 - cache disabled


access_control_rule:

    - name: Acces_nested
      #nested group access test
      type: allow
      ldap_auth:
        name: "ldap1"
        groups: ["TEAM_EXPLOITATION_TEST"]

GG_A_READONLYREST_TEST is located in OU=Groups_appli,OU=SomeUO,DC=firm,DC=com
TEAM_EXPLOITATION_TEST is located in OU=Groups_team,OU=SomeUO,DC=firm,DC=com

I tried to set ldaps configuration to request on OU=Groups_appli,OU=SomeUO,DC=firm,DC=com and configure the access_control_rule to match with GG_A_READONLYREST_TEST as follow:


    - name: Acces_nested
        #group access test
        type: allow
        ldap_auth:
          name: "ldap1"
          groups: ["GG_A_READONLYREST_TEST"]
		  
    ldaps:

    - name: ldap1
      host: "XXXXXXX"
      port: 636                                                 # optional, default 389
      ssl_enabled: true                                         # optional, default true
      ssl_trust_all_certs: true                                 # optional, default false
      bind_dn: "CN=XXX,OU=Service_Accounts,OU=SomeUO,DC=firm,DC=com"                     # optional, skip for anonymous bind
      bind_password: "XXXX"                                 # optional, skip for anonymous bind

      search_user_base_DN: "OU=OtherUO,DC=firm,DC=com"
      user_id_attribute: "sAMAccountName"                       # optional, default "uid"
      search_groups_base_DN: "OU=Groups_appli,OU=SomeUO,DC=firm,DC=com"
      #groups_from_user: true
      #groups_from_user_attribute: "memberOf"
      #group_search_filter: "(objectClass=group)"
      unique_member_attribute: "member"                         # optional, default "uniqueMember"

      connection_pool_size: 10                                  # optional, default 30
      connection_timeout_in_sec: 10                             # optional, default 1
      request_timeout_in_sec: 10                                # optional, default 1
      cache_ttl_in_sec: 60                                      # optional, default 0 - cache disabled

There are three parameters which are commented. We tried to play with them but could not figure out the way to make the authentication to Kibana work

RoR EnterpriseVersion:

kibana-plugin list
[email protected]
Kibana version: 6.4.3
Elasticsearch version: 6.4.3

RoR Version (ES side):
Name: readonlyrest
Description: Safely expose Elasticsearch REST API
Version: 1.16.29
Elasticsearch Version: 6.4.3
Java Version: 1.8
Native Controller: false
Extended Plugins: []
Classname: tech.beshu.ror.es.ReadonlyRestPlugin

I could not find relevant logs to determine the cause of the issue neither on kibana side nor on ES side (logs and also RoR index directly)

Can someone please help to configure ldap connection the proper way?

Thanks in advance


(Thierno Ib Barry) #2

Maybe this issue will help you https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin/issues/234#issuecomment-344595274


#3

Hi Barry,

Sure it helps !

Thanks a lot, did not know about LDAP matching chain rule.