We are having an issue with LDAP authorization.
elasticsearch: 6.2.3
readonlyrest: readonlyrest-1.16.29_es6.2.3
Our readonlyrest.yml:

```yaml
readonlyrest:
  enable: true
  response_if_req_forbidden: Forbidden
  audit_collector: true

  access_control_rules:
    - name: elastic
      auth_key_unix: elastic:xxx
      verbosity: error

    - name: debug
      ldap_authentication: "ldap2"
      ldap_authorization:
        name: "ldap2"
        groups: ["search-debug", "search-admin"]
      actions: ["cluster:monitor/main", "indices:data/read/*", "indices:data/write/*", "indices:admin/create", "indices:admin/delete"]

  ldaps:
    - name: ldap2
      host: "at.local"
      port: 389
      ssl_enabled: false
      ssl_trust_all_certs: true
      bind_dn: "CN=PID,OU=Service Accounts,OU=Users,OU=xxx,OU=xxx,DC=xxx,DC=xxx"
      bind_password: "xxx"
      user_id_attribute: "userPrincipalName"
      search_user_base_DN: "DC=xxx,DC=xxx"
      search_groups_base_DN: "DC=xxx,DC=xxx"
```
Access log:

```
[2018-11-19T19:44:37,769][DEBUG][tech.beshu.ror.acl.definitions.ldaps.logging.AuthenticationLdapClientLoggingDecorator] Trying to authenticate user [PIDCPDEBUGT@at.Local] with LDAP [ldap2]
[2018-11-19T19:44:38,029][DEBUG][tech.beshu.ror.acl.definitions.ldaps.logging.AuthenticationLdapClientLoggingDecorator] User [PIDCPDEBUGT@at.Local] authenticated by LDAP [ldap2]
[2018-11-19T19:44:38,029][DEBUG][tech.beshu.ror.acl.definitions.ldaps.logging.AuthenticationLdapClientLoggingDecorator] Trying to fetch user with identifier [PIDCPDEBUGT@at.Local] from LDAP [ldap2]
[2018-11-19T19:44:38,108][DEBUG][tech.beshu.ror.acl.definitions.ldaps.logging.AuthenticationLdapClientLoggingDecorator] User with identifier [PIDCPDEBUGT@at.Local] found [dn = CN=PIDCPDEBUGT,OU=ApplicationIDs,DC=at,DC=local]
[2018-11-19T19:44:38,109][DEBUG][tech.beshu.ror.acl.definitions.ldaps.logging.GroupsProviderLdapClientLoggingDecorator] Trying to fetch user [id=PIDCPDEBUGT@at.Local, dnCN=PIDCPDEBUGT,OU=ApplicationIDs,DC=at,DC=local] groups from LDAP [ldap2]
[2018-11-19T19:44:38,109][DEBUG][tech.beshu.ror.acl.definitions.ldaps.unboundid.UnboundidGroupsProviderLdapClient] LDAP search string: (&(cn=*)(uniqueMember=CN=PIDCPDEBUGT,OU=ApplicationIDs,DC=at,DC=local)) | groupNameAttr: cn
[2018-11-19T19:44:38,277][DEBUG][tech.beshu.ror.acl.definitions.ldaps.logging.GroupsProviderLdapClientLoggingDecorator] LDAP [ldap2] returned for user [PIDCPDEBUGT@at.Local] following groups: []
[2018-11-19T19:44:38,279][DEBUG][tech.beshu.ror.acl.blocks.Block] [admin] the request matches no rules in this block: { ID:632363033-1969213815#110, TYP:MainRequest, CGR:N/A, USR:PIDDEBUGT@at.Local, BRS:true, KDX:null, ACT:cluster:monitor/main, OA:10.94.156.170, DA:10.94.156.142, IDX:<N/A>, MET:GET, PTH:/, CNT:<N/A>, HDR:{Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8, Accept-Encoding=gzip, deflate, Accept-Language=en-US,en;q=0.9, Authorization=Basic BASE64String, Cache-Control=max-age=0, content-length=0, DNT=1, Host=internal-es-test-learth1-east-alb-233869344.us-east-1.elb.amazonaws.com, Upgrade-Insecure-Requests=1, User-Agent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36, X-Amzn-Trace-Id=Root=1-5bf312a5-72f28e29807fe88a0d578121, X-Forwarded-For=172.16.147.166, X-Forwarded-Port=80, X-Forwarded-Proto=http}, HIS:[elastic->[auth_key_unix->false]], [kibana->[auth_key_unix->false]], [admin->[ldap_authorization->false, ldap_authentication->true, actions->true]] }
[2018-11-19T19:44:38,282][INFO ][tech.beshu.ror.acl.ACL ] FORBIDDEN by default req={ ID:632363033-1969213815#110, TYP:MainRequest, CGR:N/A, USR:PIDCPDEBUGT@at.Local, BRS:true, KDX:null, ACT:cluster:monitor/main, OA:10.94.156.170, DA:10.94.156.142, IDX:<N/A>, MET:GET, PTH:/, CNT:<N/A>, HDR:{Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8, Accept-Encoding=gzip, deflate, Accept-Language=en-US,en;q=0.9, Authorization=Basic BASE64String, Cache-Control=max-age=0, content-length=0, DNT=1, Host=internal-es-test-learth1-east-alb-233869344.us-east-1.elb.amazonaws.com, Upgrade-Insecure-Requests=1, User-Agent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36, X-Amzn-Trace-Id=Root=1-5bf312a5-72f28e29807fe88a0d578121, X-Forwarded-For=172.16.147.166, X-Forwarded-Port=80, X-Forwarded-Proto=http}, HIS:[elastic->[auth_key_unix->false]], [kibana->[auth_key_unix->false]], [admin->[ldap_authorization->false, ldap_authentication->true, actions->true]] }
```
We are getting `ldap_authorization->false`, and the line `LDAP [ldap2] returned for user [PIDCPDEBUGT@at.Local] following groups: []` shows that the groups are empty.
Thank you for your help; it is appreciated.
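A small checker, added here as an example and not part of the original post or of ReadonlyREST, that pulls the group-lookup filter and the returned group list out of the debug lines above (a constructed, trimmed copy is embedded) and flags the mismatch a reviewer would look at first: the filter searches `uniqueMember=<dn>`, while a directory identified by `userPrincipalName` is Active Directory, whose group objects list their members in the `member` attribute. The AD-specific heuristic is an assumption about the directory in the post, not something the log proves.

```python
import re

# Constructed sample: the two relevant ROR debug records from the post, verbatim.
SAMPLE_LOG = """\
[2018-11-19T19:44:38,109][DEBUG][tech.beshu.ror.acl.definitions.ldaps.unboundid.UnboundidGroupsProviderLdapClient] LDAP search string: (&(cn=*)(uniqueMember=CN=PIDCPDEBUGT,OU=ApplicationIDs,DC=at,DC=local)) | groupNameAttr: cn
[2018-11-19T19:44:38,277][DEBUG][tech.beshu.ror.acl.definitions.ldaps.logging.GroupsProviderLdapClientLoggingDecorator] LDAP [ldap2] returned for user [PIDCPDEBUGT@at.Local] following groups: []
"""

# Matches the "LDAP search string" record: membership attribute, user DN, group-name attribute.
SEARCH_RE = re.compile(
    r"LDAP search string: \(&\(cn=\*\)\((?P<attr>\w+)=(?P<dn>[^)]+)\)\) \| groupNameAttr: (?P<name_attr>\w+)"
)
# Matches the "returned for user ... following groups" record.
GROUPS_RE = re.compile(
    r"LDAP \[(?P<ldap>\w+)\] returned for user \[(?P<user>[^\]]+)\] following groups: \[(?P<groups>[^\]]*)\]"
)


def parse_groups_lookup(log_text):
    """Extract the membership filter and the group result from ROR debug output."""
    result = {}
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            result.update(member_attr=m["attr"], user_dn=m["dn"], group_name_attr=m["name_attr"])
            continue
        m = GROUPS_RE.search(line)
        if m:
            raw = m["groups"].strip()
            result["groups"] = [g.strip() for g in raw.split(",")] if raw else []
    return result


def diagnose(lookup, user_id_attribute):
    """Return a one-line finding. Assumption: a directory keyed by userPrincipalName is
    Active Directory, which stores group membership in 'member', not 'uniqueMember'."""
    if lookup.get("groups"):
        return "ok: %d group(s) returned" % len(lookup["groups"])
    is_ad = user_id_attribute.lower() == "userprincipalname"
    if is_ad and lookup.get("member_attr", "").lower() == "uniquemember":
        return ("empty groups: filter uses uniqueMember but the directory looks like "
                "Active Directory, whose group objects list members in 'member'")
    return "empty groups: verify the user DN is listed as a member under search_groups_base_DN"


if __name__ == "__main__":
    print(diagnose(parse_groups_lookup(SAMPLE_LOG), "userPrincipalName"))
```

The attribute ROR places in that filter is configurable per `ldaps` entry; check the key name in the ReadonlyREST documentation for your version rather than the heuristic above.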