LDAP Auth: After change user password not authorized

#1

Hi guys,

We are using ES and Kibana 7.4.2 with RoR plugins [1.19.1 for elastic] and [1.19.3 for kibana], with confiured LDAP connector:
<…>
- name: “LDAP Primary Secure”
host: “<host.domain>”
port: 636
ssl_enabled: true
ssl_trust_all_certs: true
bind_dn: “<bind_dn path>”
bind_password: “<bind_dn pass>”
search_user_base_DN: “OU=Accounts,DC=domain,DC=com”
user_id_attribute: “sAMAccountName”
search_groups_base_DN: “”
unique_member_attribute: “member”
connection_pool_size: 80
connection_timeout_in_sec: 20
request_timeout_in_sec: 15
cache_ttl_in_sec: 80
group_name_attribute: “cn”

The issue is - when user changing password, he cannot login to kibana, unless he delete cookies in browser. I believe it’s not the issue with the connector itself, it should be more related with kibana plugin. Can you please provide some advise on this issue?

#2

Hi Damir,

Thanks for reporting this.

If you are a Enterprise user, please send me a direct message and I will flag your user name so your support request gets the right priority.

In the meantime, can you detail a bit more the use case? i.e.

  1. log in Kibana with password1
  2. change LDAP password to password2
  3. logout from Kibana
  4. Attempt to login again using password2 (what error message do you see in the browser, or in Elasticsearch log?)
  5. Attempt to login again using password1 (does it succeed?)
#3

Hi Simone,

I’m sorry for delay, here is the message in browser after mentioned actions:
{“statusCode”:400,“error”:“Bad Request”,“message”:"[undefined] Forbidden., with { due_to={ 0=“OPERATION_NOT_ALLOWED” } } :: {“path”:"/.kibana/_search",“query”:{“size”:1000,“from”:0,“rest_total_hits_as_int”:true},“body”:"{\“seq_no_primary_term\”:true,\“query\”:{\“bool\”:{\“filter\”:[{\“bool\”:{\“should\”:[{\“bool\”:{\“must\”:[{\“term\”:{\“type\”:\“space\”}}],\“must_not\”:[{\“exists\”:{\“field\”:\“namespace\”}}]}}],\“minimum_should_match\”:1}}]}},\“sort\”:[{\“space.name.keyword\”:{\“unmapped_type\”:\“keyword\”}}]}",“statusCode”:401,“response”:"{\“error\”:{\“root_cause\”:[{\“reason\”:\“Forbidden. \”,\“due_to\”:[\“OPERATION_NOT_ALLOWED\”]}],\“reason\”:\“Forbidden.\”,\“due_to\”:[\“OPERATION_NOT_ALLOWED\”],\“status\”:401}}",“wwwAuthenticateDirective”:“Basic”}"}

And the login is possible only after clear the cookies.

#4

OK now we delete the ror cookie every time someone presses “submit”, so we go to POST /login with a clean slate. Will hand you the build privately.

#5

Good day Simone!

Recently we have update our RoR version to 1.26.1 and it seems this bug is still present - after changing password users still cannot authentiate.

# /usr/share/kibana/bin/kibana-plugin --allow-root list
   [email protected]
# /usr/share/elasticsearch/bin/elasticsearch-plugin list -v
  Plugins directory: /usr/share/elasticsearch/plugins
  readonlyrest
  - Plugin information:
  Name: readonlyrest
  Description: Safely expose Elasticsearch REST API
  Version: 1.26.1
  Elasticsearch Version: 7.4.2
  Java Version: 1.8
  Native Controller: false
  Extended Plugins: []
   * Classname: tech.beshu.ror.es.ReadonlyRestPlugin
#6

Hi @nvidia,

OK now I actually reproduced it, and made this better.
We cannot really delete the cookie and send people back to /login every time they do something they’re not allowed to. Otherwise if you type something wrong in dev tools, or click a button that does something you are not allowed to, you’re immediately booted out.

I made so that when your password has changed, and you keep on clicking the UI, the data doesn’t show and all your page is blank. When you click the logout button (or navigate to it), it will actually logout correctly and bring you to /login once again.

Please download ROR PRO or Enterprise using the devops friendly API, specifying pluginVersion=1.27.2-pre1

#7

@nvidia any news about this one? Did you test the fix?