LDAP auth and groups

I seem to be having some difficulty with the ldap auth configuration of Shield. I'm able to successfully auth, but Shield appears to be seeing only a subset of LDAP groups available to the user.

Here's the Shield config I'm working with so far:

shield.authc:
    realms:
        esusers:
            type: esusers
            order: 0
        ldap1:
            type: ldap
            order: 1
            enabled: true
            url: 'ldaps://auth.company.com:636'
            user_dn_templates:
              - "cn={0},ou=Users,o=company"
            group_search:
                base_dn: "o=company"
            # commenting out the group_search section yields no ldap groups returned.

Here's my log snippet. Note: I've not yet set up roles; I need to get the full ldap group list first.

[2015-07-07 09:06:58,764][DEBUG][shield.authc.support     ] [Tailhook] the roles [[]], are mapped from these [ldap] groups [[cn=Test-Grp,ou=Groups,o=company, cn=All,ou=Groups,o=company, cn=lnx,ou=POSIXGroups,o=company]] for realm [ldap/ldap1]
[2015-07-07 09:06:58,775][DEBUG][shield.authc.ldap        ] [Tailhook] authenticated user [myusername], with roles [[]]

Shield appears to be seeing only a subset of the total ldap groups assigned to my user with only one group from each subtree.

Hi,

Could you let me know what version of Shield you are using and what LDAP server you are communicating with?

Without group_search settings defined, Shield attempts to retrieve the groups from an attribute on the user. With the group search, Shield will search the subtree of the base dn for entries that have an objectClass of groupOfNames, groupOfUniqueNames, or group AND have uniqueMember or member set to the DN of your user.

What are the object classes of the groups you are also expecting to be returned?

-Jay

I just noticed that you may be using posixGroups based on your debug log message.

Can you try this configuration:

shield.authc:
    realms:
        esusers:
            type: esusers
            order: 0
        ldap1:
            type: ldap
            order: 1
            enabled: true
            url: 'ldaps://auth.company.com:636'
            user_dn_templates:
              - "cn={0},ou=Users,o=company"
            group_search:
                base_dn: "o=company"
                user_attribute: "uid"
                filter: "(&(objectclass=posixGroup)(memberUid={0}))"

The above configuration change will change the search to look for only posixGroups that have the user's uid as a value for memberUid.

Thanks for the tip! I feel like I'm pretty close, it's just finding the right ldap filter for our setup. We have a mixture of POSIX and non-POSIX groups, so I need a filter that will pull them all.

I'm using the latest version of Shield and ES 1.6. We're not using openldap, although it appears to be mostly/fully openldap compatible, and I'm unsure of what version the ldap server is running. It does not seem to permit memberUid as a query, though. For example, this query yields no results:

ldapsearch -x -H ldaps://auth.company.com:636 "(&(cn=*)(memberUid=keekz))"

This query "works" in that it lists all the groups my user belongs to, however it lists all uniqueMembers of all the groups:

ldapsearch -x -H ldaps://auth.company.com:636 "(&(cn=*)(uniqueMember=cn=keekz,ou=Users,o=company))"

(snippet of one of the group outputs from the above query)

# vpn, Groups, company
dn: cn=vpn,ou=Groups,o=company
objectClass: groupOfNames
objectClass: Top
objectClass: posixGroup
uniqueMember: cn=usera,ou=Users,o=company
uniqueMember: cn=userb,ou=Users,o=company
uniqueMember: cn=userc,ou=Users,o=company
uniqueMember: cn=userd,ou=Users,o=company
uniqueMember: cn=keekz,ou=Users,o=company
cn: vpn

This ldapsearch query works to pull the groups for my user:

ldapsearch -xLLL -H ldaps://auth.company.com:636/ -b "o=company" "uid=keekz" groupMembership

Output:

dn: cn=keekz,ou=Users,o=company
groupMembership: cn=global,ou=Groups,o=company
groupMembership: cn=analytics,ou=Groups,o=company
groupMembership: cn=lnx-engineers,ou=POSIXGroups,o=company
groupMembership: cn=lnx-ops,ou=POSIXGroups,o=company
groupMembership: cn=vpn,ou=Groups,o=company
groupMembership: cn=github,ou=Groups,o=company

(and many other groups!)

I've been stuck on converting this to something that ES is able to use... but I'm so close! =P

So it looks like your ldap supports the attribute groupMembership on the user. I think the following configuration should work:

shield.authc:
    realms:
        esusers:
            type: esusers
            order: 0
        ldap1:
            type: ldap
            order: 1
            enabled: true
            url: 'ldaps://auth.company.com:636'
            user_dn_templates:
                - "cn={0},ou=Users,o=company"
            user_group_attribute: "groupMembership"
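As an added illustration (not Shield's code and not Jay's), the Python below models the three group-resolution strategies discussed in this thread over a constructed in-memory directory: the default group_search, the posixGroup/memberUid filter, and reading the user's groupMembership attribute. The entries and their attribute values are assumptions modelled on the ldapsearch output earlier in the thread.

```python
# Constructed sample entries modelled on the thread's ldapsearch output.
USER_DN = "cn=keekz,ou=Users,o=company"
DIRECTORY = {
    USER_DN: {
        "objectClass": ["inetOrgPerson"], "uid": ["keekz"],
        "groupMembership": ["cn=global,ou=Groups,o=company", "cn=vpn,ou=Groups,o=company",
                            "cn=lnx-ops,ou=POSIXGroups,o=company"],
    },
    "cn=global,ou=Groups,o=company": {
        "objectClass": ["groupOfNames", "Top"],
        "uniqueMember": [USER_DN, "cn=usera,ou=Users,o=company"],
    },
    "cn=vpn,ou=Groups,o=company": {
        "objectClass": ["groupOfNames", "Top", "posixGroup"],
        "uniqueMember": ["cn=usera,ou=Users,o=company", USER_DN],
    },
    # The POSIX subtree in the thread never showed memberUid; this constructed
    # entry (an assumption) lists its members by DN only.
    "cn=lnx-ops,ou=POSIXGroups,o=company": {
        "objectClass": ["posixGroup", "Top"], "uniqueMember": [USER_DN],
    },
}

def _values(entry, attr):
    # LDAP attribute names are case-insensitive, so match them that way.
    return [v for k, vals in entry.items() if k.lower() == attr.lower() for v in vals]

def _has(entry, attr, value):
    # objectClass values and DNs compare case-insensitively as well.
    return value.lower() in (v.lower() for v in _values(entry, attr))

def default_group_search(directory, user_dn):
    """Default group_search: groupOfNames/groupOfUniqueNames/group entries whose
    member or uniqueMember is the user's DN. Pure posixGroup entries are missed."""
    group_classes = ("groupOfNames", "groupOfUniqueNames", "group")
    return sorted(dn for dn, e in directory.items()
                  if any(_has(e, "objectClass", c) for c in group_classes)
                  and (_has(e, "member", user_dn) or _has(e, "uniqueMember", user_dn)))

def posix_group_search(directory, uid):
    """Jay's posixGroup/memberUid filter: empty here, as in the thread's ldapsearch."""
    return sorted(dn for dn, e in directory.items()
                  if _has(e, "objectClass", "posixGroup") and _has(e, "memberUid", uid))

def user_group_attribute(directory, user_dn, attr="groupMembership"):
    """user_group_attribute: read group DNs straight off the user entry, which is
    the only strategy that returns every group across both subtrees."""
    return sorted(_values(directory[user_dn], attr))
```

Running the three functions against DIRECTORY shows the default search returning two groups, the posixGroup filter returning none, and the groupMembership attribute returning all three.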

That did the trick! Thanks so much, Jay!

I see the user_group_attribute setting does not appear in the Shield ldap documentation at https://www.elastic.co/guide/en/shield/current/ldap.html - hopefully we can get that added (I'm not sure if you work at Elastic and can get that updated).

For anyone else who might come across this discussion from a search, here's the working Shield config for our ldap authentication:

shield.authc:
    realms:
        esusers:
            type: esusers
            order: 0
        ldap1:
            type: ldap
            order: 1
            enabled: true
            url: 'ldaps://auth.company.com:636'
            user_dn_templates:
              - "cn={0},ou=Users,o=company"
            user_group_attribute: "groupMembership"

Works great. Thanks again, Jay!

I noticed that it was missing from our documentation also. I've logged an issue and will work on getting it added to the docs.