LDAP authorization error

saa · May 19, 2017, 5:09am

Hi, I have the following problem. When LDAP authorization of a user who has
CN=full user name (username-srv)
an error occurs https://pastebin.com/raw/t5rNYHYG after which authorization is successful (even if the user is not a member of the group)
My config:

http.type: ssl_netty4

readonlyrest:
  enable: true
  response_if_req_forbidden: Forbidden request

ssl:
  enable: true
  keystore_file: "/usr/share/elasticsearch/plugins/readonlyrest/keystore.jks"
  keystore_pass: readonlyrest
  key_pass: Zx123456

access_control_rules:

- name: LDAP Auth
  type: allow
  ldap_auth:
      name: "ldap1"
      groups: ["group1"]
  indices: [".kibana", "winlogbeat-*, "exchange-*"]

- name: kibana-server
  type: allow
  auth_key: kibana:kibana
  verbosity: error
  indices: [".kibana"]

- name: logstash-server
  type: allow
  auth_key: logstash:logstash
  actions: ["cluster:monitor/main","cluster:monitor/health","indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
  indices: ["exchange-*"]

- name: winlogbeat-elastic
  type: allow
  auth_key: elastic:changeme
  actions: ["cluster:monitor/main","cluster:monitor/health","indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
  indices: ["winlogbeat-*"]

ldaps:

- name: ldap1
  host: "dc.mydomain"
  port: 389
  ssl_enabled: false
  ssl_trust_all_certs: true
  bind_dn: "cn=elastic,ou=service accounts,dc=mydomain"
  bind_password: "yN3Gb9bWGO58uD3P1i"
  search_user_base_DN: "dc=mydomain"
  user_id_attribute: "SamAccountName"
  search_groups_base_DN: "ou=Groups,ou=ACL-Groups,dc=mydomain"
  unique_member_attribute: "member"
  connection_pool_size: 10                                  # optional, default 30
  connection_timeout_in_sec: 10                             # optional, default 1
  request_timeout_in_sec: 10                                # optional, default 1

Need any additional information?

coutoPL · May 19, 2017, 6:39am

it seems to be a problem with CN (parenthesis). Maybe we should escape them. Will write a test and check. Thanks for reporting.

saa · May 22, 2017, 3:59am

Tell me how long it takes?

coutoPL · May 22, 2017, 4:59pm

check out this PR:

saa · May 24, 2017, 7:40am

Hi, I see that your pool request was merged, so how can i get an archive with a plugin for Elasticsearch version 5.3.1 with final build?
ps. I try to configure manually, without docker, I get an error

Caused by: java.lang.IllegalStateException: Could not find a valid Docker environment. Please see logs and check configuration

sscarduzio · May 24, 2017, 10:52am

We will produce a backported version to 5.3.1 once the bigger PR gets merged, and producing backported builds is not a risky pain in the butt anymore.

For now, if you want to test what is in master branch, you can either build it for 5.4.0 yourself with ./gradlew assemble or request a pre-build to me.

sscarduzio · May 31, 2017, 11:56am

a new version has been released, head to the download section:

saa · May 31, 2017, 12:08pm

Thank you!
Can I ask one more question? How realistic is it to implement a recursive search for groups in LDAP? I would like to create a group for the kibana which includes another group, etc.

sscarduzio · May 31, 2017, 12:21pm

@coutoPL is the LDAP expert, I don’t have an estimate on this.

coutoPL · May 31, 2017, 5:51pm

I don’t know how recursive search in LDAP works, but when I understand that, implementation would be a matter of hours

sscarduzio · June 1, 2017, 12:39pm

Adding this for context LDAP search · Issue #234 · sscarduzio/elasticsearch-readonlyrest-plugin · GitHub