Nested_groups_depth doesn't work in AD

Hello,

elasticsearch and kibana version: 8.7.1
readonlyrest version: 1.52

readonlyrest:
  response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
  prompt_for_basic_auth: false
  access_control_rules:

  - name: "local user: elasticsearch"
    type: allow
    auth_key: mydomain-elasticsearch:PASSWORD

  - name: "local user: kibana"
    kibana:
      access: unrestricted
    type: allow
    auth_key: kibana_system:PASSWORD

  - name: "kibana users"
    kibana_access: "admin"
    proxy_auth:
      proxy_auth_config: "myproxy"
      users: ["*"]
    ldap_authorization:
      name: "myldap"
      groups: ["mydomain-log-users"]
  
  proxy_auth_configs:
  - name: "myproxy"
    user_id_header: "X-Forwarded-User"
  
  ldaps:
  - name: myldap
    host: "mydomain.local"
    port: 3268
    ssl_enabled: false
    ssl_trust_all_certs: true
    ignore_ldap_connectivity_problems: true
    bind_dn: "BIND_DN"
    bind_password: "PASSWORD"
    search_user_base_DN: "BASE_DN"
    user_id_attribute: "sAMAccountName"
    search_groups_base_DN: "GROUP_BASE_DN"
    unique_member_attribute: "member"
    connection_pool_size: 20
    connection_timeout: 1s
    request_timeout: 2s
    cache_ttl_in_sec: 300
    group_search_filter: "(objectClass=group)(|(CN=mydomain-log-*)(CN=Domain Admins))"
    nested_groups_depth: 3
    group_name_attribute: "cn"
    circuit_breaker:
      max_retries: 2
      reset_duration: 5s

I have the situation where I have the group “mydomain-log-users” and the group “db-engineers” inside “mydomain-log-users”. My goal: let the users in group “db-engineers” get access via the “kibana users” access rule (to avoid adding all users from group “db-engineers” directly to the group “mydomain-log-users”). I added the “nested_groups_depth: 3” parameter, but the users from the “db-engineers” group don't have access.

The Elasticsearch log when I cannot log in:

{"@timestamp":"2023-10-25T09:26:33.543Z", "log.level": "INFO", "message":"\u001B[35mFORBIDDEN by default req={ ID:147697960-1895344749#2211785, TYP:RRUserMetadataRequest, CGR:<N/A>, USR:[no info about user], BRS:true, KDX:null, ACT:cluster:internal_ror/user_metadata/get, OA:10.244.5.152/32, XFF:null, DA:10.244.132.12/32, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:Accept-Encoding=gzip,deflate, Accept=*/*, Connection=close, Host=mydomain-elasticsearch-elk:9200, User-Agent=node-fetch/1.0 (+https://github.com/bitinn/node-fetch), content-length=0, elastic-apm-traceparent=00-ea46aa55395e8a75ad0c-94edf2ffc2a3650e-00, traceparent=00-ea46aebea553933005ad442f0c-943650e-00, tracestate=es=s:0, x-forwarded-user=testuser, HIS:[local user: elasticsearch-> RULES:[auth_key->false]], [local user: kibana-> RULES:[auth_key->false]], [kibana users-> RULES:[proxy_auth->true, ldap_authorization->false] RESOLVED:[user=testuser]], }\u001B[0m", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"scala-execution-context-global-46","log.logger":"tech.beshu.ror.accesscontrol.logging.AccessControlLoggingDecorator","elasticsearch.cluster.uuid":"dXGIF-jaSJ64pwNFPAHA","elasticsearch.node.id":"r1ZjM-bCcrmV-RK8xdA","elasticsearch.node.name":"mydomain-elasticsearch-elk-0","elasticsearch.cluster.name":"mydomain-elasticsearch"}

Where are my wrong actions? Please help me to fix it.

Thanks in advance.

Hi @andrii.yermakov

Please enable debug ES logs, reproduce the behavior and send us the ES logs to analyze.

Hello, I set the debug logging mode and caught the following when I tried to log in:

{"@timestamp":"2023-10-26T09:08:23.878Z", "log.level":"DEBUG", "message":"Trying to fetch user [id=testuser] groups from LDAP [ldap-VQ]", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"scala-execution-context-global-46","log.logger":"tech.beshu.ror.accesscontrol.blocks.definitions.ldap.LoggableLdapAuthorizationServiceDecorator","elasticsearch.cluster.uuid":"dXGIF-jaSJ64pj4wNFPAHA","elasticsearch.node.id":"r1ZjM-btQVCcrmV-RK8xdA","elasticsearch.node.name":"mydomain-elasticsearch-elk-0","elasticsearch.cluster.name":"mydomain-elasticsearch"}
{"@timestamp":"2023-10-26T09:08:23.878Z", "log.level":"DEBUG", "message":"LDAP [ldap-VQ] returned for user [testuser] following groups: []", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"scala-execution-context-global-46","log.logger":"tech.beshu.ror.accesscontrol.blocks.definitions.ldap.LoggableLdapAuthorizationServiceDecorator","elasticsearch.cluster.uuid":"dXGIF-jaSJ64pj4wNFPAHA","elasticsearch.node.id":"r1ZjM-btQVCcrmV-RK8xdA","elasticsearch.node.name":"mydomain-elasticsearch-elk-0","elasticsearch.cluster.name":"mydomain-elasticsearch"}
{"@timestamp":"2023-10-26T09:08:23.878Z", "log.level":"DEBUG", "message":"\u001B[33m[kibana users] the request matches no rules in this block: { ID:233685682-1861210110#2848, TYP:RRUserMetadataRequest, CGR:<N/A>, USR:[no info about user], BRS:true, KDX:null, ACT:cluster:internal_ror/user_metadata/get, OA:10.244.5.152/32, XFF:null, DA:10.244.132.33/32, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:Accept-Encoding=gzip,deflate, Accept=*/*, Connection=close, Host=mydomain-elasticsearch-elk:9200, User-Agent=node-fetch/1.0 (+https://github.com/bitinn/node-fetch), content-length=0, elastic-apm-traceparent=00-3a5fb03482f3f16c56f80873c9f49d56-99c13193a9ade7e0-00, traceparent=00-3a5fb03482f3f16c56f80873c9f49d56-99c13193a9ade7e0-00, tracestate=es=s:0, x-forwarded-user=testuser, HIS:[kibana users-> RULES:[proxy_auth->true, ldap_authorization->false] RESOLVED:[user=testuser]], } \u001B[0m", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"scala-execution-context-global-46","log.logger":"tech.beshu.ror.accesscontrol.blocks.Block","elasticsearch.cluster.uuid":"dXGIF-jaSJ64pj4wNFPAHA","elasticsearch.node.id":"r1ZjM-btQVCcrmV-RK8xdA","elasticsearch.node.name":"mydomain-elasticsearch-elk-0","elasticsearch.cluster.name":"mydomain-elasticsearch"}

So, I think that if my group search filter does not include the needed group, LDAP returns no groups because they don't match my group filter (my user is in the ‘db-engineers’ group):

group_search_filter: "(objectClass=group)(|(CN=mydomain-log-*)(CN=Domain Admins))"

When I add the ‘db-engineers’ group to the group search filter, it returns

"LDAP [ldap-VQ] returned for user [testuser] following groups: [db-engineers,mydomain-log-users]"

and the user was able to log in.

But the groups inside my parent group ‘mydomain-log-users’ can vary, and I cannot add all of them.

So, we cannot say that ROR’s LDAP functions improperly?
It’s hard for me to say what’s wrong with your configuration because I need to know your LDAP groups’ and users’ structure to figure it out.

Maybe you don’t need to define the group_search_filter at all? Please take a look at our docs. Notice we have two modes for searching user’s groups - groups could come from LDAP Groups entries or LDAP user entries. The configuration differs.

And BTW, you should find a debug log like this too:

LDAP search [base DN: ..., scope: ..., search filter: ..., attributes: ...]

This is a search call to LDAP. In the case of nested groups, you will see more than one.

Thanks, I changed the group_search_filter to “(objectClass=group)(CN=*)”, defined nested_groups_depth: 1 and use only one nesting level for it. It works and is clearer to use.

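To make the behaviour discussed in this thread concrete, here is an added Python model (not code from the thread and not ReadonlyREST's own code) of a nested-group lookup in which the group search filter is applied on every hop. It assumes, based on the debug logs above, that the filter is ANDed with the member lookup at each level and that nested_groups_depth counts hops beyond direct membership; the directory entries, DNs and user names are constructed for the example. It reproduces the three outcomes seen in the thread: the original filter yields no groups for a user who is only a member of the nested group, the filter extended with db-engineers yields both groups, and the final (CN=*) filter with depth 1 yields both without naming the nested group.

```python
from fnmatch import fnmatchcase

# Constructed AD-like directory: group DN -> member DNs (assumption, not a real domain).
DIRECTORY = {
    "CN=mydomain-log-users,OU=Groups,DC=mydomain,DC=local": [
        "CN=db-engineers,OU=Groups,DC=mydomain,DC=local",   # nested group
        "CN=alice,OU=Users,DC=mydomain,DC=local",           # direct member
    ],
    "CN=db-engineers,OU=Groups,DC=mydomain,DC=local": [
        "CN=testuser,OU=Users,DC=mydomain,DC=local",
    ],
    "CN=Domain Admins,CN=Users,DC=mydomain,DC=local": [
        "CN=admin,OU=Users,DC=mydomain,DC=local",
    ],
}

TESTUSER = "CN=testuser,OU=Users,DC=mydomain,DC=local"
ALICE = "CN=alice,OU=Users,DC=mydomain,DC=local"

# CN patterns standing in for the (|(CN=...)(CN=...)) part of the thread's filters.
ORIGINAL_FILTER = ["mydomain-log-*", "Domain Admins"]
EXTENDED_FILTER = ["mydomain-log-*", "Domain Admins", "db-engineers"]
WILDCARD_FILTER = ["*"]


def cn_of(dn: str) -> str:
    """Return the CN value of the first RDN of a DN."""
    return dn.split(",")[0].split("=", 1)[1]


def search_groups(member_dn: str, cn_patterns: list[str]) -> list[str]:
    """Emulate (&(member=<member_dn>)(objectClass=group)(|(CN=p1)(CN=p2)...)).

    The CN filter is applied to every group returned, including the
    intermediate groups found while walking nested membership.
    """
    return [
        dn
        for dn, members in DIRECTORY.items()
        if member_dn in members
        and any(fnmatchcase(cn_of(dn), pattern) for pattern in cn_patterns)
    ]


def resolve_groups(user_dn: str, cn_patterns: list[str], nested_groups_depth: int) -> list[str]:
    """Walk nested membership up to nested_groups_depth hops beyond direct membership.

    Depth semantics are an assumption taken from the thread (depth 1 resolved
    one level of nesting). A hop that matches nothing ends the walk, which is
    why a filter that excludes the intermediate group hides the parent group too.
    """
    found: list[str] = []
    frontier = [user_dn]
    for _ in range(nested_groups_depth + 1):
        next_frontier = []
        for dn in frontier:
            for group_dn in search_groups(dn, cn_patterns):
                if group_dn not in found:
                    found.append(group_dn)
                    next_frontier.append(group_dn)
        if not next_frontier:
            break
        frontier = next_frontier
    return sorted(cn_of(dn) for dn in found)


def is_authorized(user_dn: str, cn_patterns: list[str], nested_groups_depth: int,
                  required_groups: list[str] = ("mydomain-log-users",)) -> bool:
    """Mirror the ldap_authorization rule: the user needs at least one required group."""
    return bool(set(resolve_groups(user_dn, cn_patterns, nested_groups_depth)) & set(required_groups))


if __name__ == "__main__":
    for label, patterns, depth in [("original", ORIGINAL_FILTER, 3),
                                   ("extended", EXTENDED_FILTER, 3),
                                   ("wildcard", WILDCARD_FILTER, 1)]:
        print(label, resolve_groups(TESTUSER, patterns, depth), is_authorized(TESTUSER, patterns, depth))
```

A wildcard filter such as (CN=*) returns every group the user belongs to, so it widens what the LDAP connector reports, but it does not by itself grant anything: authorization is still decided by the groups list on the access rule. The trade-off is more LDAP search traffic per login, which is where the cache_ttl_in_sec setting from the configuration above matters.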

well done @andrii.yermakov !