Hi @sscarduzio
Thank you for the suggestion, but nothing changed after I re-tested with 1.16.20-pre18
Here I’ll try to show my setup and logs as close to my real settings as possible:
So here is the rule and ldaps section:
    - name: 'My rule'
      ldap_auth:
        name: 'ldap1'
        groups: ['GROUP-2']
      kibana_access: rw
      kibana_index: '.kibana*'
      indices: [ '*logstash*', '.kibana*' ]
      actions: [ 'cluster:monitor/main', 'indices:admin/mappings/fields/get', 'indices:admin/validate/query', 'indices:admin/get' ]

  ldaps:
    - name: ldap1
      host: 'ldap.organization.com'
      #port: 636 # optional, default 389
      ssl_enabled: false # optional, default true
      ssl_trust_all_certs: true # optional, default false
      bind_dn: 'cn=ldap,ou=xxxx,ou=smth,OU=Place\, Country,OU=ZZZ and VVVV,DC=organization,DC=com'
      bind_password: 'bindpassword'
      search_user_base_DN: 'OU=This and That,DC=organization,DC=com'
      user_id_attribute: 'SAMAccountName'
      search_groups_base_DN: 'OU=Floor,OU=Place,OU=My Groups,OU=XXX & YYYY,DC=organization,DC=com'
      #unique_member_attribute: 'uniqueMember'
      groups_from_user: true
      connection_pool_size: 10 # optional, default 30
      connection_timeout_in_sec: 10 # optional, default 1
      request_timeout_in_sec: 10 # optional, default 1
      cache_ttl_in_sec: 60 # optional, default 0 - cache disabled
tcpdump -A of the memberof request:
08:15:59.025934 IP 10.0.0.1.35702 > 192.168.1.1.ldap: Flags [P.], seq 105:244, ack 2719, win 271, options [nop,nop,TS val 562671899 ecr 886277594], length 139
E.....@.@.Ne
..H..B..v....t..t.k.... ......
!...4...0.....c...XCN=My User,OU=Users,OU=Floor,OU=Place,OU=This and That,DC=organization,DC=com
..
.............objectClass0
..memberOf
08:15:59.441694 IP 192.168.1.1.ldap > 10.0.0.1.35702: Flags [P.], seq 2719:3155, ack 244, win 258, options [nop,nop,TS val 886277595 ecr 562671899], length 436
E...u.@...{R..B.
..H...v.t.k..u(.....].....
4...!...0........d......XCN=My User,OU=Users,OU=Floor,OU=Place,OU=This and That,DC=organization,DC=com0..../0....)..memberOf1......]CN=GROUP-1,OU=Floor,OU=Place,OU=My Groups,OU=XXX & YYYY,DC=organization,DC=com.ZCN=GROUPA&B,OU=Floor,OU=Place,OU=My Groups,OU=XXX & YYYY,DC=organization,DC=com.\CN=GROUP-2,OU=Floor,OU=Place,OU=My Groups,OU=XXX & YYYY,DC=organization,DC=com0........e.....
And the debug log of the same request:
[2018-06-03T08:15:58,902][DEBUG][t.b.r.a.b.r.i.LdapAuthenticationAsyncRule] Attempting Login as: my.user rc: { ID:310685897--663038645#1010, TYP:SearchRequest, CGR:N/A, USR:my.user(?), BRS:false, KDX:null, ACT:indices:data/read/search, OA:10.0.0.2, DA:10.0.0.1, IDX:.kibana, MET:POST, PTH:/.kibana/_search, CNT:{"version":true,"size":1,"query":{"bool":{"should":[{"bool":{"must":[{"term":{"_id":"5.6.8"}},{"term":{"_type":"config"}}]}},{"bool":{"must":[{"term":{"_id":"config:5.6.8"}},{"term":{"type":"config"}}]}},{"bool":{"must":[{"term":{"_id":"5.6.8"}},{"term":{"type":"config"}}]}}]}}}, HDR:{authorization=Basic XXXXXXXXXXXXXXXXXXXXX, Connection=keep-alive, Content-Length=279, content-type=application/json, Host=10.0.0.1:9200}, HIS:[Admin user->[auth_key->false]], [Kibana system user->[auth_key->false]], [Logstash rule->[auth_key->false]] }
[2018-06-03T08:15:59,024][DEBUG][t.b.r.a.d.l.u.UnboundidGroupsProviderLdapClient] LDAP search string: CN=My User,OU=Users,OU=Floor,OU=Place,OU=This and That,DC=organization,DC=com | groupsFromUserAttribute: memberOf
[2018-06-03T08:15:59,044][DEBUG][t.b.r.a.b.Block ] ESC[33m[My rule] the request matches no rules in this block: { ID:310685897--663038645#1010, TYP:SearchRequest, CGR:N/A, USR:my.user, BRS:false, KDX:null, ACT:indices:data/read/search, OA:10.0.0.2, DA:10.0.0.1, IDX:.kibana, MET:POST, PTH:/.kibana/_search, CNT:{"version":true,"size":1,"query":{"bool":{"should":[{"bool":{"must":[{"term":{"_id":"5.6.8"}},{"term":{"_type":"config"}}]}},{"bool":{"must":[{"term":{"_id":"config:5.6.8"}},{"term":{"type":"config"}}]}},{"bool":{"must":[{"term":{"_id":"5.6.8"}},{"term":{"type":"config"}}]}}]}}}, HDR:{authorization=Basic XXXXXXXXXXXXXXXXXXXX, Connection=keep-alive, Content-Length=279, content-type=application/json, Host=10.0.0.1:9200}, HIS:[Admin user->[auth_key->false]], [Kibana system user->[auth_key->false]], [Logstash rule->[auth_key->false]], [My rule->[ldap_authorization->false]] }ESC[0m
[2018-06-03T08:15:59,050][DEBUG][r.suppressed ] path: /.kibana/_search, params: {index=.kibana}
tech.beshu.ror.es.IndexLevelActionFilter$1$1: Forbidden
at tech.beshu.ror.es.IndexLevelActionFilter$1.onForbidden(IndexLevelActionFilter.java:176) ~[?:?]
[...skip...]
[2018-06-03T08:15:59,088][INFO ][t.b.r.a.ACL ] ESC[35mFORBIDDEN by default req={ ID:310685897--663038645#1010, TYP:SearchRequest, CGR:N/A, USR:my.user, BRS:false, KDX:null, ACT:indices:data/read/search, OA:10.0.0.2, DA:10.0.0.1, IDX:.kibana, MET:POST, PTH:/.kibana/_search, CNT:{"version":true,"size":1,"query":{"bool":{"should":[{"bool":{"must":[{"term":{"_id":"5.6.8"}},{"term":{"_type":"config"}}]}},{"bool":{"must":[{"term":{"_id":"config:5.6.8"}},{"term":{"type":"config"}}]}},{"bool":{"must":[{"term":{"_id":"5.6.8"}},{"term":{"type":"config"}}]}}]}}}, HDR:{authorization=Basic XXXXXXXXXXXXXXXXXXXXXXX, Connection=keep-alive, Content-Length=279, content-type=application/json, Host=10.0.0.1:9200}, HIS:[Admin user->[auth_key->false]], [Kibana system user->[auth_key->false]], [Logstash rule->[auth_key->false]], [My rule->[ldap_authorization->false]] } ESC[0m
Thank you
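The memberOf values in the tcpdump above are full distinguished names (RFC 4514), and the `groups: ['GROUP-2']` rule names only the CN part, so whether the rule matches comes down to how each DN is split into RDNs and how the CN is compared. The following is an added example written for this thread, not ReadonlyREST's own code: it parses DNs with backslash escapes (the `OU=Place\, Country` form from the bind_dn) and ampersands in OU names, extracts the group CNs, and checks them against a configured group list. The sample DNs are constructed to mirror the shapes in the post; the comparison semantics (exact, case-sensitive by default) are an assumption, since the post does not show how the plugin compares group names.

```python
"""Parse LDAP DNs from a memberOf attribute and check them against a groups list.

Added example for this thread; not ReadonlyREST code. Sample values below are
constructed to look like the ones in the post.
"""
import string
from typing import List, Tuple

# Constructed sample data shaped like the post's tcpdump and config.
SAMPLE_MEMBER_OF = [
    "CN=GROUP-1,OU=Floor,OU=Place,OU=My Groups,OU=XXX & YYYY,DC=organization,DC=com",
    "CN=GROUPA&B,OU=Floor,OU=Place,OU=My Groups,OU=XXX & YYYY,DC=organization,DC=com",
    "CN=GROUP-2,OU=Floor,OU=Place,OU=My Groups,OU=XXX & YYYY,DC=organization,DC=com",
]
SAMPLE_BIND_DN = (
    "cn=ldap,ou=xxxx,ou=smth,OU=Place\\, Country,OU=ZZZ and VVVV,DC=organization,DC=com"
)


def split_unescaped(s: str, sep: str) -> List[str]:
    """Split on `sep`, ignoring separators preceded by a backslash (RFC 4514 escape)."""
    parts, buf, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            buf.append(ch)
            buf.append(s[i + 1])  # keep the escape pair intact for later decoding
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def unescape_value(v: str) -> str:
    """Decode RFC 4514 escapes: '\\' + special char, or '\\' + two hex digits (a raw byte)."""
    raw = bytearray()
    i = 0
    while i < len(v):
        ch = v[i]
        if ch == "\\" and i + 1 < len(v):
            pair = v[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                raw.append(int(pair, 16))
                i += 3
                continue
            raw.extend(v[i + 1].encode("utf-8"))
            i += 2
            continue
        raw.extend(ch.encode("utf-8"))
        i += 1
    return raw.decode("utf-8", errors="replace")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(attribute_type, value), ...] from the leftmost RDN outward.

    Multi-valued RDNs (a=b+c=d) are not needed for this post and are kept as one value.
    """
    rdns = []
    for rdn in split_unescaped(dn, ","):
        attr, _, value = rdn.partition("=")  # attribute types never contain '='
        rdns.append((attr.strip(), unescape_value(value.lstrip())))
    return rdns


def group_cns(member_of_values: List[str]) -> List[str]:
    """The CN of each group DN; this is the name a `groups:` list refers to."""
    cns = []
    for dn in member_of_values:
        attr, value = parse_dn(dn)[0]
        if attr.lower() == "cn":
            cns.append(value)
    return cns


def rule_allows(configured_groups: List[str], member_of_values: List[str],
                case_sensitive: bool = True) -> bool:
    """True when at least one configured group name equals a group CN from memberOf.

    Assumption: exact string comparison; flip `case_sensitive` to see whether a
    case mismatch alone would explain a failed match.
    """
    norm = (lambda s: s) if case_sensitive else (lambda s: s.lower())
    wanted = {norm(g) for g in configured_groups}
    return any(norm(cn) in wanted for cn in group_cns(member_of_values))


if __name__ == "__main__":
    print("bind_dn RDNs:", parse_dn(SAMPLE_BIND_DN))
    print("group CNs:   ", group_cns(SAMPLE_MEMBER_OF))
    print("GROUP-2 allowed:", rule_allows(["GROUP-2"], SAMPLE_MEMBER_OF))
```

Running it against the constructed DNs shows that `GROUP-2` is present as a CN in the memberOf list and that the escaped comma in the bind_dn decodes to a single OU value, so neither the `&` in the OU names nor the escaped comma is, on its own, a reason for a naive CN match to fail; if the plugin still logs `ldap_authorization->false`, the comparison it performs differs from this one and is worth confirming from its debug output.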