LDAP connectivity issue and rules issues


(Ajit) #1
Hi @sscarduzio,
We have installed Elasticsearch and Kibana 6.2.4 and the plugins for both. Now the .kibana index has been created and we are not getting any issue related to the index. Now we are very close to success. Please provide your support.
We are getting two issues now:

1. [Technology] the request matches no rules in this block: { ID:1293931784-1725560941#157, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.123, DA:172.21.153.123, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=example:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [Technology->[groups->false]]
 
2. [2018-06-18T13:08:11,397][DEBUG][t.b.r.a.d.l.u.UnboundidAuthenticationLdapClient] LDAP getting user CN returned no entries
[2018-06-18T13:08:11,397][DEBUG][t.b.r.a.d.l.l.AuthenticationLdapClientLoggingDecorator] User [c-shubhamg] not authenticated by LDAP [ldap1]
[2018-06-18T13:08:11,397][DEBUG][t.b.r.a.b.r.i.LdapAuthenticationAsyncRule] Attempting Login as: c-shubhamg rc: { ID:1686207621-1575972278#678, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamg(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.123, DA:172.21.153.123, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtZzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=example:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]] }

I will give you my configuration.

(Ajit) #2

readonlyrest.yml

readonlyrest:

ssl:
  enable: true
  keystore_file: "/opt/Readonlyresttest/elasticsearch-6.2.4/config/keystore.jks"
  keystore_pass: readonlyrest
  key_pass: readonlyrest
  key_alias: elk01    #This is needed only when the keystore has multiple entries
audit_collector: true

access_control_rules:

- name: "::admin::"
  auth_key: admin:admin

- name: "::LOGSTASH::"
  auth_key: logstash:logstash
  actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
  indices: ["logstash-*"]

- name: "::KIBANA-SRV::"
  auth_key: kibana:kibana
  verbosity: error

- name: "Technology"
  kibana_access: admin
  groups: ["Technology"]
  indices: [".kibana","logstash-*"]
  
users:
- username: c-shubhamg
  groups: ["Technology"]
  ldap_authentication:
    name: ldap1
  
- username: c-ajitb
  groups: ["Technology"]
  ldap_authentication:
    name: ldap1


ldaps:

- name: ldap1
  host: "ad.example.com"
  port: 389                                                 # default 389
  ssl_enabled: false                                        # default true
  ssl_trust_all_certs: true                                 
  bind_dn: "CN=c-shubhamg,OU=Technology,OU=Corporate Technology,OU=Corporate Group,DC=ad,DC=example,DC=com"                 
  bind_password: "[email protected]"                       
  search_user_base_DN: "dc=ad,dc=example,dc=com"
  search_groups_base_DN: "dc=ad,dc=example,dc=com"
  user_id_attribute: "uid"                                  
  unique_member_attribute: "uniqueMember"          
  connection_pool_size: 10                                  
  connection_timeout_in_sec: 10                           
  request_timeout_in_sec: 10                               
  cache_ttl_in_sec: 60

elasticsearch.yml

bootstrap.system_call_filter: false
cluster.name: elasticsearch-cluster
node.name: node-1
network.host: example
http.type: ssl_netty4

kibana.yml

elasticsearch.username: "kibana"
elasticsearch.password: "kibana"
elasticsearch.url: "https://example:9200"
elasticsearch.ssl.verificationMode: "none"

Please note that we have changed the server names to "example" for security reasons.


(Ajit) #3

Hi,
Need your help. Waiting for your reply.


(Simone Scarduzio) #4

OK @ajit,

Now really the only thing remaining here is to configure the LDAP connector correctly. This is the part I can help you the least with, as LDAP servers can be configured in thousands of ways, and personally I have only used OpenLDAP, rather than Microsoft Active Directory.

Please note that many other customers have already successfully managed to connect ROR to AD. I strongly recommend searching this forum for examples.

The first I came across is this: LDAP Configuration for Active Directory


(Ajit) #5
Hi @sscarduzio,
We are able to authenticate LDAP users against the LDAP server. Please find the logs below.

[2018-06-18T16:06:21,328][INFO ][t.b.r.a.b.r.i.AuthKeySyncRule] Attempting Login as: c-shubhamG rc: { ID:197972708-2122244818#1128, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS: }
[2018-06-18T16:06:21,328][DEBUG][t.b.r.a.b.Block          ] ^[[33m[::admin::] the request matches no rules in this block: { ID:197972708-2122244818#1128, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]] }^[[0m
[2018-06-18T16:06:21,328][INFO ][t.b.r.a.b.r.i.AuthKeySyncRule] Attempting Login as: c-shubhamG rc: { ID:197972708-2122244818#1128, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]] }
[2018-06-18T16:06:21,329][DEBUG][t.b.r.a.b.Block          ] ^[[33m[::LOGSTASH::] the request matches no rules in this block: { ID:197972708-2122244818#1128, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]] }^[[0m
[2018-06-18T16:06:21,329][INFO ][t.b.r.a.b.r.i.AuthKeySyncRule] Attempting Login as: c-shubhamG rc: { ID:197972708-2122244818#1128, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]] }
[2018-06-18T16:06:21,329][DEBUG][t.b.r.a.b.Block          ] ^[[33m[::KIBANA-SRV::] the request matches no rules in this block: { ID:197972708-2122244818#1128, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]] }^[[0m
[2018-06-18T16:06:21,329][DEBUG][t.b.r.a.b.r.i.LdapAuthenticationAsyncRule] Attempting Login as: c-shubhamG rc: { ID:197972708-2122244818#1128, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]] }
[2018-06-18T16:06:21,329][DEBUG][t.b.r.a.d.l.l.AuthenticationLdapClientLoggingDecorator] Trying to authenticate user [c-shubhamG] with LDAP [ldap1]
[2018-06-18T16:06:21,342][DEBUG][t.b.r.a.d.l.l.AuthenticationLdapClientLoggingDecorator] User [c-shubhamG]  authenticated by LDAP [ldap1]
[2018-06-18T16:06:21,342][DEBUG][t.b.r.a.b.r.i.LdapAuthenticationAsyncRule] Attempting Login as: c-shubhamG rc: { ID:197972708-2122244818#1128, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG, BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]] }
[2018-06-18T16:06:21,342][DEBUG][t.b.r.a.d.l.l.AuthenticationLdapClientLoggingDecorator] Trying to authenticate user [c-shubhamG] with LDAP [ldap1]
[2018-06-18T16:06:21,342][DEBUG][t.b.r.a.d.l.l.AuthenticationLdapClientLoggingDecorator] User [c-shubhamG]  authenticated by LDAP [ldap1]
[2018-06-18T16:06:21,342][DEBUG][t.b.r.a.b.r.i.LdapAuthenticationAsyncRule] Attempting Login as: c-shubhamG rc: { ID:197972708-2122244818#1128, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG, BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]] }
[2018-06-18T16:06:21,342][DEBUG][t.b.r.a.d.l.l.AuthenticationLdapClientLoggingDecorator] Trying to authenticate user [c-shubhamG] with LDAP [ldap1]
[2018-06-18T16:06:21,342][DEBUG][t.b.r.a.d.l.l.AuthenticationLdapClientLoggingDecorator] User [c-shubhamG]  authenticated by LDAP [ldap1]
[2018-06-18T16:06:21,342][DEBUG][t.b.r.a.b.Block          ] ^[[33m[Corporate Group] the request matches no rules in this block: { ID:197972708-2122244818#1128, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG, BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [Corporate Group->[groups->false]] }^[[0m
[2018-06-18T16:06:21,342][DEBUG][r.suppressed             ] path: /_nodes/_local, params: {nodeId=_local}
tech.beshu.ror.es.IndexLevelActionFilter$1$1: forbidden
        at tech.beshu.ror.es.IndexLevelActionFilter$1.onForbidden(IndexLevelActionFilter.java:165) ~[?:?]
        at tech.beshu.ror.acl.ACL.lambda$check$4(ACL.java:203) ~[?:?]
        at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) ~[?:1.8.0_111]
        at java.util.concurrent.CompletableFuture.uniApplyStage(CompletableFuture.java:614) ~[?:1.8.0_111]
        at java.util.concurrent.CompletableFuture.thenApply(CompletableFuture.java:1983) ~[?:1.8.0_111]
        at tech.beshu.ror.acl.ACL.check(ACL.java:198) ~[?:?]
 

Now please provide a proper solution.

(Ajit) #6

Hi @sscarduzio,
In the above logs, user c-shubhamg is authenticated by LDAP [ldap1], but we are getting the exception "the request matches no rules in this block". Now, where is the actual issue? Please reply on this thread as soon as possible.


(Simone Scarduzio) #7

@ajit, the logs talk about a block of rules called "Corporate Group" which is not in the readonlyrest.yml you provided. Maybe you have been editing the YAML from the web GUI in Kibana? Keep in mind that if you edit in the web GUI, the changes are not reflected in the file.

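The mismatch Simone points out can be checked mechanically. What follows is an added example, not ReadonlyREST's own code and not written by any poster in this thread: it pulls the block names out of the HIS: history that ROR's DEBUG lines carry, compares them with the names under access_control_rules in the readonlyrest.yml text, and reports any block the running ACL evaluated that the file does not define, together with the rule that rejected the request in it. The YAML excerpt and the log line are constructed to mirror this thread (shortened, with a placeholder Basic token), and the helper masks the authorization header before printing, since these DEBUG lines echo the credential verbatim.

```python
"""Cross-check ACL block names seen in ReadonlyREST DEBUG logs against the
access_control_rules in a readonlyrest.yml. Added example, not ROR's own code."""
import re
from typing import Dict, List, Set, Tuple

# One HIS entry looks like [BLOCK->[rule->result]]; BLOCK may contain spaces
# and colons (e.g. "::admin::", "Corporate Group") but never square brackets.
_HIS_ENTRY = re.compile(r"\[([^\[\]]+)->\[(\w+)->(\w+)\]\]")
# Basic-auth credential that ROR echoes into its HDR:{...} dump at DEBUG level.
_BASIC = re.compile(r"(authorization=Basic )\S+")

# Constructed sample mirroring the thread's layout (not the poster's real file).
SAMPLE_YAML = """\
readonlyrest:
  access_control_rules:
  - name: "::admin::"
    auth_key: admin:admin
  - name: "::KIBANA-SRV::"
    auth_key: kibana:kibana
  - name: "Technology"
    kibana_access: admin
    groups: ["Technology"]
  users:
  - username: c-shubhamg
    groups: ["Technology"]
"""

# Constructed, shortened copy of the rejection line from the thread; the Basic
# token is a placeholder ("ABC:123"), not a real credential.
SAMPLE_LOGS = [
    "[2018-06-18T16:06:21,342][DEBUG][t.b.r.a.b.Block] [Corporate Group] the request "
    "matches no rules in this block: { ID:1#1, TYP:NodesInfoRequest, USR:c-shubhamG, "
    "ACT:cluster:monitor/nodes/info, HDR:{authorization=Basic QUJDOjEyMw==, Connection=close}, "
    "HIS:[::admin::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], "
    "[Corporate Group->[groups->false]] }",
]


def parse_history(log_line: str) -> List[Tuple[str, str, str]]:
    """Return (block, rule, result) for every block ROR tried on this request."""
    return _HIS_ENTRY.findall(log_line)


def redact_authorization(log_line: str) -> str:
    """Mask the Basic credential before a DEBUG line is stored or pasted anywhere."""
    return _BASIC.sub(r"\1[REDACTED]", log_line)


def configured_blocks(yaml_text: str) -> List[str]:
    """Block names under access_control_rules. No YAML library is needed: each
    block starts with '- name:', and the next key at the same or a shallower
    indent (users:, ldaps:, ...) ends the section."""
    names: List[str] = []
    in_acl, acl_indent = False, 0
    for raw in yaml_text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        stripped = raw.strip()
        m_key = re.match(r"^([\w.]+):\s*$", stripped)  # bare section key
        if m_key:
            if m_key.group(1) == "access_control_rules":
                in_acl, acl_indent = True, indent
            elif in_acl and indent <= acl_indent:
                in_acl = False
            continue
        m_name = re.match(r'^-\s*name:\s*"?(.*?)"?\s*$', stripped)
        if in_acl and m_name:
            names.append(m_name.group(1))
    return names


def unknown_blocks(log_lines: List[str], yaml_text: str) -> Dict[str, List[str]]:
    """Map each block seen in the logs but absent from the YAML to the rules
    that were evaluated inside it (sorted, for stable output)."""
    known = set(configured_blocks(yaml_text))
    seen: Dict[str, Set[str]] = {}
    for line in log_lines:
        for block, rule, _result in parse_history(line):
            if block not in known:
                seen.setdefault(block, set()).add(rule)
    return {block: sorted(rules) for block, rules in sorted(seen.items())}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(redact_authorization(line))
    for block, rules in unknown_blocks(SAMPLE_LOGS, SAMPLE_YAML).items():
        print(f"block {block!r} evaluated by the running ACL but not in file; rules: {rules}")
```

A non-empty result means the ACL Elasticsearch is running differs from the file on disk, which is exactly the GUI-edit situation described above; an empty result with the same rejection points at the rule itself (here groups, i.e. the LDAP group lookup) rather than at configuration drift.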

(Akhilesh Tiwari) #8

Hi @sscarduzio

Finally we got success.
We are able to log in with our LDAP.
Now our main focus is on index authorisation.

Simone, thanks for your support.


(Simone Scarduzio) #9

@Akhilesh this is great news :slight_smile:
Good job guys!


(Ajit) #10

Hi @sscarduzio,

Thanks for your support. Now we have got success with the LDAP configuration.