LDAP based user authentication

praveenmak · August 20, 2020, 5:42pm

Hello folks,

I am using a Enterprise version 1.19.5. I see the LDAP auth in ROR misses out if usernames doesn’t match case.
Can we make users match without case (make it case insensitive) ?

for ex.

username: John123
groups: [ “admins” ]
ldap_authentication:
name: ldap1
cache_ttl_in_sec: 600

And if user logs in as “john123” ROR fails.

sscarduzio · August 21, 2020, 7:16am

Sounds like a Windows vs Unix philosophical issue
We could create a flag in the configuration about this. But because the majority of the LDAP servers are actually Active Directory servers, it would make sense to make case insensitive the default?

WDYT @coutoPL

coutoPL · August 21, 2020, 1:46pm

We could create a flag, but this is not a good idea to make it case insensitive by default.

It breaks the current contract and we could potentially change behaviour of existing configurations after upgrade - for me it could be a potential security hole.

sscarduzio · August 22, 2020, 8:52am

Elastic engineers have a good point about this, they were basically willing to introduce string transformations for usernames BEFORE they’re sent to LDAP authentication. I.e. toUppercase/toLowercase/capitalized.

Which makes sense, because the case sensitivity in authentication phase is a trait of the LDAP server, rather than our connector. So the best we can do is normalize the casing of the username before serving to the server.

@praveenmak On the other hand, how about configuring the LDAP server to accept case insensitive user names? Should be possible.

github.com/elastic/elasticsearch

Username letter case for role mapping

opened 10:27AM - 16 Oct 19 UTC

albertzaharovits

>bug help wanted :Security/Authentication Team:Security

Role mapping IS letter case dependent if the rule to map roles looks at the `use…rname` field. If the rule looks at the `dn` or `groups` fields, then it IS NOT letter case dependent. What this is contingent upon is the datatype of the field (`DistinguishedName` for `dn` and `groups`, and `String` for `username`). Most of the time this works flawlessly, but in the case of `LDAP` and `AD` realms, the `username`, although of type `String`, is used as part of a DN during a bind operation, during authentication. In this situation the letter casing of the `username` is not important during authentication but it is still relevant during role mapping. Given that the `username`, of type `String`, is letter case agnostic for certain realms during authentication, should the role mapping process also be agnostic of letter cases when dealing with such users in such realms? I think it should (hence labeling it a bug), but first I think we must make realms express if they account or not for username letter casing.

praveenmak · October 8, 2020, 7:23pm

@sscarduzio sorry I totally missed to read the question I posted.

No, LDAP servers are handled by our company. I have no control on that.

sscarduzio · October 8, 2020, 9:24pm

@praveenmak we cannot make LDAP user names case insensitive (only the LDAP server can, but you have no control over it) So we could only introduce a flag to take the username, and apply a transformation to it: for example toUpper, toLower, capitalize.

Which one is your LDAP server accepting?

praveenmak · October 9, 2020, 4:17pm

Actually LDAP server is accepting in any form (case , mixed case etc).

The issue is at the ROR level. If I have a config as John123 and user tries to login to Kibana as john123. ROR fails not the LDAP server.

Let me know if I am understanding it wrong.

sscarduzio · October 9, 2020, 6:06pm

OK now I understand this better! So because case sensitivity is at discretion of the authentication rule (auth_key_, or ldap_auth, etc) the local groups engine of ROR should let the usernames match in an equally liberal way, ignoring the case. This is something that ROR could accommodate, and it would remove some WTF moments while debugging ACLs involving local groups and case-insensitive external authentication systems.

@coutoPL WDYT?

coutoPL · October 10, 2020, 7:02pm

for any auth rule which checks username at ROR’s level, we can introduce such settings (+ global one). But default will stay as it is now.

sscarduzio · October 10, 2020, 7:08pm

OK let’s put it in a Jira ticket, so we will detail the feature design and add it to backlog.

praveenmak · October 20, 2020, 5:37pm

Hi Simone,

Should I create a JIRA ticket?

-Thanks

sscarduzio · October 22, 2020, 8:02am

Hi @praveenmak, we added this to our internal Jira, but the priority is low because we are prioritising Enterprise customers support and roadmap before free users’ features.

Do you have an Enterprise subscription?

praveenmak · October 22, 2020, 9:24pm

Yes, we use the enterprise ROR plugin. The email is itam@lexisnexis.com

sscarduzio · October 23, 2020, 5:08pm

OK you should have informed us about your subscription! Will move this to next sprint.

coutoPL · February 18, 2021, 8:07pm

We’ve implemented a feature (readonlyrest-docs/elasticsearch.md at develop · beshu-tech/readonlyrest-docs · GitHub) which should solve your problem. It’s not released yet, but if you with and if you send me a ES version which you currently use, I’ll send you a pre-build to test.