LDAP authorization

kirubasankars · November 19, 2018, 8:10pm

We having issue with LDAP authorization.

elasticsearch: 6.2.3
readonlyrest: readonlyrest-1.16.29_es6.2.3

Our readonlyrest.yml

readonlyrest:
enable: true
response_if_req_forbidden: Forbidden
audit_collector: true

access_control_rules:

- name: elastic
  auth_key_unix: elastic:xxx
  verbosity: error

- name: debug
  ldap_authentication: "ldap2"
  ldap_authorization:
    name: "ldap2"
    groups: ["search-debug", "search-admin"]
  actions: ["cluster:monitor/main","indices:data/read/*","indices:data/write/*","indices:admin/create", "indices:admin/delete"]

ldaps:

- name: ldap2
  host: "at.local"
  port: 389
  ssl_enabled: false
  ssl_trust_all_certs: true
  bind_dn: "CN=PID,OU=Service Accounts,OU=Users,OU=xxx,OU=xxx,DC=xxx,DC=xxx"
  bind_password: "xxx"
  user_id_attribute: "userPrincipalName"

  search_user_base_DN: "DC=xxx,DC=xxx"
  search_groups_base_DN: "DC=xxx,DC=xxx"

Access log

[2018-11-19T19:44:37,769][DEBUG][tech.beshu.ror.acl.definitions.ldaps.logging.AuthenticationLdapClientLoggingDecorator] Trying to authenticate user [PIDCPDEBUGT@at.Local] with LDAP [ldap2]
[2018-11-19T19:44:38,029][DEBUG][tech.beshu.ror.acl.definitions.ldaps.logging.AuthenticationLdapClientLoggingDecorator] User [PIDCPDEBUGT@at.Local]  authenticated by LDAP [ldap2]
[2018-11-19T19:44:38,029][DEBUG][tech.beshu.ror.acl.definitions.ldaps.logging.AuthenticationLdapClientLoggingDecorator] Trying to fetch user with identifier [PIDCPDEBUGT@at.Local] from LDAP [ldap2]
[2018-11-19T19:44:38,108][DEBUG]`Preformatted text`[tech.beshu.ror.acl.definitions.ldaps.logging.AuthenticationLdapClientLoggingDecorator] User with identifier [PIDCPDEBUGT@at.Local] found [dn = CN=PIDCPDEBUGT,OU=ApplicationIDs,DC=at,DC=local]
[2018-11-19T19:44:38,109][DEBUG][tech.beshu.ror.acl.definitions.ldaps.logging.GroupsProviderLdapClientLoggingDecorator] Trying to fetch user [id=PIDCPDEBUGT@at.Local, dnCN=PIDCPDEBUGT,OU=ApplicationIDs,DC=at,DC=local] groups from LDAP [ldap2]
[2018-11-19T19:44:38,109][DEBUG][tech.beshu.ror.acl.definitions.ldaps.unboundid.UnboundidGroupsProviderLdapClient] LDAP search string: (&(cn=*)(uniqueMember=CN=PIDCPDEBUGT,OU=ApplicationIDs,DC=at,DC=local))  |  groupNameAttr: cn
[2018-11-19T19:44:38,277][DEBUG][tech.beshu.ror.acl.definitions.ldaps.logging.GroupsProviderLdapClientLoggingDecorator] LDAP [ldap2] returned for user [PIDCPDEBUGT@at.Local] following groups: []
[2018-11-19T19:44:38,279][DEBUG][tech.beshu.ror.acl.blocks.Block] ^[[33m[admin] the request matches no rules in this block: { ID:632363033-1969213815#110, TYP:MainRequest, CGR:N/A, USR:PIDDEBUGT@at.Local, BRS:true, KDX:null, ACT:cluster:monitor/main, OA:10.94.156.170, DA:10.94.156.142, IDX:<N/A>, MET:GET, PTH:/, CNT:<N/A>, HDR:{Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8, Accept-Encoding=gzip, deflate, Accept-Language=en-US,en;q=0.9, Authorization=Basic BASE64String, Cache-Control=max-age=0, content-length=0, DNT=1, Host=internal-es-test-learth1-east-alb-233869344.us-east-1.elb.amazonaws.com, Upgrade-Insecure-Requests=1, User-Agent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36, X-Amzn-Trace-Id=Root=1-5bf312a5-72f28e29807fe88a0d578121, X-Forwarded-For=172.16.147.166, X-Forwarded-Port=80, X-Forwarded-Proto=http}, HIS:[elastic->[auth_key_unix->false]], [kibana->[auth_key_unix->false]], [admin->[ldap_authorization->false, ldap_authentication->true, actions->true]] }^[[0m
[2018-11-19T19:44:38,282][INFO ][tech.beshu.ror.acl.ACL   ] ^[[35mFORBIDDEN by default req={ ID:632363033-1969213815#110, TYP:MainRequest, CGR:N/A, USR:PIDCPDEBUGT@at.Local, BRS:true, KDX:null, ACT:cluster:monitor/main, OA:10.94.156.170, DA:10.94.156.142, IDX:<N/A>, MET:GET, PTH:/, CNT:<N/A>, HDR:{Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8, Accept-Encoding=gzip, deflate, Accept-Language=en-US,en;q=0.9, Authorization=Basic UElEQ1BERUJVR1RAVmVyaXNrVC5Mb2NhbDp0cjVwUmFUdQ==, Cache-Control=max-age=0, content-length=0, DNT=1, Host=internal-es-test-learth1-east-alb-233869344.us-east-1.elb.amazonaws.com, Upgrade-Insecure-Requests=1, User-Agent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36, X-Amzn-Trace-Id=Root=1-5bf312a5-72f28e29807fe88a0d578121, X-Forwarded-For=172.16.147.166, X-Forwarded-Port=80, X-Forwarded-Proto=http}, HIS:[elastic->[auth_key_unix->false]], [kibana->[auth_key_unix->false]], [admin->[ldap_authorization->false, ldap_authentication->true, actions->true]] } ^[[0m

Getting ldap_authorization->false
and LDAP [ldap2] returned for user [PIDCPDEBUGT@at.Local] following groups:

Groups are empty.

Thank you for your help and appropriated.

sscarduzio · November 20, 2018, 6:57am

Hello @kirubasankars,

Looks like a configuration problem on how the LDAP connector looks for groups. Can’t really help you in a super precise way about this because every LDAP server has unique configuration, but I can tell you where to look.

Please have a scan at the other LDAP settings we have in the documentation. I would focus on:

search_groups_base_DN
unique_member_attribute
group_name_attribute
group_search_filter

kirubasankars · November 20, 2018, 3:21pm

Thanks. the following worked for me,

 unique_member_attribute: "member"
 group_search_filter: "(objectClass=group)(cn=search*)"
 group_name_attribute: "cn"

ld57 · November 20, 2018, 3:31pm

interesting.

on my side I use

      search_user_base_DN: "DC=xxx,DC=xxx,DC=xxx"
      user_id_attribute: "SamAccountName"
      search_groups_base_DN: "OU=Rights_Access_Groups,OU=ELK,OU=Groups,DC=xxx,DC=xxx,DC=xxx"
      unique_member_attribute: "member"

user must belong to domain, and be member of a group which is stored in OU “rights_access_groups”

it is another approach