When using LDAP group-based authentication and authorization, if the entered user ID is not part of the AD groups configured in the ACL rule, ROR rejects the request (as expected). But in the ROR audit index, the user attribute is logged as null, so we wouldn't know which user attempted that rejected request.
I am running ROR Free edition v1.16.28 on Win 2012 R2.
Looks like this issue is still present in the newer versions as well. Failed-attempt logs do not include the user ID for LDAP authentication failures. I am testing with ES 7.2.0 and ROR 1.19.0.
Let me explain the scenario. Let's say we have a valid user, but the user account is present in a different OU than the one your LDAP authentication is looking in. In such a case, when the user attempts to enter their ID/password, though it's valid, it will not find a user match. It will show a forbidden error as no rules were satisfied, but in the log it will show the user as not logged in in the header, and the user ID field is not captured in the ROR audit log.
The other scenario could be straightforward, where the user is entering a wrong ID or a valid ID with a wrong password, so it won't find a match against any rules. Again the response will be forbidden, but the attempted user ID is not logged anywhere.
I am using tech.beshu.ror.audit.instances.QueryAuditLogSerializer as the audit serializer. This one has all the details that I need, except that the user ID is not logged in the cases above.
I think populating the user field also when no ACL block matches is a great enhancement to our audit log serializers (both plain-text logs and JSON logs).
We could even think of reusing the same “user”/USR field, and operators can still distinguish between successful and attempted logins because the “final_state” field would be “FORBIDDEN”.
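The field semantics just proposed (one "user" field, with successful and attempted logins told apart by "final_state") are easy to act on downstream. As an added example that is not part of this thread or of the ReadonlyREST project, the following Python reads audit records as JSON lines, strips the "(attempted)" suffix reported elsewhere in this thread for failed logins on newer versions, and counts FORBIDDEN outcomes per user while keeping records whose user is still null visible as unattributed, which is the gap the first posts describe. The sample records, their "block" values and the "<unknown>" label are constructed for this example; only the "user", "final_state" and "(attempted)" conventions come from the thread.

```python
import json
from collections import Counter

# Constructed sample of ROR audit records as JSON lines (not real data).
# "user" and "final_state" are the field names discussed in the thread;
# the " (attempted)" suffix is the form reported for failed logins.
SAMPLE_AUDIT_LINES = [
    '{"@timestamp":"2020-01-10T10:00:00Z","user":"alice","final_state":"ALLOWED","block":"kibana-users"}',
    '{"@timestamp":"2020-01-10T10:00:05Z","user":"bob (attempted)","final_state":"FORBIDDEN","block":null}',
    '{"@timestamp":"2020-01-10T10:00:06Z","user":"bob (attempted)","final_state":"FORBIDDEN","block":null}',
    '{"@timestamp":"2020-01-10T10:00:09Z","user":null,"final_state":"FORBIDDEN","block":null}',
    '{"@timestamp":"2020-01-10T10:00:12Z","user":"alice","final_state":"FORBIDDEN","block":null}',
    '{"@timestamp":"2020-01-10T10:00:15Z","user":"bob","final_state":"ALLOWED","block":"kibana-users"}',
]

ATTEMPTED_SUFFIX = " (attempted)"
UNKNOWN_USER = "<unknown>"  # label chosen for this example for a null user field


def normalize_user(raw):
    """Return (user_id, was_attempted).

    A null user becomes UNKNOWN_USER so that records without a captured ID
    still show up in the summary instead of silently disappearing.
    """
    if raw is None:
        return UNKNOWN_USER, False
    if raw.endswith(ATTEMPTED_SUFFIX):
        return raw[: -len(ATTEMPTED_SUFFIX)], True
    return raw, False


def parse_audit_lines(lines):
    """Parse JSON-lines audit output into flat dicts, skipping blank lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        doc = json.loads(line)
        user, attempted = normalize_user(doc.get("user"))
        records.append({
            "timestamp": doc.get("@timestamp"),
            "user": user,
            "attempted": attempted,
            "final_state": doc.get("final_state"),
            "block": doc.get("block"),
        })
    return records


def summarize_failures(records):
    """Count FORBIDDEN outcomes per user.

    Successful (ALLOWED) records are ignored, so a single "user" field can
    serve both outcomes and final_state alone separates them.
    """
    counts = Counter()
    for r in records:
        if r["final_state"] == "FORBIDDEN":
            counts[r["user"]] += 1
    return dict(counts)


def unattributed_failures(records):
    """FORBIDDEN records whose user ID was never captured (logged as null)."""
    return [
        r for r in records
        if r["final_state"] == "FORBIDDEN" and r["user"] == UNKNOWN_USER
    ]


if __name__ == "__main__":
    recs = parse_audit_lines(SAMPLE_AUDIT_LINES)
    print("failures per user:", summarize_failures(recs))
    for r in unattributed_failures(recs):
        print("unattributed failure at", r["timestamp"])
```

Feeding the real audit index into this is a matter of replacing SAMPLE_AUDIT_LINES with the exported documents; the "<unknown>" bucket is the quickest way to see how many rejected requests a given ROR version leaves without a user ID.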
Completely agree. If a user is reporting failures, it becomes very easy to troubleshoot the issue by looking at the audit log.
Also, on a related note, do you foresee an issue if we were to add a default pipeline for the ROR audit template? We have a need to parse the query content being logged to pull a few attributes from the executed query for a few scenarios. So instead of writing a custom log serializer, we are thinking of doing it via a pipeline. Do you think there will be any overhead going this route?
Please see the screenshot below. This is how my ROR data looks where I am only running ROR for ES without any ROR Kibana plugin. So I would get a basic auth prompt in Chrome, and entering an invalid ID/password combination does not log the user ID.
I am wondering if this is in any way related to the long-standing Kibana issue where the user auth header is not consistently passed. It's just a guess. In the captured header, it says "User not logged".
So I tried it on another server which has a newer version of ES and also has the ROR Kibana plugin with the basic auth prompt turned off. For failed attempts, it's logging the user ID. In the log, it will show the user ID with "(attempted)".
I also tried it from SOAP UI by passing an incorrect password. It's logging the user ID in this case as well, similar to the above case.
This may become a non-issue once we start using the ROR Kibana plugin in another 3-4 weeks. So I am okay with this not being addressed.
We were originally struggling with identifying failed login attempts by user. But eventually we figured out that the issue was due to the user OU being different (see the issue below). So even when a user was part of the AD group, they were unable to get past the login prompt. But now, with us rolling out the dashboard feature, we are getting more users from different OUs and our ACL rules keep duplicating. So I would rather have you prioritize that issue over this user ID issue.