LDAP authentication no groups found or grouplist empty


(Olaf Heydorn) #1

Hi,

my ldap request is working, user is authenticated, but the groups call is empty. Any idea, what I have done wrong?

here is a snipped of the log:

[2017-07-07T13:33:39,848][INFO ][o.e.p.r.a.b.r.i.LdapAuthenticationAsyncRule] Attempting Login as: d1234 rc: { ID:2071009439-281222262, TYP:GetRequest, USR:d1234(?), BRS:false, ACT:indices:data/read/get, OA:100.66.1.217, IDX:.kibana, MET:GET, PTH:/.kibana/config/5.4.2, CNT:<OMITTED, LENGTH=0>, HDR:authorization,Connection,Content-Length,Host, HIS:[Monsoon (read only, but can create dashboards)->[auth_key->false]], [data->[auth_key->false]], [Admin->[auth_key->false]] }
[2017-07-07T13:33:39,848][DEBUG][o.e.p.r.a.d.l.l.AuthenticationLdapClientLoggingDecorator] Trying to authenticate user [d1234] with LDAP [ldap1]
[2017-07-07T13:33:39,857][DEBUG][o.e.p.r.a.d.l.l.AuthenticationLdapClientLoggingDecorator] User [d1234] authenticated by LDAP [ldap1]
[2017-07-07T13:33:39,857][DEBUG][o.e.p.r.a.d.l.l.AuthenticationLdapClientLoggingDecorator] Trying to fetch user with identifier [d1234] from LDAP [ldap1]
[2017-07-07T13:33:39,860][DEBUG][o.e.p.r.a.d.l.l.AuthenticationLdapClientLoggingDecorator] User with identifier [d1234] found [dn = CN=D1234,OU=Identities,DC=ad,DC=testing,DC=cloud,DC=com]
[2017-07-07T13:33:39,860][DEBUG][o.e.p.r.a.d.l.l.GroupsProviderLdapClientLoggingDecorator] Trying to fetch user [id=d1234, dnCN=D1234,OU=Identities,DC=ad,DC=testing,DC=cloud,DC=com] groups from LDAP [ldap1]
[2017-07-07T13:33:39,862][DEBUG][o.e.p.r.a.d.l.l.GroupsProviderLdapClientLoggingDecorator] LDAP [ldap1] returned for user [d1234] following groups: []
[2017-07-07T13:33:39,862][DEBUG][o.e.p.r.a.b.Block        ] [Accept requests from Monitoring Users] the request matches no rules in this block: { ID:2071009439-281222262, TYP:GetRequest, USR:d1234, BRS:false, ACT:indices:data/read/get, OA:100.66.1.217, IDX:.kibana, MET:GET, PTH:/.kibana/config/5.4.2, CNT:<OMITTED, LENGTH=0>, HDR:authorization,Connection,Content-Length,Host, [Accept requests from Monitoring Users->[ldap_authorization->false, ldap_authentication->true]] }
[2017-07-07T13:33:39,862][INFO ][o.e.p.r.a.ACL            ]  no block has matched, forbidding by default: { ID:2071009439-281222262, TYP:GetRequest, USR:d1234, BRS:false, ACT:indices:data/read/get, OA:100.66.1.217, IDX:.kibana, MET:GET, PTH:/.kibana/config/5.4.2, CNT:<OMITTED, LENGTH=0>, HDR:authorization,Connection,Content-Length,Host, HIS: [Accept requests from Monitoring Users->[ldap_authorization->false, ldap_authentication->true]] }

This line looks strange: dnCN=D1234,OU=Identities,DC=ad,DC=testing …

my config:

- name: Accept requests from Monitoring Users
  ldap_authentication: "ldap1"
  ldap_authorization:
    name: "ldap1"
    groups: ["MONITORING_DOMAIN_USERS"]

ldaps:
- name: ldap1
  host: "ldap.testing.cloud.com"
  port: 636
  ssl_enabled: true
  ssl_trust_all_certs: true
  bind_dn: "cn=monitoring,cn=Users,dc=ad,dc=testing,dc=cloud,dc=com"
  bind_password: "password"
  search_user_base_DN: "ou=Identities,dc=ad,dc=testing,dc=cloud,dc=com"
  search_groups_base_DN: "OU=ADMIN,OU=OSDomains,OU=CCloud,DC=ad,DC=testing,DC=cloud,DC=com"
  user_id_attribute: "sAMAccountName"
  unique_member_attribute: "memberOf"
  connection_pool_size: 10
  connection_timeout_in_sec: 10
  request_timeout_in_sec: 10
  cache_ttl_in_sec: 60

Any idea anyone?

Thanks a lot and regards,

Olaf


(Ld57) #2

Hi,

Try by replacing
unique_member_attribute: "memberOf"
by
unique_member_attribute: "member"

It is against group membership that RoR tests authorization, not the user attribute.

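An added example, not code from the thread or from the ReadonlyREST project: it simulates the assumed group lookup (a subtree search under search_groups_base_DN with the filter unique_member_attribute = user DN) over a constructed in-memory directory, and shows why "memberOf" returns an empty list while "member" finds the group, and that a group outside the configured search base is not found either.

```python
from typing import Dict, List

# Constructed sample directory (not real data), modelled on the DNs in the thread.
USER_DN = "CN=D1234,OU=Identities,DC=ad,DC=testing,DC=cloud,DC=com"
GROUPS_BASE = "OU=ADMIN,OU=OSDomains,OU=CCloud,DC=ad,DC=testing,DC=cloud,DC=com"
GROUP_DN = "CN=MONITORING_DOMAIN_USERS," + GROUPS_BASE
# A second group the user belongs to, but outside search_groups_base_DN.
OTHER_GROUP_DN = "CN=OTHER_GROUP,OU=Elsewhere,DC=ad,DC=testing,DC=cloud,DC=com"

DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    USER_DN: {
        "sAMAccountName": ["d1234"],
        # AD keeps the back-link (memberOf) on the user object ...
        "memberOf": [GROUP_DN, OTHER_GROUP_DN],
    },
    # ... but the forward link (member) lives on the group objects.
    GROUP_DN: {"cn": ["MONITORING_DOMAIN_USERS"], "member": [USER_DN]},
    OTHER_GROUP_DN: {"cn": ["OTHER_GROUP"], "member": [USER_DN]},
}


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison; AD matches DN values case-insensitively."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def fetch_groups(directory: Dict[str, Dict[str, List[str]]],
                 groups_base_dn: str, unique_member_attribute: str,
                 user_dn: str) -> List[str]:
    """Emulate the groups lookup (assumed behaviour): subtree search under
    groups_base_dn with filter (<unique_member_attribute>=<user_dn>),
    returning the cn of every matching group entry."""
    base = norm_dn(groups_base_dn)
    target = norm_dn(user_dn)
    found: List[str] = []
    for dn, attrs in directory.items():
        ndn = norm_dn(dn)
        if ndn != base and not ndn.endswith("," + base):
            continue  # entry is outside the configured search base
        # LDAP attribute names are case-insensitive as well.
        values = next((v for k, v in attrs.items()
                       if k.lower() == unique_member_attribute.lower()), [])
        if any(norm_dn(v) == target for v in values):
            found.extend(attrs.get("cn", []))
    return found


if __name__ == "__main__":
    print("memberOf:", fetch_groups(DIRECTORY, GROUPS_BASE, "memberOf", USER_DN))
    print("member:  ", fetch_groups(DIRECTORY, GROUPS_BASE, "member", USER_DN))
```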

(Olaf Heydorn) #3

It worked. Thanks a lot, with:

unique_member_attribute: "member"

(Ld57) #4

Nice. 🙂

Keep an eye on releases,