ES with shield LDAP can't use LDAP group but can login with LDAP user

security

(Tingking23) #1

AS the topic name , i can't use LDAP group just can use LDAP user.
this is my role_mapping.yml:

admin:
- "cn=aaa,ou=groups,dc=company,dc=company"
- "cn=bbb,ou=people,dc=company,dc=company"

this is the elasticsearch.yml:
shield:
authc:
realms:
ldap1:
type: ldap
order: 0
url: "ldap://ldap.company.com:389"
bind_dn: "cn=admin,dc=company,dc=company"
bind_password: changeme
user_search:
base_dn: "dc=company,dc=company"
attribute: cn
group_search:
base_dn: "dc=company,dc=company"
files:
role_mapping: "/elasticsearch/config/shield/role_mapping.yml"
unmapped_groups_as_roles: false

there is the logs: [warn] [shield.authc.ldap] [node1] authentication failed for user [admin] : failed LDAP authentication foe DN ["cn=admin,dc=company,dc=company"] cause: com.unboundid.ldap.sdk.LDAPException: invalid crentials

i can use bbb to login ES ,but can't use user of aaa group to login ES. anyone can help?


(Jay Modi) #2

Can you provide more of the logs around that exception including the stacktrace? Also, it appears as though either the bind_dn or bind_password is incorrect; the bind is failing for the user that is supposed to be doing the search. I'm not sure how any user is able to authenticate if that is the only realm you have defined.


(Tingking23) #3

there is no more logs for error or warn,what you mean stacktrace log is the indices-access.log? i add the shield.authc: TRACE in logging.yml but nothing happend. the aaa is admin for my LDAPserver,it is correct i am sure. i can use any LDAP user that i mappinged in the role_mapping.yml but the group. that means my companny has 100 people i must to add them all
to the role_mapping.yml,i think that's not a good way.
should i must to import the certificate of my ldap server into the truststore or keystore? i don't do this because we don't need that , our internet just local area network


(Jay Modi) #4

Can you share your logging.yml? There should be other log messages and a stacktrace in the normal elasticsearch log file (not the access log).

That's not what I am saying. We need to figure out why the group is not mapping, most likely because it is not being returned.

Yes you must. The certificate must be trusted otherwise connections will not work.


(Yashodhara) #5

@tingking23 @jaymode

Did you reslove this issue? At this moment i am facing the exact same issue, I can authenticate for individual user however not for the the group a user belongs to.

I have not done any sort of configuration with respect to securing the communication between shield & ldap server as i am testing things out i am looking to do this later.

Do let me know if because i did not secure the communication that the group information is not found for the user?

Here is my config -
shield:
authc:
realms:
ldap1:
type: ldap
order: 0
url: "ldap://192.168.x.xxx:389"
bind_dn: "cn=admin,dc=xxxxxx,dc=com"
bind_password: xxxxx
user_search:
base_dn: "dc=xxxxxx,dc=com"
group_search:
base_dn: "dc=xxxxxx,dc=com"
files:
role_mapping: "/etc/elasticsearch/shield/role_mapping.yml"
unmapped_groups_as_roles: false

Here is my log from trace -

[2016-09-27 13:58:04,856][INFO ][gateway ] [node-1] recovered [26] indices into cluster_state
[2016-09-27 13:58:09,598][INFO ][watcher ] [node-1] starting watch service...
[2016-09-27 13:58:09,746][INFO ][watcher ] [node-1] watch service has started
[2016-09-27 13:58:09,786][INFO ][cluster.routing.allocation] [node-1] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[logstash-2016.09.06][1], [logstash-2016.09.06][3]] ...]).
[2016-09-27 13:58:33,666][TRACE][shield.authc.esnative ] [node-1] cannot poll for user changes since security index [.security] does not exist
[2016-09-27 13:58:40,484][DEBUG][shield.authc.ldap ] [node-1] user not found in cache, proceeding with normal authentication
[2016-09-27 13:58:40,500][DEBUG][shield.authc.support ] [node-1] the roles [[]], are mapped from these [ldap] groups [[]] for realm [ldap/ldap1]
[2016-09-27 13:58:40,501][DEBUG][shield.authc.support ] [node-1] the roles [[]], are mapped from the user [ldap] for realm [cn=Yashodhara Mandepu,ou=users,dc=xxxxxx,dc=com/ldap]
[2016-09-27 13:58:40,504][DEBUG][shield.authc.ldap ] [node-1] authenticated user [ymandepu], with roles [[]]
[2016-09-27 13:59:03,666][TRACE][shield.authc.esnative ] [node-1] cannot poll for user changes since security index [.security] does not exist
[2016-09-27 13:59:33,667][TRACE][shield.authc.esnative ] [node-1] cannot poll for user changes since security index [.security] does not exist

Please let me know.

Thanks


(Jay Modi) #6

You probably have a different LDAP schema. Wild guess, but maybe try:

shield:
    authc:
        realms:
            ldap1:
               ...
            group_search:
               base_dn: "dc=xxxxxx,dc=com"
               filter: "(&(objectclass=posixGroup)(memberUID={0}))"
               user_attribute: "uid"

(Yashodhara) #7

@jaymode

Yes Jay, that is the answer, it has worked.

one has to make sure the letter case is correct, in my case "memberUID" is "memberUid"

Thank you so much for the reply.


(system) #8