LDAP authentication failure

I was trying to configure LDAP authentication on Elasticsearch 7.9 using the ROR plugin. After configuring everything, I am getting the following error log when making a request to get indices:

[2020-10-15T12:14:51,744][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [testOrg] FORBIDDEN by default req={ ID:142436850--1022892427#513, TYP:GetSettingsRequest, CGR:N/A, USR:testuser (attempted), BRS:true, KDX:null, ACT:indices:monitor/settings/get, OA:127.0.0.1/32, XFF:null, DA:127.0.0.1/32, IDX:*, MET:GET, PTH:/_cat/indices, CNT:<N/A>, HDR:Accept=*/*, Authorization=<OMITTED>, Content-Type=application/json, Host=localhost:9200, User-Agent=curl/7.58.0, content-length=0, HIS:[Require HTTP Basic Auth-> RULES:[ldap_auth->false], RESOLVED:[indices=*]] }

The LDAP configuration looks something like this:

xpack.security.enabled: false
readonlyrest:
  enable: true

  access_control_rules:
  - name: Require HTTP Basic Auth
    type: allow
    actions: ["*"]
    indices: ["*"]
    ldap_auth:
      name: ldap1
      groups: ["Groups"]

  ldaps:
  - name: ldap1
    host: localhost
    port: 389
    ssl_enabled: false
    ssl_trust_all_certs: true
    search_user_base_DN: "ou=Users,dc=testOrg,dc=com"
    search_groups_base_DN: "ou=Groups,dc=testOrg,dc=com"
    user_id_attribute: "cn"
    unique_member_attribute: "member"

It would be very helpful if someone could point out what I am doing wrong.

@shbhshs welcome to the forum! The LDAP authentication is not succeeding. To see more verbose output from the LDAP connector, please put the Elasticsearch root logger in debug mode. See our documentation's troubleshooting guide for how to do it.

@sscarduzio thanks for the reply.
I enabled the root logger. I am getting the following logs:

[2020-10-15T17:06:34,778][DEBUG][t.b.r.e.r.c.t.GetSettingsEsRequestContext] [testOrg] [901088103--458660218#109] Discovered indices: *
[2020-10-15T17:06:34,779][DEBUG][t.b.r.a.l.AccessControlLoggingDecorator] [testOrg] checking request: 901088103--458660218#109
[2020-10-15T17:06:34,804][DEBUG][t.b.r.a.b.r.LdapAuthenticationRule] [testOrg] Attempting Login as: testuser rc: 901088103--458660218#109
[2020-10-15T17:06:34,804][DEBUG][t.b.r.a.b.d.l.LoggableLdapAuthenticationServiceDecorator] [testOrg] Trying to authenticate user [testuser] with LDAP [ldap1]
[2020-10-15T17:06:34,824][DEBUG][t.b.r.a.b.d.l.LoggableLdapAuthenticationServiceDecorator] [testOrg] User [testuser]  authenticated by LDAP [ldap1]
[2020-10-15T17:06:34,826][DEBUG][t.b.r.a.b.d.l.LoggableLdapAuthorizationServiceDecorator] [testOrg] Trying to fetch user [id=testuser] groups from LDAP [ldap1]
[2020-10-15T17:06:34,829][DEBUG][t.b.r.a.b.d.l.i.UnboundidLdapAuthorizationService] [testOrg] LDAP search string: (&(cn=*)(member=cn=testuser,ou=Users,dc=testOrg,dc=com)) | groupNameAttr: cn
[2020-10-15T17:06:34,833][DEBUG][t.b.r.a.b.d.l.LoggableLdapAuthorizationServiceDecorator] [testOrg] LDAP [ldap1] returned for user [testuser] following groups: [ldapgroup]
[2020-10-15T17:06:34,859][DEBUG][t.b.r.a.b.Block          ] [testOrg] [Require HTTP Basic Auth] the request matches no rules in this block: {  ID:901088103--458660218#109,  TYP:GetSettingsRequest,  CGR:N/A,  USR:testuser (attempted),  BRS:true,  KDX:null,  ACT:indices:monitor/settings/get,  OA:127.0.0.1/32,  XFF:null,  DA:127.0.0.1/32,  IDX:*,  MET:GET,  PTH:/_cat/indices,  CNT:<N/A>,  HDR:Accept=*/*, Authorization=<OMITTED>, Content-Type=application/json, Host=localhost:9200, User-Agent=curl/7.58.0, content-length=0,  HIS:[Require HTTP Basic Auth-> RULES:[ldap_auth->false], RESOLVED:[indices=*]]  } 
[2020-10-15T17:06:34,864][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [testOrg] FORBIDDEN by default req={  ID:901088103--458660218#109,  TYP:GetSettingsRequest,  CGR:N/A,  USR:testuser (attempted),  BRS:true,  KDX:null,  ACT:indices:monitor/settings/get,  OA:127.0.0.1/32,  XFF:null,  DA:127.0.0.1/32,  IDX:*,  MET:GET,  PTH:/_cat/indices,  CNT:<N/A>,  HDR:Accept=*/*, Authorization=Basic dGVzdHVzZXI6dGVzdF9wYXNz, Content-Type=application/json, Host=localhost:9200, User-Agent=curl/7.58.0, content-length=0,  HIS:[Require HTTP Basic Auth-> RULES:[ldap_auth->false], RESOLVED:[indices=*]]  }

The second-to-last line of the above log says the following, which I think is the issue; could you provide more clarity on that?

the request matches no rules in this block

The request I made:

curl -XGET -u testuser:test_pass -H "Content-Type: application/json" 'http://localhost:9200/_cat/indices?pretty'

You configured the wrong group name:

because apparently the user "testuser" you are using belongs to a group called "ldapgroup", not "Groups".
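To make the answer concrete, here is an added example (not ReadonlyREST's own code, and not part of the original thread) that models the authorization step visible in the debug log: the connector composes the user DN from `user_id_attribute` and `search_user_base_DN`, searches under `search_groups_base_DN` with the filter `(&(cn=*)(member=<userDN>))`, and returns each matching entry's `cn`. The `groups:` list in `ldap_auth` is then compared against those returned names. The directory entries below are constructed to match the DNs in the posted config and log; the rule semantics (the user must belong to at least one listed group) and the `_in_subtree` helper are this example's assumptions.

```python
"""Model of the ldap_auth group check seen in the thread's debug log.

Added example; not ReadonlyREST's own implementation. The directory is
constructed from the DNs that appear in the posted config and log lines.
"""
from typing import Dict, List

# Constructed directory: DN -> attributes. Hypothetical entries laid out as
# ou=Users / ou=Groups, mirroring the posted search base DNs.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "ou=Users,dc=testOrg,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["Users"]},
    "ou=Groups,dc=testOrg,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["Groups"]},
    "cn=testuser,ou=Users,dc=testOrg,dc=com": {"objectClass": ["inetOrgPerson"], "cn": ["testuser"]},
    "cn=ldapgroup,ou=Groups,dc=testOrg,dc=com": {
        "objectClass": ["groupOfNames"],
        "cn": ["ldapgroup"],
        "member": ["cn=testuser,ou=Users,dc=testOrg,dc=com"],
    },
}

# Settings copied from the posted `ldaps:` block; group_name_attribute comes
# from the "groupNameAttr: cn" shown in the debug log.
LDAP_SETTINGS = {
    "search_user_base_DN": "ou=Users,dc=testOrg,dc=com",
    "search_groups_base_DN": "ou=Groups,dc=testOrg,dc=com",
    "user_id_attribute": "cn",
    "unique_member_attribute": "member",
    "group_name_attribute": "cn",
}


def user_dn(settings: dict, user_id: str) -> str:
    """DN the connector looks the user up as: <user_id_attribute>=<id>,<user base DN>."""
    return f"{settings['user_id_attribute']}={user_id},{settings['search_user_base_DN']}"


def group_search_filter(settings: dict, user_id: str) -> str:
    """Reproduce the 'LDAP search string' printed in the debug log."""
    name_attr = settings["group_name_attribute"]
    member_attr = settings["unique_member_attribute"]
    return f"(&({name_attr}=*)({member_attr}={user_dn(settings, user_id)}))"


def _in_subtree(dn: str, base_dn: str) -> bool:
    """Subtree scope below base_dn (base itself excluded). Case-insensitive string
    comparison is a simplification of real DN matching rules."""
    dn_l, base_l = dn.lower(), base_dn.lower()
    return dn_l != base_l and dn_l.endswith("," + base_l)


def fetch_user_groups(directory: dict, settings: dict, user_id: str) -> List[str]:
    """Group names (the group entries' cn) whose member attribute lists the user's DN."""
    dn = user_dn(settings, user_id).lower()
    name_attr = settings["group_name_attribute"]
    member_attr = settings["unique_member_attribute"]
    groups: List[str] = []
    for entry_dn, attrs in directory.items():
        if not _in_subtree(entry_dn, settings["search_groups_base_DN"]):
            continue
        if not attrs.get(name_attr):
            continue  # the (cn=*) half of the filter
        if dn in (m.lower() for m in attrs.get(member_attr, [])):
            groups.extend(attrs[name_attr])
    return groups


def ldap_auth_rule_matches(directory: dict, settings: dict, user_id: str,
                           configured_groups: List[str]) -> bool:
    """The `groups:` clause: true when the user is in at least one configured group
    (assumed OR semantics). Names are matched against group cn values, never the OU."""
    returned = set(fetch_user_groups(directory, settings, user_id))
    return bool(returned & set(configured_groups))


if __name__ == "__main__":
    print("filter:", group_search_filter(LDAP_SETTINGS, "testuser"))
    print("returned groups:", fetch_user_groups(DIRECTORY, LDAP_SETTINGS, "testuser"))
    # Posted config vs. the fix suggested in the answer above.
    print('groups: ["Groups"]    ->', ldap_auth_rule_matches(DIRECTORY, LDAP_SETTINGS, "testuser", ["Groups"]))
    print('groups: ["ldapgroup"] ->', ldap_auth_rule_matches(DIRECTORY, LDAP_SETTINGS, "testuser", ["ldapgroup"]))
```

Running it shows `groups: ["Groups"]` evaluating to false (the OU name is never a returned group name) and `groups: ["ldapgroup"]` evaluating to true, which is exactly the `ldap_auth->false` turning into a match once the answer's correction is applied. One caveat worth carrying away from the log lines in this thread: at the default level the request is logged with `Authorization=<OMITTED>`, but the root-logger debug output above prints the raw `Authorization: Basic ...` header, so treat debug logs as credential-bearing and turn debug off again once the troubleshooting is done.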

@sscarduzio thanks for pointing out, it resolved the issue.
