LDAP Configuration Troubleshoot

seancamela · December 26, 2018, 3:46pm

Hi there!

I am trying to configure LDAP Authentication with Active Directory. But I am getting this error at ES:

[2018-12-26T17:43:35,160][INFO ][t.b.r.e.IndexLevelActionFilter] [QUAL-LOGSRV-01] Settings observer refreshing…
[2018-12-26T17:43:35,172][INFO ][t.b.r.a.ACL ] ADDING BLOCK: { name: ‘::LOGSTASH::’, policy: ALLOW, rules: [auth_key, actions, indices]}
[2018-12-26T17:43:35,172][INFO ][t.b.r.a.ACL ] ADDING BLOCK: { name: ‘::KIBANA-SRV::’, policy: ALLOW, rules: [auth_key]}
[2018-12-26T17:43:35,172][INFO ][t.b.r.a.ACL ] ADDING BLOCK: { name: ‘::RO::’, policy: ALLOW, rules: [auth_key, kibana_access, indices, kibana_hide_apps]}
[2018-12-26T17:43:35,172][INFO ][t.b.r.a.ACL ] ADDING BLOCK: { name: ‘::RW::’, policy: ALLOW, rules: [auth_key, kibana_access, indices, kibana_hide_apps]}
[2018-12-26T17:43:35,172][INFO ][t.b.r.a.ACL ] ADDING BLOCK: { name: ‘::ADMIN::’, policy: ALLOW, rules: [auth_key, kibana_access]}
[2018-12-26T17:43:35,172][INFO ][t.b.r.a.ACL ] ADDING BLOCK: { name: ‘admins’, policy: ALLOW, rules: [kibana_access, indices, kibana_hide_apps]}
[2018-12-26T17:43:35,252][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [QUAL-LOGSRV-01] fatal error in thread [Background connect thread for QUALADDS.TESTES.LOCAL/8.5.5.8:389], exiting
java.lang.ExceptionInInitializerError: null
at com.unboundid.ldap.sdk.ConnectThread.run(ConnectThread.java:152) ~[?:?]
Caused by: java.security.AccessControlException: access denied (“java.util.PropertyPermission” “*” “read,write”)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_172]
at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_172]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_172]
at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1262) ~[?:1.8.0_172]
at java.lang.System.getProperties(System.java:630) ~[?:1.8.0_172]
at com.unboundid.util.Debug.(Debug.java:166) ~[?:?]
… 1 more

Here is my readonlyrest.yml configuration:

readonlyrest:
access_control_rules:

- name: "::LOGSTASH::"
  auth_key: logstash:logstash
  actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
  indices: ["demo-csv-*","filebeat-*","logstash*","servico*","winlogbeat-*"]
  
- name: "::KIBANA-SRV::"
  auth_key: kibana:kibana
  
- name: "::RO::"
  auth_key: ro:dev
  kibana_access: ro
  indices: [ ".kibana", ".kibana-devnull", "filebeat-*"]
  kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]
  
- name: "::RW::"
  auth_key: rw:dev
  kibana_access: rw
  indices: [".kibana", ".kibana-devnull", "filebeat-*" ,"winlogbeat-*"]
  kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]
  
- name: "::ADMIN::"
  auth_key: admin:kibana
  kibana_access: admin
  
- name: admins
  kibana_access: rw
  indices: [".kibana", ".kibana-devnull", "filebeat-*"]
  kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]
  
- name: "::RW LDAP::"
  ldap_auth:
    name: "ldap1"
    groups: ["admins"] 
  
users:
- username: scamela
  groups: ["admins"]
  ldap_authentication: "ldap1"

ldaps:
- name: ldap1
  host: "QUALADDS.TESTES.LOCAL"
  port: 389                                                     
  ssl_enabled: false                                            
  ssl_trust_all_certs: true                                     
  bind_dn: "CN=Sean Camela,OU=Users,OU=DSI,DC=TESTES,DC=local"
  bind_password: "P@ssword1"
  search_user_base_DN: "OU=Users,OU=DSI,DC=TESTES,DC=local"
  user_id_attribute: "sAMAccountName"                       
  search_groups_base_DN: "OU=DSI,DC=TESTES,DC=local"
  unique_member_attribute: "member"
  connection_pool_size: 10                        
  connection_timeout_in_sec: 10                   
  request_timeout_in_sec: 10                      
  cache_ttl_in_sec: 60                            
  group_search_filter: "(objectClass=group)(cn=*)"
  group_name_attribute: "cn"

Here is the /usr/share/elasticsearch/plugins/readonlyrest/plugin-security.policy file:

grant {
permission java.security.SecurityPermission “getProperty.ssl.KeyManagerFactory.algorithm”;
permission java.lang.reflect.ReflectPermission “suppressAccessChecks”;
permission java.lang.RuntimePermission “accessDeclaredMembers”;
permission java.lang.RuntimePermission “accessClassInPackage.sun.misc”;
permission java.net.SocketPermission “QUALADDS.TESTES.LOCAL:389”, “accept, connect, resolve”;
permission java.util.PropertyPermission “", “read,write”;
permission java.util.PropertyPermission "”, “read,write”;
permission java.lang.RuntimePermission “getClassLoader”;
permission java.net.SocketPermission “*”, “accept, resolve, connect”;
permission java.io.FilePermission “<< ALL FILES >>”, “read”;
permission java.lang.RuntimePermission “setContextClassLoader”;
};

What can I do to get this working?

Regards

Sean Camela

askids · December 26, 2018, 11:08pm

Did you manually modify your security policy file? This is what I have on my current installation that is also using LDAP.

permission java.util.PropertyPermission "*", "read,write";
permission java.net.SocketPermission "*", "accept, resolve, connect";

I am also seeing duplicate entries on your permission file. Default policy file already has a an entry for java.net.SocketPermission for *. So I don’t think that you will need to add separate entry again for the LDAP server. I would suggest that you retry it once with the default policy file.

seancamela · December 27, 2018, 7:31am

Yes, I manually modified the security policy file when trying to get this working.

Now the the plugin-security.policy file contains this:

  permission java.security.SecurityPermission "getProperty.ssl.KeyManagerFactory.algorithm";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
  permission java.util.PropertyPermission "*", "read,write";
  permission java.net.SocketPermission "*", "accept, resolve, connect";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.io.FilePermission "<< ALL FILES >>", "read";
  permission java.lang.RuntimePermission "setContextClassLoader";
};

But I am still getting error:

[2018-12-27T09:12:25,701][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [QUAL-LOGSRV-01] fatal error in thread [Background connect thread for QUALADDS.TESTES.LOCAL/10.2.27.1:389], exiting
java.lang.ExceptionInInitializerError: null
at com.unboundid.ldap.sdk.ConnectThread.run(ConnectThread.java:152) ~[?:?]
Caused by: java.security.AccessControlException: access denied (“java.util.PropertyPermission” “*” “read,write”)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_172]
at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_172]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_172]
at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1262) ~[?:1.8.0_172]
at java.lang.System.getProperties(System.java:630) ~[?:1.8.0_172]
at com.unboundid.util.Debug.(Debug.java:166) ~[?:?]
… 1 more

Woodsmen · December 27, 2018, 6:42pm

Getting the same issue, I’ve narrowed it down in my config as something to do with the groups within the ACL

If you comment out this section it will save, but probably won’t work as expected

sscarduzio · December 28, 2018, 4:52am

@Woodsmen are you sure the error is the same? You seem to have an indentation issue (ldap_auth should be right under “name”)

sscarduzio · December 28, 2018, 4:56am

Why did you need to edit the file? Was a permission missing?

seancamela · December 28, 2018, 8:23am

Finally it is working.

I had to edit the /usr/java/jdk1.8.0_172-amd64/jre/lib/security/java.policy file:

// Standard extensions get all permissions by default

grant {
permission java.util.PropertyPermission “*”, “read,write”; -----> ADDED BY ME
};

grant codeBase “file:${{java.ext.dirs}}/*” {
permission java.security.AllPermission;
};

// default permissions granted to all domains

grant {
// Allows any thread to stop itself using the java.lang.Thread.stop()
// method that takes no argument.
// Note that this permission is granted by default only to remain
// backwards compatible.
// It is strongly recommended that you either remove this permission
// from this policy file or further restrict it to code sources
// that you specify, because Thread.stop() is potentially unsafe.
// See the API specification of java.lang.Thread.stop() for more
// information.
permission java.lang.RuntimePermission “stopThread”;
    // allows anyone to listen on dynamic ports
    permission java.net.SocketPermission "localhost:0", "listen";
    permission java.net.SocketPermission "10.2.27.1:389", "connect,resolve"; **-----> ADDED BY ME**

    // "standard" properies that can be read by anyone

    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";

    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";

    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";
};

The /usr/share/elasticsearch/plugins/readonlyrest/plugin-security.policy file contains:

grant {
permission java.security.SecurityPermission “getProperty.ssl.KeyManagerFactory.algorithm”;
permission java.lang.reflect.ReflectPermission “suppressAccessChecks”;
permission java.lang.RuntimePermission “accessDeclaredMembers”;
permission java.lang.RuntimePermission “accessClassInPackage.sun.misc”;
permission java.util.PropertyPermission “*”, “read,write”;
permission java.lang.RuntimePermission “getClassLoader”;
permission java.io.FilePermission “<< ALL FILES >>”, “read”;
permission java.lang.RuntimePermission “setContextClassLoader”;
};

Thanks to all.

Regards

Sean Camela

Woodsmen · December 28, 2018, 3:36pm

no my error was seemingly caused by a version miss match between cluster nodes

Now I am trying to diagnose why ldap logins are not being recognized, which is probably just a configuration issue on my part