LDAP Authentication troubles with 6.0.0 Readonlyrest plugin


#1

Hello,

We are trying to install and configure the 6.0.0 version of the readonlyrest plugin on an ELS (also version 6.0.0).

We are having weird trouble with LDAP authentication.

We succeeded in installing this plugin, but we get both ALLOWED and FORBIDDEN authentications for the same users.

It’s completely moody!

This is an example of the logs:

[2017-12-11T15:58:07,623][INFO ][t.b.r.a.ACL ] ESC[35mFORBIDDEN by default req={ ID:1409535857-1422354124#6, TYP:ClusterStateRequest, CGR:N/A, USR:user_ldap(?), BRS:true, ACT:cluster:monitor/state, OA:10.1.1.1, IDX:, MET:GET, PTH:/_cat/indices?format=json, CNT:<N/A>, HDR:Accept,Authorization,content-length,Host,User-Agent, HIS:[Acces IP flume->[hosts->false]], [Accept index 1 and Kibana for user1->[auth_key->false]], [Accept local user (admin)->[groups->false]], [Acces equipe secu GG_A_ELASTIC_SECU_FLAT->[ldap_authentication->false]], [fscrawler writer->[auth_key->false]], [test DDE->[auth_key->false]], [Kibana->[auth_key->false]], [elastalerts secu->[auth_key_sha256->false]], [Acces equipe bigdata->[ldap_authentication->false]] } ESC[0m

[2017-12-11T15:58:07,623][INFO ][t.b.r.a.ACL ] ESC[35mFORBIDDEN by default req={ ID:1426536812-755106832#8, TYP:ClusterStateRequest, CGR:N/A, USR:user_ldap(?), BRS:true, ACT:cluster:monitor/state, OA:10.1.1.1, IDX:, MET:GET, PTH:/_cat/nodes?format=json, CNT:<N/A>, HDR:Accept,Authorization,content-length,Host,User-Agent, HIS:[Acces equipe bigdata->[ldap_authentication->false]], [Kibana->[auth_key->false]], [Acces IP flume->[hosts->false]], [test DDE->[auth_key->false]], [Acces equipe secu GG_A_ELASTIC_SECU_FLAT->[ldap_authentication->false]], [Accept index 1 and Kibana for user1->[auth_key->false]], [elastalerts secu->[auth_key_sha256->false]], [fscrawler writer->[auth_key->false]], [Accept local user (admin)->[groups->false]] } ESC[0m

[2017-12-11T15:58:07,628][INFO ][t.b.r.a.ACL ] ESC[36mALLOWED by { name: ‘Acces equipe bigdata’, policy: ALLOW} req={ ID:1908801730-857820634#7, TYP:ClusterHealthRequest, CGR:N/A, USR:user_ldap, BRS:true, ACT:cluster:monitor/health, OA:10.1.1.1, IDX:, MET:GET, PTH:/_cluster/health, CNT:<N/A>, HDR:Accept,Authorization,content-length,Host,User-Agent, HIS:[Acces equipe bigdata->[ldap_authorization->true]], [Acces equipe secu GG_A_ELASTIC_SECU_FLAT->[ldap_authentication->false]], [test DDE->[auth_key->false]] } ESC[0m

[2017-12-11T15:58:12,489][ERROR][t.b.r.a.d.l.u.UnboundidAuthenticationLdapClient] LDAP getting user operation failed

[2017-12-11T15:58:12,491][ERROR][t.b.r.a.d.l.u.UnboundidAuthenticationLdapClient] LDAP getting user operation failed

[2017-12-11T15:58:12,494][ERROR][t.b.r.a.d.l.u.UnboundidAuthenticationLdapClient] LDAP getting user operation failed

[2017-12-11T15:58:12,498][INFO ][t.b.r.a.ACL ] ESC[35mFORBIDDEN by default req={ ID:1768070099-252624602#12, TYP:ClusterStateRequest, CGR:N/A, USR:user_ldap(?), BRS:true, ACT:cluster:monitor/state, OA:10.1.1.1, IDX:, MET:GET, PTH:/_cat/nodes?format=json, CNT:<N/A>, HDR:Accept,Authorization,content-length,Host,User-Agent, HIS:[Acces IP flume->[hosts->false]], [Acces equipe secu GG_A_ELASTIC_SECU_FLAT->[ldap_authentication->false]], [Accept local user (admin)->[groups->false]], [Kibana->[auth_key->false]], [fscrawler writer->[auth_key->false]], [Accept index 1 and Kibana for user1->[auth_key->false]], [elastalerts secu->[auth_key_sha256->false]], [test DDE->[auth_key->false]], [Acces equipe bigdata->[ldap_authentication->false]] } ESC[0m

[2017-12-11T15:58:12,499][ERROR][t.b.r.a.d.l.u.UnboundidAuthenticationLdapClient] LDAP getting user operation failed

[2017-12-11T15:58:12,501][ERROR][t.b.r.a.d.l.u.UnboundidAuthenticationLdapClient] LDAP getting user operation failed

[2017-12-11T15:58:12,508][INFO ][t.b.r.a.ACL ] ESC[35mFORBIDDEN by default req={ ID:314495289-920401601#14, TYP:MainRequest, CGR:N/A, USR:user_ldap(?), BRS:true, ACT:cluster:monitor/main, OA:10.1.1.1, IDX:<N/A>, MET:GET, PTH:/, CNT:<N/A>, HDR:Accept,Authorization,content-length,Host,User-Agent, HIS:[Kibana->[auth_key->false]], [Accept index 1 and Kibana for user1->[auth_key->false]], [Accept local user (admin)->[groups->false]], [Acces IP flume->[hosts->false]], [Acces equipe secu GG_A_ELASTIC_SECU_FLAT->[ldap_authentication->false]], [Acces equipe bigdata->[ldap_authentication->false]], [fscrawler writer->[auth_key->false]], [test DDE->[auth_key->false]], [elastalerts secu->[auth_key_sha256->false]] } ESC[0m

[2017-12-11T15:58:12,509][INFO ][t.b.r.a.ACL ] ESC[35mFORBIDDEN by default req={ ID:342628436-862863933#15, TYP:ClusterHealthRequest, CGR:N/A, USR:user_ldap(?), BRS:true, ACT:cluster:monitor/health, OA:10.1.1.1, IDX:, MET:GET, PTH:/_cluster/health, CNT:<N/A>, HDR:Accept,Authorization,content-length,Host,User-Agent, HIS:[Accept index 1 and Kibana for user1->[auth_key->false]], [elastalerts secu->[auth_key_sha256->false]], [Kibana->[auth_key->false]], [Acces IP flume->[hosts->false]], [Acces equipe secu GG_A_ELASTIC_SECU_FLAT->[ldap_authentication->false]], [fscrawler writer->[auth_key->false]], [Accept local user (admin)->[groups->false]], [test DDE->[auth_key->false]], [Acces equipe bigdata->[ldap_authentication->false]] } ESC[0m

[2017-12-11T15:58:12,514][INFO ][t.b.r.a.ACL ] ESC[36mALLOWED by { name: ‘Acces equipe bigdata’, policy: ALLOW} req={ ID:1933779412-1918882715#13, TYP:ClusterStateRequest, CGR:N/A, USR:user_ldap, BRS:true, ACT:cluster:monitor/state, OA:10.1.1.1, IDX:, MET:GET, PTH:/_cat/indices?format=json, CNT:<N/A>, HDR:Accept,Authorization,content-length,Host,User-Agent, HIS:[Acces equipe secu GG_A_ELASTIC_SECU_FLAT->[ldap_authentication->false]], [Acces equipe bigdata->[ldap_authorization->true]], [test DDE->[auth_key->false]] } ESC[0m

[2017-12-11T15:58:17,483][ERROR][t.b.r.a.d.l.u.UnboundidAuthenticationLdapClient] LDAP getting user operation failed

[2017-12-11T15:58:17,484][ERROR][t.b.r.a.d.l.u.UnboundidAuthenticationLdapClient] LDAP getting user operation failed

[2017-12-11T15:58:17,486][ERROR][t.b.r.a.d.l.u.UnboundidAuthenticationLdapClient] LDAP getting user operation failed

[2017-12-11T15:58:17,487][ERROR][t.b.r.a.d.l.u.UnboundidAuthenticationLdapClient] LDAP getting user operation failed

[2017-12-11T15:58:17,492][INFO ][t.b.r.a.ACL ] ESC[35mFORBIDDEN by default req={ ID:1620440847-634382444#23, TYP:ClusterHealthRequest, CGR:N/A, USR:user_ldap(?), BRS:true, ACT:cluster:monitor/health, OA:10.1.1.1, IDX:, MET:GET, PTH:/_cluster/health, CNT:<N/A>, HDR:Accept,Authorization,content-length,Host,User-Agent, HIS:[Kibana->[auth_key->false]], [test DDE->[auth_key->false]], [fscrawler writer->[auth_key->false]], [Accept local user (admin)->[groups->false]], [Acces equipe bigdata->[ldap_authentication->false]], [Acces equipe secu GG_A_ELASTIC_SECU_FLAT->[ldap_authentication->false]], [Accept index 1 and Kibana for user1->[auth_key->false]], [elastalerts secu->[auth_key_sha256->false]], [Acces IP flume->[hosts->false]] } ESC[0m

[2017-12-11T15:58:17,504][INFO ][t.b.r.a.ACL ] ESC[36mALLOWED by { name: ‘Acces equipe bigdata’, policy: ALLOW} req={ ID:1754355282-1181427481#22, TYP:MainRequest, CGR:N/A, USR:user_ldap, BRS:true, ACT:cluster:monitor/main, OA:10.1.1.1, IDX:<N/A>, MET:GET, PTH:/, CNT:<N/A>, HDR:Accept,Authorization,content-length,Host,User-Agent, HIS:[Acces equipe bigdata->[ldap_authorization->true]], [Acces equipe secu GG_A_ELASTIC_SECU_FLAT->[ldap_authentication->false]], [test DDE->[auth_key->false]] } ESC[0m

[2017-12-11T15:58:17,505][INFO ][t.b.r.a.ACL ] ESC[35mFORBIDDEN by default req={ ID:456936355-500096492#20, TYP:ClusterStateRequest, CGR:N/A, USR:user_ldap(?), BRS:true, ACT:cluster:monitor/state, OA:10.1.1.1, IDX:, MET:GET, PTH:/_cat/nodes?format=json, CNT:<N/A>, HDR:Accept,Authorization,content-length,Host,User-Agent, HIS:[elastalerts secu->[auth_key_sha256->false]], [Acces equipe bigdata->[ldap_authentication->false]], [Acces IP flume->[hosts->false]], [Kibana->[auth_key->false]], [Accept local user (admin)->[groups->false]], [fscrawler writer->[auth_key->false]], [Acces equipe secu GG_A_ELASTIC_SECU_FLAT->[ldap_authentication->false]], [Accept index 1 and Kibana for user1->[auth_key->false]], [test DDE->[auth_key->false]] } ESC[0m

[2017-12-11T15:58:17,511][INFO ][t.b.r.a.ACL ] ESC[36mALLOWED by { name: ‘Acces equipe bigdata’, policy: ALLOW} req={ ID:869556117-982046552#21, TYP:ClusterStateRequest, CGR:N/A, USR:user_ldap, BRS:true, ACT:cluster:monitor/state, OA:10.1.1.1, IDX:, MET:GET, PTH:/_cat/indices?format=json, CNT:<N/A>, HDR:Accept,Authorization,content-length,Host,User-Agent, HIS:[test DDE->[auth_key->false]], [Acces equipe bigdata->[ldap_authorization->true]], [Acces equipe secu GG_A_ELASTIC_SECU_FLAT->[ldap_authentication->false]] } ESC[0m

With the same server configuration and the same readonlyrest.yml file, which connects to the same LDAP servers, BUT on an ELS 5 and a 5.4 readonlyrest plugin, we don’t have any trouble.

Do you have any idea?

Regards,

Audric
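
A triage sketch for the log format shown in the post above (an added example, not part of the original post and not ReadonlyREST code): it tallies ALLOWED/FORBIDDEN decisions per user, records how each `ldap_*` rule evaluated in each ACL block, and counts FORBIDDEN decisions logged shortly after an LDAP client error. The sample lines are constructed and shortened from the post's format; the name `summarize` and the 50 ms window are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample, shortened from the log format shown in the post (not real data).
SAMPLE = """\
[2017-12-11T15:58:12,489][ERROR][t.b.r.a.d.l.u.UnboundidAuthenticationLdapClient] LDAP getting user operation failed
[2017-12-11T15:58:12,498][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:1#12, USR:user_ldap(?), PTH:/_cat/nodes?format=json, HIS:[Kibana->[auth_key->false]], [Acces equipe bigdata->[ldap_authentication->false]] }
[2017-12-11T15:58:12,514][INFO ][t.b.r.a.ACL ] ALLOWED by { name: 'Acces equipe bigdata', policy: ALLOW} req={ ID:2#13, USR:user_ldap, PTH:/_cat/indices?format=json, HIS:[Acces equipe bigdata->[ldap_authorization->true]], [test DDE->[auth_key->false]] }
[2017-12-11T15:58:17,492][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:3#23, USR:user_ldap(?), PTH:/_cluster/health, HIS:[Acces equipe bigdata->[ldap_authentication->false]] }
"""

ANSI = re.compile(r"(?:\x1b|ESC)\[\d+m")  # raw escape byte or the literal "ESC" seen in pasted logs
HEAD = re.compile(r"^\[(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d,\d{3})\]\[(\w+)\s*\]")
ACL = re.compile(r"(ALLOWED|FORBIDDEN) by .*?USR:([^,(\s]+)")  # drops the "(?)" suffix
HIS = re.compile(r"\[([^\[\]]+)->\[(\w+)->(true|false)\]\]")   # [block->[rule->result]]

def summarize(text, window_ms=50):
    """Per-user tally of ACL verdicts, ldap_* rule results and error-adjacent denials."""
    errors, decisions = [], []
    for raw in text.splitlines():
        line = ANSI.sub("", raw)
        head = HEAD.match(line)
        if not head:
            continue
        ts = datetime.strptime(head.group(1), "%Y-%m-%dT%H:%M:%S,%f")
        acl = ACL.search(line)
        if head.group(2) == "ERROR" and "LdapClient" in line:
            errors.append(ts)
        elif acl:
            history = HIS.findall(line.partition("HIS:")[2])
            decisions.append((ts, acl.group(1), acl.group(2), history))
    window = timedelta(milliseconds=window_ms)
    report = defaultdict(lambda: {"decisions": Counter(), "ldap_rules": Counter(),
                                  "forbidden_near_ldap_error": 0})
    for ts, verdict, user, history in decisions:
        entry = report[user]
        entry["decisions"][verdict] += 1
        for block, rule, result in history:
            if rule.startswith("ldap_"):
                entry["ldap_rules"][(block, rule, result)] += 1
        if verdict == "FORBIDDEN" and any(timedelta(0) <= ts - e <= window for e in errors):
            entry["forbidden_near_ldap_error"] += 1
    return dict(report)

if __name__ == "__main__":
    for user, entry in summarize(SAMPLE).items():
        print(user, dict(entry["decisions"]), dict(entry["ldap_rules"]), entry["forbidden_near_ldap_error"])
```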