[SUPPORT|kbn_ent] ldap and parentheses

Support request

ROR Version: Enterprise 1.53.0_es7.15.1

Kibana Version: 7.15.1

Elasticsearch Version: 7.15.1

Steps to reproduce the issue
Create an LDAP group whose name contains parentheses.
For example: my-groups (test)

Actual Result:
Forbidden

[2023-12-28T18:54:12,183][ERROR][tech.beshu.ror.accesscontrol.blocks.definitions.ldap.implementations.UnboundidLdapNestedGroupsService] [server01] LDAP getting groups of [my-groups (test)] group returned error; Unable to parse string '(&(cn=*)(member=CN=my-groups (test),OU=aaa,OU=Groups,OU=company,DC=office,DC=company,DC=com))' as an LDAP filter because it contains an unexpected opening parenthesis at position 62.
[2023-12-28T18:54:12,183][ERROR][tech.beshu.ror.accesscontrol.blocks.definitions.ldap.implementations.UnboundidLdapAuthorizationService] [server01] LDAP getting user groups returned error; Unable to parse string '(&(cn=*)(member=CN=my-groups (test),OU=aaa,OU=Groups,OU=company,DC=office,DC=company,DC=com))' as an LDAP filter because it contains an unexpected opening parenthesis at position 62.

and next error

Basic Kibana and regular indices access for all Office users: ldap_authentication rule matching got an error Rejected because the CircuitBreaker is in the Open state, attempting to close in 9217 millis

All users are logged out.

Expected result:
Minimally, only the user who is in the problem group is not allowed in and there are no problems with LDAP.
It would be better if you allow the use of parentheses and other permitted characters in LDAP.


{"customer_id": "6c4a385b-2ae8-4f02-a9cd-ef24addfb5b3", "subscription_id": "32d4073f-dc2f-4056-a868-842727c637cd"}

Thanks for the report. It seems that parentheses are not escaped correctly. We will fix it before releasing ROR 1.55.0.
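An added example (not ReadonlyREST or UnboundID code) of what the missing escaping amounts to: the group DN is hex-escaped per RFC 4515 before it is spliced into the nested-groups filter, and a toy parser rejects the unescaped form the way the SDK did. The filter shape and the two DNs come from the log lines in this thread; the function names are assumptions of this example.

```python
# Added example (not ReadonlyREST/UnboundID code): RFC 4515 escaping for LDAP filter values.
# Sample DNs taken from the thread's log lines.
GROUP_DN = "CN=my-groups (test),OU=aaa,OU=Groups,OU=company,DC=office,DC=company,DC=com"
DISABLED_GROUP_DN = "CN=disable group,OU=Groups (Disabled),OU=company,DC=office,DC=company,DC=com"

# Characters RFC 4515 requires to be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value: decode \\XX hex escapes back to characters."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def nested_groups_filter_unsafe(group_dn: str) -> str:
    """Failing shape from the log: the DN is spliced in verbatim."""
    return f"(&(cn=*)(member={group_dn}))"

def nested_groups_filter(group_dn: str) -> str:
    """Same filter with the DN escaped; parentheses in the name are now plain data."""
    return f"(&(cn=*)(member={escape_filter_value(group_dn)}))"

def parse_member_filter(filter_str: str) -> str:
    """Toy parser for the (&(cn=*)(member=<value>)) shape; like the SDK, rejects a raw paren in the value."""
    prefix, suffix = "(&(cn=*)(member=", "))"
    if not (filter_str.startswith(prefix) and filter_str.endswith(suffix)):
        raise ValueError("unexpected filter shape")
    raw = filter_str[len(prefix):-len(suffix)]
    for pos, ch in enumerate(raw, start=len(prefix)):
        if ch in "()":
            raise ValueError(f"unexpected parenthesis at position {pos}")
    return unescape_filter_value(raw)

def parses(filter_str: str) -> bool:
    """True if parse_member_filter accepts the filter, False if it rejects it."""
    try:
        parse_member_filter(filter_str)
        return True
    except ValueError:
        return False
```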

Another example where the group is disabled.

Allow Kibana and regular indices access for AD users in disable group: ldap_authorization rule matching got an error Unable to parse string '(&(cn=*)(member=CN=disable group,OU=Groups (Disabled),OU=company,DC=office,DC=company,DC=com))' as an LDAP filter because it contains an unexpected opening parenthesis at position 47.
com.unboundid.ldap.sdk.LDAPException: Unable to parse string '(&(cn=*)(member=CN=disable group,OU=Groups (Disabled),OU=company,DC=office,DC=company,DC=com))' as an LDAP filter because it contains an unexpected opening parenthesis at position 47

@coutoPL Could you clarify whether this bug also affected 1.49.1?
I downgraded to 1.49.1, but the error remained.
Any information on when 1.55.0 will be released?

I found the problem. When I disable
nested_groups_depth: 3
the error disappears.

ROR 1.55.0 release should be expected within 2 weeks.
But I will send you a pre-build with the fix earlier.

It’s fixed. Here is a pre-build to test: ROR 1.55.0-pre2 for ES 7.15.1

The tests were successful, we are waiting for the release of a stable version.

The release will be done within a week or so.
