ReadonlyREST with LDAP

I’ve been looking at Wireshark and here is what I have found:

A successful request to the AD server is in the following format:

Filter: (&(objectClass=user)(|(sAMAccountName=someUser)(userPrincipalName=someUser@domain.local)))

Here is my current request:

Filter: (sAMAccountName=someUser)

Is there a way to change the filter?

There is no “uniqueMember” attribute in my LDAP group and there is no ‘testuser5’ in this group either. But how did it find ‘testuser5’?
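As an added illustration of the two filter shapes compared above (this is example code, not part of the thread and not ReadonlyREST’s own LDAP client), the function below builds the AD-style compound filter from the capture and the single-attribute filter the plugin sends. It also escapes the login value per RFC 4515 so a crafted username cannot change the filter’s structure. The domain suffix `domain.local` is the one from the capture; the function names are assumptions.

```python
import re

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value so that user-supplied input cannot alter the filter's structure.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# LDAP attribute descriptions: a letter followed by letters, digits or hyphens.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _check_attribute(attribute: str) -> str:
    """Attribute names come from configuration, not users, but reject anything
    that is not a well-formed attribute description anyway."""
    if not _ATTR_RE.match(attribute):
        raise ValueError(f"invalid LDAP attribute name: {attribute!r}")
    return attribute


def build_simple_filter(attribute: str, login: str) -> str:
    """Single-attribute filter, e.g. (sAMAccountName=someUser)."""
    return f"({_check_attribute(attribute)}={escape_filter_value(login)})"


def build_user_filter(login: str, upn_domain: str) -> str:
    """AD-style filter from the capture: a 'user' object whose sAMAccountName is
    the login, or whose userPrincipalName is login@upn_domain."""
    sam = escape_filter_value(login)
    upn = escape_filter_value(f"{login}@{upn_domain}")
    return (
        "(&(objectClass=user)"
        f"(|(sAMAccountName={sam})(userPrincipalName={upn})))"
    )


if __name__ == "__main__":
    # Constructed sample login; the second call shows injection characters escaped.
    print(build_user_filter("someUser", "domain.local"))
    print(build_simple_filter("sAMAccountName", "*)(objectClass=*"))
```

The escaping is the part to keep even if the filter shape is fixed by the plugin: a login of `*)(objectClass=*` becomes a literal value, not a wildcard that widens the search.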

There is no way to change the filter. I’m not an LDAP expert, but I think that the change isn’t necessary.

I will keep trying to make it work. Thanks!

@coutoPL is there a way to specify userPrincipalName as the bind attribute in the elasticsearch.yml file? I’ve looked at the LDAP requests and the search is successful, but I still cannot authenticate.

Did you try to do it in this way?

ldaps:
- name: example_ldap_name
  ...
  user_id_attribute: "userPrincipalName"

I am not sure if this is correct, but I suspect that when I specify
user_id_attribute: "sAMAccountName"
it successfully finds the user’s registry in the AD directory, but the query returns the userDistinguishedName. I think that I cannot authenticate because the LDAP is trying to match the sAMAccountName with the userDistinguishedName. Therefore I was trying to find out if there is an attribute specifically for this part, like a user_bind_attribute: userDistinguishedName

What LDAP docker image are you using? It would help me a lot.

docker: osixia/openldap:1.1.7

In the newest version (see PR: Feature/splitting ldap auth by coutoPL · Pull Request #207 · sscarduzio/elasticsearch-readonlyrest-plugin · GitHub) I’ve added debug-level logging to the ldap client; maybe it will help you.

IMO you should also check our test ldap configuration:
https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin/blob/master/src/test/resources/test_example.ldif

Thanks @coutoPL for adding this feature. I’ve downloaded it, but I’m getting errors when I try to build:

There were test failures: 24 suites, 77 tests, 6 suite-level errors [seed: A57D8356E509D0C7]

Something must be wrong with your docker environment.
(On OSX, docker for mac isn’t very stable.)

Is there a step by step on how to build the project correctly? Including some docker configurations?

Just got it working; it was something with my docker environment indeed.

@coutoPL this pull request just solved my problem! Now I can authenticate using my AD login. When are you going to update the master and release a new binary?

Great. The PR will be ready to merge today.
You should talk to @sscarduzio about when he’s going to release the next version of ROR.