[QUESTION] Help needed to get LDAP auth working


(Askids) #1

hi,

I am trying to use LDAP authentication and authorization in a single rule. But my id is not part of the group that I have given for authorization. But curl is still not throwing any error.

If I use basic authentication and do not pass the id/pwd in the CURL command, I can see the ROR forbidden error message. Now when I only have LDAP rules and no basic authentication rules, I don’t get any error and my CURL request is still getting processed. How do I verify that ROR is using the LDAP rules at all? In the logs, I could not see anything relevant in log as well.

Below is my ROR entries in elasticsearch.yml file.

    # ReadonlyREST entries
    http.type: ssl_netty4
    readonlyrest:
        enable: true 
        response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
        
        ssl:
          enable: true
          # put the keystore in the same dir with elasticsearch.yml 
          keystore_file: "plugins/readonlyrest/mykeystore.jks"
          keystore_pass: Password1
          key_pass: Password1
       
        access_control_rules:
       
        - name: Accept requests to mydb from users with valid LDAP credentials, belonging to LDAP group
          type: allow
          verbosity: info  
          ldap_auth:
            name: "ldap1"
            groups: ["MY_ADGROUP_NAME"]
          indices: ["mydb*"]

        ldaps:
        
        - name: ldap1
          host: "xxxxx.xxxxxxxxxxx.com"
          port: 389                                                 # default 389
          ssl_enabled: true                                         # default true
          ssl_trust_all_certs: true                                 # default false
          bind_dn: "cn=serviceid,dc=xxxxxxxxxxx,dc=com"             # skip for anonymous bind
          bind_password: "serviceidpwd"                                 # skip for anonymous bind
          search_user_base_DN: "ou=People,dc=xxxxxxxxxxx,dc=com"
          user_id_attribute: "sAMAccountName"                       # default "uid"
          search_groups_base_DN: "OU=xxxxx,OU=yyyyyyyy,OU=zzzz,OU=abcd,DC=corp,DC=xxxxxxxxxxx,DC=com"
          unique_member_attribute: "member"                         # default "uniqueMember"
          connection_pool_size: 10                                  # default 30
          connection_timeout_in_sec: 10                             # default 1
          request_timeout_in_sec: 10                                # default 1
          cache_ttl_in_sec: 60                                      # default 0 - cache disabled

Thanks!


(Simone Scarduzio) #2

I found that if the LDAP server is down when settings are loaded, an exception will abort all the ACL initialisation. That would result in no ACL to be run when requests come.

You will have a fix today in 1.16.11-pre7 together with some performance optimisations I made for CERN in the weekend.


(Askids) #3

@sscarduzio Thank you. I will give it a shot today and update back on this thread.


(Askids) #4

Still no luck. Even with new version, requests are going through even through my id is not part of the ad group. How do I verify if ROR is even intercepting these requests? I don’t see any entry in log after this

[2017-09-18T17:49:30,360][INFO ][o.e.p.r.e.ReloadableSettingsImpl] [CLUSTERWIDE SETTINGS] index settings not found. Will keep on using the local YAML file. Learn more about clusterwide settings at https://readonlyrest.com/pro.html 

My issue looks similar to the one reported below.


(Askids) #5

hi @sscarduzio, I have now upgraded to 1.16.11-pre9. Now I am seeing the error that the LDAP ACL block was not applied. How do I verify for what reason, the ACL is not being applied?

[2017-09-21T19:03:49,737][DEBUG][o.e.a.ActionModule       ] Using REST wrapper from plugin org.elasticsearch.plugin.readonlyrest.es.ReadonlyRestPlugin
[2017-09-21T19:03:49,997][INFO ][o.e.d.DiscoveryModule    ] [ESURPPOC2-node1] using discovery type [zen]
[2017-09-21T19:03:50,489][INFO ][o.e.p.r.e.SettingsManagerImpl] Loaded good settings from config\readonlyrest.yml
[2017-09-21T19:03:50,871][ERROR][o.e.p.r.a.ACL            ] Impossible to add block to ACL: Accept requests to mydb from users with valid LDAP credentials, belonging to LDAP group 'team2'
[2017-09-21T19:03:50,873][INFO ][o.e.p.r.e.IndexLevelActionFilter] Configuration reloaded - ReadonlyREST enabled
[2017-09-21T19:03:50,892][INFO ][o.e.p.r.e.IndexLevelActionFilter] Readonly REST plugin was loaded...

(Simone Scarduzio) #6

Good point @askids, I added the exception type and message to the log line now. It will be in the next build.


(Askids) #7

@sscarduzio, I see that a new release build is available. Is detailed logging available in this version?


(Simone Scarduzio) #8

yes it’s there, you can test it and see.


(Askids) #9

Ok. Will test and update back on this thread. Thanks!


(Askids) #10

This is what I see in the logs now.

[2017-09-25T18:39:48,971][ERROR][o.e.p.r.a.ACL ] Impossible to add block to ACL: Accept requests to mydb from users with valid LDAP credentials, belonging to LDAP group 'team2' Reason: [InitializationException] LDAP binding problem


(Askids) #11

Finally, I had some breakthrough today. The original issue was with the way bind dn was provided in the config. Once I corrected it, I was able to see the ADDING BLOCK message. Once that was corrected, then I was able to login using my domain id and it was authentication and authorized based on rules setup. This was also a bit of trial and error. Normally, we login with domain\userid. But i have to use just user for this to work.

The only other thing pending now is to get the monitoring working. As per Elastic, monitoring will work only with no-security or with x-pack security. Once I have ROR, as per them, it wont work. Is that a true statement?

Below is the update from Elastic team member.

I have another thread open for this. Feel fee to reply directly on that thread.

Thanks again for all your help!