LDAP connectivity not working

ajit · May 30, 2018, 9:55am

Hi,
We want to connect kibana with LDAP. I have done some configuration but getting exception impossible to add block to ACL. Need guidelines to setup LDAP connectivity. Below is my configuration.

readonlyrest:
    enable: true # optional, defaults=true if at least 1 "access_control_rules" block
    prompt_for_basic_auth: false
    
    ssl:
      enable: true
      keystore_file: "/opt/ElasticSearchKibana/elasticsearch-6.2.4/config/keystore.jks"
      keystore_pass: readonlyrest
      key_pass: readonlyrest
      key_alias: elk01    #This is needed only when the keystore has multiple entries

    access_control_rules:

    - name: "::LOGSTASH::"
      auth_key: logstash:logstash
      actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["logstash-*"]

    - name: "::KIBANA-SRV::"
      auth_key: kibana:kibana

    - name: "::ADMIN::"
      auth_key: admin:admin
      # KIBANA ADMIN ACCESS NEEDED TO EDIT SECURITY SETTINGS IN ROR KIBANA APP!

    - name: Accept requests from users in group team1 on index1
      ldap_auth:
          name: "ldap1"                                       # ldap name from below 'ldaps' section
          groups: ["g1"]                                # group within 'ou=Groups,dc=example,dc=com'
      indices: ["index1"]

    ldaps:
    
    - name: ldap1
      host: "ad.crisil.com"
      port: 389                                                 # optional, default 389
      ssl_enabled: false                                        # optional, default true
      ssl_trust_all_certs: true                                 # optional, default false
      bind_dn: "CN=c-ShubhamG,OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"                     # optional, skip for anonymous bind
      bind_password: iSTEVEJOBS17/                                 # optional, skip for anonymous bind
      search_user_base_DN: "ou=ad,dc=crisil,dc=com"
      user_id_attribute: "uid"                                  # optional, default "uid"
      search_groups_base_DN: "ou=ad,dc=crisil,dc=com"
      unique_member_attribute: "uniqueMember"                   # optional, default "uniqueMember"
      connection_pool_size: 10                                  # optional, default 30
      connection_timeout_in_sec: 10                             # optional, default 1
      request_timeout_in_sec: 10                                # optional, default 1
      cache_ttl_in_sec: 60                                      # optional, default 0 - cache disabled

Thanks,
Ajit

sscarduzio · May 30, 2018, 10:11am

Hi @ajit,

Please set up Elasticsearch in debug log mode, and grep for LDAP from the logs to see the single bind operations and the LDAP level errors.

ajit · May 30, 2018, 11:40am

Hi,
We have only one group in LDAP/active directory. Then how to give different permissions with different index access to particular user. My scenario is, I have to use LDAP connectivity for on authentication and I have only one group in LDAP. How can I create multiple groups in ROR and also in LDAP.
Scenario is simple i.e. I have to just use LDAP for authentication then How can I authorise different users with different actions and indexes. Do we have GUI for giving authorisation to LDAP users.
Please guide on this.

sscarduzio · May 30, 2018, 11:52am

This is a strange request, because this is exactly what groups are for. Can’t you simply manage groups with LDAP?

ajit · May 30, 2018, 2:24pm

Is there any way that I can use LDAP only for authentication. And I want authorisation mapping to users in kibana application. Because we cant manage LDAP groups. Please provide any solution if possible.

ajit · May 31, 2018, 7:07am

Can we use readonlyrest only for LDAP authentication. Authorisation should be handle at kibana level.

sscarduzio · May 31, 2018, 8:18am

Yes you can. See the example below: each user needs to be specified under the “users:” section

readonlyrest:

  ssl:
    keystore_file: "keystore.jks"
    keystore_pass: readonlyrest
    key_pass: readonlyrest

  audit_collector: true

  access_control_rules:
  - name: kibanaserver
    auth_key: kibana:kibana
    verbosity: error

   # One or more blocks to specify common permissions for group1
  - name: group1
    indices: [".kibana", "logstash-@{user}-*"]
    kibana_access: rw
    groups: ["group1"]

 # all the users->group associations are specified down here. User by user. 
  users:
  - username: morgan
    groups: ["group1"]
    ldap_authentication:
      name: ldap1

  - username: cartman
    groups: ["group1"]
    ldap_authentication:
      name: ldap1


  ldaps:
  - name: ldap1
    host: localhost
    port: 32896                                                 # default 389
    ssl_enabled: false                                        # default true
    ssl_trust_all_certs: true                                 # default false
    bind_dn: "cn=admin,dc=example,dc=com"                     # skip for anonymous bind
    bind_password: "password"                                 # skip for anonymous bind
    search_user_base_DN: "ou=People,dc=example,dc=com"
    search_groups_base_DN: "ou=Groups,dc=example,dc=com"
    user_id_attribute: "uid"                                  # default "uid"
    unique_member_attribute: "uniqueMember"                   # default "uniqueMember"
    connection_pool_size: 10                                  # default 30
    connection_timeout_in_sec: 10                             # default 1
    request_timeout_in_sec: 10                                # default 1
    cache_ttl_in_sec: 60                                      # default 0 - cache disabled

ajit · June 1, 2018, 10:01am

Hi,

readonlyrest:
    enable: true # optional, defaults=true if at least 1 "access_control_rules" block
    prompt_for_basic_auth: false
    
    ssl:
      enable: true
      keystore_file: "/opt/ElasticSearchKibana/elasticsearch-6.2.4/config/keystore.jks"
      keystore_pass: readonlyrest
      key_pass: readonlyrest
      key_alias: elk01    #This is needed only when the keystore has multiple entries

    audit_collector: true

    access_control_rules:
    - name: kibanaserver
      auth_key: kibana:kibana
      verbosity: error

   # One or more blocks to specify common permissions for group1
    - name: group1
      indices: [".kibana", "logstash-@{user}-*"]
      kibana_access: rw
      groups: ["group1"]

 # all the users->group associations are specified down here. User by user. 
    users:
    - username: c-ajitb
      groups: ["group1"]
      ldap_authentication:
        name: ldap1

    - username: cartman
      groups: ["group1"]
      ldap_authentication:
        name: ldap1


    ldaps:
    - name: ldap1
      host: "ad.crisil.com"
      port: 389                                                 # default 389
      ssl_enabled: false                                        # default true
      ssl_trust_all_certs: true                                 # default false
      bind_dn: "CN=c-ShubhamG,OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"                     # skip for anonymous bind
      bind_password: "May@2018"                                 # skip for anonymous bind
      search_user_base_DN: "OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"
      search_groups_base_DN: "OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"
      user_id_attribute: "sAMAccountName"                                  # default "uid"
      unique_member_attribute: "member"                   # default "uniqueMember"
      connection_pool_size: 10                                  # default 30
      connection_timeout_in_sec: 10                             # default 1
      request_timeout_in_sec: 10                                # default 1
      cache_ttl_in_sec: 60

Above code contains my configuration. Though I am not able to login using my LDAP credentials.
Please provide configuration only for authentication.

ajit · June 1, 2018, 11:05am

Hi we are almost done with configuration. Just LDAP configuration is not working. I have experience with x-pack. That was working fine for me.
I don’t want groups. Just enter username and password and authenticate user with LDAP. And from ReadonlyRest tab I will configure authorisation for that users. We don’t have groups on LDAP. So I don’t want to add group blocks in configuration. Need only LDAP configuration for authentication of users.

sscarduzio · June 1, 2018, 1:34pm

Hi @ajit,
I think for this non-standard configuration to work I just tested that you need some fixes that are not in your current ES plugin build. Please try again using this build:

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/build/1.16.20_pre18/readonlyrest-1.16.20_pre18_es6.2.4.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20180601/eu-west-1/s3/aws4_request&X-Amz-Date=20180601T133404Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=d0d95bd0698fb0f2fa166a2e5e196d7c6d0eaf44cbf97ac4c61c7fc637ddf7dc

ajit · June 4, 2018, 6:32am

Hi, I will use this build but give me configuration for LDAP. As I have told you earlier that we have only one group in LDAP. So please edit my configuration and provide me final working configuration for LDAP. After that I should be able to login in kibana with all LDAP users. From kibana user I will set authorisation for LDAP users.

sscarduzio · June 4, 2018, 12:16pm

@ajit my example was about two users “cartman” and “morgan” that belong to a single group “group1” LDAP. Just replace “group1” with whatever your single group is called and create an entry under “user” for each LDAP user you have.

ajit · June 4, 2018, 1:30pm

Hi,
I have tried all combinations for group name. Though I am not able to login with LDAP user.
Getting exception “️ Could not login: Forbidden (403)” .
Also while starting elasticsearch and kibana I am not getting any LDAP related configuration on the console.

Below is my configuration snippet.

readonlyrest:
    enable: true # optional, defaults=true if at least 1 "access_control_rules" block
    prompt_for_basic_auth: false
    
    ssl:
      enable: true
      keystore_file: "/opt/ElasticSearchKibana/elasticsearch-6.2.4/config/keystore.jks"
      keystore_pass: readonlyrest
      key_pass: readonlyrest
      key_alias: elk01    #This is needed only when the keystore has multiple entries

    audit_collector: true

    access_control_rules:
    - name: kibanaserver
      auth_key: kibana:kibana
      verbosity: error

   # One or more blocks to specify common permissions for group1
    - name: group1
      indices: [".kibana", "logstash-@{user}-*"]
      kibana_access: rw
      groups: ["OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"]

 # all the users->group associations are specified down here. User by user. 
    users:
    - username: c-ajitb
      groups: ["OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"]
      ldap_authentication:
        name: ldap1

    - username: c-akhilesht
      groups: ["OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"]
      ldap_authentication:
        name: ldap1


    ldaps:
    - name: ldap1
      host: "ad.crisil.com"
      port: 389                                                 # default 389
      ssl_enabled: false                                        # default true
      ssl_trust_all_certs: true                                 # default false
      bind_dn: "CN=c-ShubhamG,OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"                     # skip for anonymous bind
      bind_password: "May@2018"                                 # skip for anonymous bind
      search_user_base_DN: "OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"
      search_groups_base_DN: "OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"
      #user_id_attribute: "uid"                                  # default "uid"
      #unique_member_attribute: "uniqueMember"                   # default "uniqueMember"
      #connection_pool_size: 10                                  # default 30
      #connection_timeout_in_sec: 10                             # default 1
      #request_timeout_in_sec: 10                                # default 1
      #cache_ttl_in_sec: 60

Note: I have installed new build that you have given.

sscarduzio · June 4, 2018, 4:28pm

Why did you do this? What does it mean? You just have to put the group name between double quotes.

sscarduzio · June 4, 2018, 4:31pm

@ajit please keep in mind that if you want me to do this on your machine, Beshu Limited (our company) can provide professional services, and bill you accordingly.

ajit · June 5, 2018, 8:00am

Hi, Now I am able to login with LDAP users. But not able to see any screen after login. Getting alert no identity metadata found. I want index1 should be accessible to only one group (Technology). Please provide authorisation solution for group. Below is my configuration.

readonlyrest:
prompt_for_basic_auth: false

ssl:
  enable: true
  keystore_file: "/opt/ElasticSearchKibana/elasticsearch-6.2.4/config/keystore.jks"
  keystore_pass: readonlyrest
  key_pass: readonlyrest
  key_alias: elk01    #This is needed only when the keystore has multiple entries

audit_collector: true
access_control_rules:

users:
- username: c-ShubhamG
  groups: ["Technology"]
  ldap_authentication:
    name: ldap1
  indices: [".kibana","index1"]

ldaps:
- name: ldap1
  host: "ldap://ad.crisil.com:389"
  port: 389
  ssl_enabled: false                          
  ssl_trust_all_certs: true
  bind_dn: "CN=c-ShubhamG,OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"
  bind_password: "May@2018"
  search_user_base_DN: "dc=ad,dc=crisil,dc=com"
  search_groups_base_DN: "dc=ad,dc=crisil,dc=com"

ajit · June 5, 2018, 8:20am

Is there any missing in configuration. Now able to login but getting metadata not found exception. And there is nothing like reordering in ACL blocks. Because I have only one block in configuration. Please provide solution on the authorisation. In the configuration I have changed host. And now groups, host, port everything is proper from LDAP side. Please let me know anything missing.

sscarduzio · June 5, 2018, 8:23am

that YAML does not make sense because there is no ACL block.

A correct example would be the following. Notice how the entries under “users” do not contain anything but “groups” and authentication related rules.

And all the constraints like “indices”, “kibana_access” etc, should go under an ACL block, under “access_control_rules”

access_control_rules:

# START OF ACL BLOCKS
- name: "BLOCK1: Kibana server"
  auth_key: "kibana:kibana"

- name: "BLOCK2: Allow Technology group"
  groups: ["Technology"]
  indices: [".kibana", "index1"]

# END OF ACL BLOCKS

users:

# BEGIN OF USERS 

- username: c-ShubhamG
  groups: ["Technology"]
  ldap_authentication:
    name: ldap1

# END OF USERS

ldaps:
....

ajit · June 5, 2018, 11:11am

Hi,
In this case I am getting exception caused by LDAPException An error occurred while attempting to resolve address ‘ldap://ad.crisil.com:389’: UnknownHostException(message='ldap://ad.crisil.com:389: Name or service

But in my configuration I am able to login with LDAP users means host : ‘ldap://ad.crisil.com:389’ is proper and working fine.
In your case its giving exception. Please suggest on this.

sscarduzio · June 5, 2018, 3:10pm

how do you know that it’s actually going to LDAP and being successful in the first case?