Hello,
Here I come back with some feedback from my tests (es 2.4.5 , kibana 4.6.4, RoR 15.1 ) :
First, nice work , it is top feature.
I just had to change some stuff in configuration because I am using some MS ldap.
I also tested on basic authentication, not with kibana plugin.
The points I think need to be improved (or I was not able to fix by myself) :
1- Using a username formatted like “DOMAIN\toto” generates an error in logs, regarding parsing username.
[2017-06-27 13:31:11,350][ERROR][plugin.readonlyrest.ldap.unboundid] LDAP getting user operation failed
LDAPException(resultCode=87 (filter error), errorMessage=‘Invalid hex character ‘t’ encountered at position 12.’)
at com.unboundid.ldap.sdk.Filter.readEscapedHexString(Filter.java:1905)
at com.unboundid.ldap.sdk.Filter.create(Filter.java:1681)
In my opinion, this should be escaped, or else a parse should be done to ignore characters from 0 to the "" included.
In the futur, it could be an idea to use this part to identify which domain the user belong to, and then to test against.
2- username/password for ldap account to connect to ldap server are stored in clear in elasticsearch.yml
This point should be addressed in a futur step.
3- If in the case of one of ldap server is not reachable, elasticsearch will refuse to start.
[2017-06-28 15:26:17,924][ERROR][bootstrap ] Guice Exception: org.elasticsearch.plugin.readonlyrest.ldap.LdapClientException$InitializationException: LDAP connection problem
Likely root cause: java.net.UnknownHostException: superdc03.enovos.root.corp
in my opinion, a warning should be raised, but it should not prevent Es to start :
My opinion is we should be able to mix RoR local authentication/authorization, and ldap authentication/authorization.
If ldap(s) are not reachable, they should be skipped.
4- If in the case of credential are wrong for a ldap configuration, elasticsearch refuses to start.
in my opinion, a warning should be raised, but it should not prevent Es to start :
My opinion is we should be able to mix RoR local authentication/authorization, and ldap authentication/authorization.
If ldap(s) are not reachable or not testable, they should be skipped.
5- I see that ldap tcp session are established permanently. I could not test what happens if ldap connection is lost and the ldap server remains unreachable.
I tested by cutting out local network of ES, but no message came in log, and was able to woke RoR. (this could be a good result, it seems (behavior) RoR is bypassing ldap authentication and working only with lcoal account)
More test must be done.
6- I see that nested groups are not supported , same with users (forest wide) :
I mean :
ldap connector defined to domain A
having a local group in domain A
having a domain B user in the domain A local group.
well it is unable to authenticate in RoR
here a discussion about that kind of point, in another project.
7- To workaround the point 5 , I have to create 2 ldaps entries, one for domain A, and one for domain B, and I have to duplicate the RoR block , and to change ldap_authorization and ldap_authentication entries.
it is not a problem with 2-3 domain, but here with 14 domains, it could be … mmmh you can imagine.
maybe some improvement can be analysed.
8- Error message regarding ldap initialisation, in logs are not enough explicit : in fact, I have the message like invalid credential, but I do not know which one of ldap blocks is generating the issue…
9- Questions : I did not find how to make working ldap authentication by group membership.
In fact, using Microsoft active directory, does not contain attribute uid and unique_member.
then for now , I am able to login when using a username, against a user in an OU.
here my example of configuration.
- name: ADldap host: "FQDNOfAD" port: 389 ssl_enabled: false ssl_trust_all_certs: true bind_dn: "CN=svc_elk_ldap,OU=Service_Account,OU=Admin,DC=xxx,DC=xxx,DC=xxx" bind_password: "blahblah" search_user_base_DN: "OU=ELK,OU=Service_Account,DC=xxx,DC=xxx,DC=xxx" user_id_attribute: "sAMAccountName" search_groups_base_DN: "OU=ELKG,OU=Service_Account,DC=xxx,DC=xxx,DC=xxx" unique_member_attribute: "member" connection_pool_size: 10 connection_timeout_in_sec: 10 request_timeout_in_sec: 10 cache_ttl_in_sec: 60
the user tries to login using is accountname toto.r
in ldap query against a group, my result is :
member : CN=Toto Robert TheBest,OU=Test_purpose,OU=users,DC=xxx,DC=xxx,DC=xxx
of course it does not work.
10- special characters in password prevent the module to run correctly. ( aka , ; : @# / \ )
these should be escaped. to easier the operation, I would suggest to work in other way : Escape everything except alphanumeric ( because of german character, russian character, and last but not least, asian character…)
regarding point 10 , I found this at oracle , I dunno if it can help , but maybe the last part of document
http://docs.oracle.com/javase/jndi/tutorial/beyond/names/syntax.html
so, for now, that’s enough keeping testing