I am trying to use LDAP authentication and authorization in a single rule, but my ID is not part of the group that I have given for authorization, and curl is still not throwing any error.
If I use basic authentication and do not pass the ID/password in the curl command, I can see the ROR forbidden error message. Now, when I only have LDAP rules and no basic authentication rules, I don't get any error and my curl request is still getting processed. How do I verify that ROR is using the LDAP rules at all? I could not see anything relevant in the logs either.
Below are my ROR entries in the elasticsearch.yml file.
# ReadonlyREST entries
http.type: ssl_netty4
readonlyrest:
  enable: true
  response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
  ssl:
    enable: true
    # put the keystore in the same dir with elasticsearch.yml
    keystore_file: "plugins/readonlyrest/mykeystore.jks"
    keystore_pass: Password1
    key_pass: Password1
  access_control_rules:
  - name: Accept requests to mydb from users with valid LDAP credentials, belonging to LDAP group
    type: allow
    verbosity: info
    ldap_auth:
      name: "ldap1"
      groups: ["MY_ADGROUP_NAME"]
    indices: ["mydb*"]
  ldaps:
  - name: ldap1
    host: "xxxxx.xxxxxxxxxxx.com"
    port: 389                                   # default 389
    ssl_enabled: true                           # default true
    ssl_trust_all_certs: true                   # default false
    bind_dn: "cn=serviceid,dc=xxxxxxxxxxx,dc=com"   # skip for anonymous bind
    bind_password: "serviceidpwd"               # skip for anonymous bind
    search_user_base_DN: "ou=People,dc=xxxxxxxxxxx,dc=com"
    user_id_attribute: "sAMAccountName"         # default "uid"
    search_groups_base_DN: "OU=xxxxx,OU=yyyyyyyy,OU=zzzz,OU=abcd,DC=corp,DC=xxxxxxxxxxx,DC=com"
    unique_member_attribute: "member"           # default "uniqueMember"
    connection_pool_size: 10                    # default 30
    connection_timeout_in_sec: 10               # default 1
    request_timeout_in_sec: 10                  # default 1
    cache_ttl_in_sec: 60                        # default 0 - cache disabled
I found that if the LDAP server is down when the settings are loaded, an exception aborts the whole ACL initialisation. That results in no ACL being run when requests come in.
You will have a fix today in 1.16.11-pre7, together with some performance optimisations I made for CERN over the weekend.
Still no luck. Even with the new version, requests are going through even though my ID is not part of the AD group. How do I verify whether ROR is even intercepting these requests? I don't see any entry in the log after this:
[2017-09-18T17:49:30,360][INFO ][o.e.p.r.e.ReloadableSettingsImpl] [CLUSTERWIDE SETTINGS] index settings not found. Will keep on using the local YAML file. Learn more about clusterwide settings at https://readonlyrest.com/pro.html
Hi @sscarduzio, I have now upgraded to 1.16.11-pre9. Now I am seeing the error that the LDAP ACL block was not applied. How do I find out for what reason the ACL is not being applied?
[2017-09-21T19:03:49,737][DEBUG][o.e.a.ActionModule ] Using REST wrapper from plugin org.elasticsearch.plugin.readonlyrest.es.ReadonlyRestPlugin
[2017-09-21T19:03:49,997][INFO ][o.e.d.DiscoveryModule ] [ESURPPOC2-node1] using discovery type [zen]
[2017-09-21T19:03:50,489][INFO ][o.e.p.r.e.SettingsManagerImpl] Loaded good settings from config\readonlyrest.yml
[2017-09-21T19:03:50,871][ERROR][o.e.p.r.a.ACL ] Impossible to add block to ACL: Accept requests to mydb from users with valid LDAP credentials, belonging to LDAP group 'team2'
[2017-09-21T19:03:50,873][INFO ][o.e.p.r.e.IndexLevelActionFilter] Configuration reloaded - ReadonlyREST enabled
[2017-09-21T19:03:50,892][INFO ][o.e.p.r.e.IndexLevelActionFilter] Readonly REST plugin was loaded...
[2017-09-25T18:39:48,971][ERROR][o.e.p.r.a.ACL ] Impossible to add block to ACL: Accept requests to mydb from users with valid LDAP credentials, belonging to LDAP group 'team2' Reason: [InitializationException] LDAP binding problem
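The two questions in this thread ("how do I verify ROR is applying the LDAP block?" and "why was the block refused?") can both be answered from the lines ROR writes at settings-load time. The following is an added example, not ReadonlyREST's own code: it parses the log lines quoted above (embedded here as constructed sample input), reports every ACL block that ROR refused together with the reason it logged, and lints one `ldaps:` connector entry for two things a reviewer would flag, a `bind_dn` that is not a valid LDAP DN (a failed bind is what the log above reports as `LDAP binding problem`) and `ssl_trust_all_certs: true`. The sample connector's `CORP\serviceid` value is a hypothetical malformed `bind_dn` chosen to trigger the check; the thread does not say what the original mistake was.

```python
import re

# Constructed sample input: the ROR log lines quoted in this thread.
SAMPLE_LOG = """\
[2017-09-21T19:03:50,489][INFO ][o.e.p.r.e.SettingsManagerImpl] Loaded good settings from config\\readonlyrest.yml
[2017-09-21T19:03:50,871][ERROR][o.e.p.r.a.ACL ] Impossible to add block to ACL: Accept requests to mydb from users with valid LDAP credentials, belonging to LDAP group 'team2'
[2017-09-21T19:03:50,873][INFO ][o.e.p.r.e.IndexLevelActionFilter] Configuration reloaded - ReadonlyREST enabled
[2017-09-25T18:39:48,971][ERROR][o.e.p.r.a.ACL ] Impossible to add block to ACL: Accept requests to mydb from users with valid LDAP credentials, belonging to LDAP group 'team2' Reason: [InitializationException] LDAP binding problem
"""

# Constructed sample connector: one entry of ROR's "ldaps:" list as a dict.
# "CORP\\serviceid" is a hypothetical DOMAIN\\user value, not a DN.
SAMPLE_LDAP_CFG = {
    "name": "ldap1", "host": "xxxxx.xxxxxxxxxxx.com", "port": 389,
    "ssl_enabled": True, "ssl_trust_all_certs": True,
    "bind_dn": "CORP\\serviceid", "bind_password": "serviceidpwd",
    "search_user_base_DN": "ou=People,dc=xxxxxxxxxxx,dc=com",
}

# [timestamp][LEVEL ][logger ] message  (ES 5.x log4j2 layout as quoted above)
_LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\]\[(?P<logger>[^\]]+)\]\s*(?P<msg>.*)$")
# Block refusal; the "Reason: [...]" suffix only appears in newer builds.
_BLOCK_FAIL_RE = re.compile(
    r"^Impossible to add block to ACL: (?P<name>.+?)"
    r"(?: Reason: \[(?P<exc>[A-Za-z]+)\] (?P<reason>.*))?$")
# One RDN of a DN: attribute=value
_RDN_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)=(.+?)\s*$")


def parse_line(line):
    """Split one ES log line into ts/level/logger/msg, or None if it is not one."""
    m = _LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def ror_enabled(log_text):
    """True if ROR reported a successful (re)load of its configuration."""
    return any("ReadonlyREST enabled" in (parse_line(l) or {}).get("msg", "")
               for l in log_text.splitlines())


def acl_block_failures(log_text):
    """Map each ACL block ROR refused to load to the last reason it logged.

    Builds that log no reason yield None; the later line in SAMPLE_LOG shows
    the 'Reason: [Exception] text' form and overrides the earlier None.
    """
    failures = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["level"] != "ERROR":
            continue
        m = _BLOCK_FAIL_RE.match(rec["msg"])
        if m:
            failures[m["name"]] = f"{m['exc']}: {m['reason']}" if m["reason"] else None
    return failures


def parse_dn(dn):
    """Parse a DN into (attr, value) pairs; raise ValueError if it is not one.

    Commas escaped as '\\,' inside a value (RFC 4514) are not separators.
    """
    if not isinstance(dn, str) or not dn.strip():
        raise ValueError("empty DN")
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        m = _RDN_RE.match(part)
        if not m:
            raise ValueError(f"{part!r} is not attr=value; a DN looks like cn=svc,dc=example,dc=com")
        rdns.append((m.group(1).lower(), m.group(2)))
    return rdns


def lint_ldap_connector(cfg):
    """Return warnings for one 'ldaps:' entry before ROR tries to bind with it."""
    warnings = []
    if "bind_dn" in cfg:
        try:
            parse_dn(cfg["bind_dn"])
        except ValueError as e:
            warnings.append(f"bind_dn: {e}; a failed bind is what ROR logs as 'LDAP binding problem'")
    if cfg.get("ssl_trust_all_certs"):
        warnings.append("ssl_trust_all_certs: true disables certificate verification, so whoever can "
                        "intercept the LDAP connection can capture the bind password; trust the directory's CA instead")
    if cfg.get("bind_password") and not cfg.get("bind_dn"):
        warnings.append("bind_password set without bind_dn; a simple bind needs both")
    return warnings


if __name__ == "__main__":
    print("ROR enabled:", ror_enabled(SAMPLE_LOG))
    for name, reason in acl_block_failures(SAMPLE_LOG).items():
        print(f"refused block: {name!r}\n  reason: {reason}")
    for w in lint_ldap_connector(SAMPLE_LDAP_CFG):
        print("warning:", w)
```

Run it against a real log by reading `logs/<cluster>.log` into `acl_block_failures`; a block name that shows up there is not enforced, and with an `allow`-only ACL that is exactly the "requests still go through" symptom from the first post. Note that "ReadonlyREST enabled" on its own says nothing about whether any block loaded.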
Finally, I had a breakthrough today. The original issue was with the way the bind DN was provided in the config. Once I corrected it, I was able to see the ADDING BLOCK message. After that, I was able to log in using my domain ID and was authenticated and authorized based on the rules set up. This was also a bit of trial and error. Normally we log in with domain\userid, but I have to use just the user for this to work.
The only other thing pending now is to get monitoring working. As per Elastic, monitoring will work only with no security or with X-Pack security. Once I have ROR, as per them, it won't work. Is that a true statement?
Below is the update from an Elastic team member.
I have another thread open for this. Feel free to reply directly on that thread.