LDAP - Authentication works, Authorization doesn't

contactimtiaz · January 4, 2016, 4:19pm

Hi
I am trying to validate a simple LDAP setup on ElasticSearch with the SHIELD plugin. My Kibana setup is configured to use a LDAP user which in turn is configured and mapped to a role in ElasticSearch's role_mapping.yml file and that role has a corresponding entry in the roles.yml file. I also turned on DEBUG/TRACE logging on ElasticSearch. I can see that my LDAP user is authenticated, however it fails authorization with the following messages:

==> /data/ES/logs/es.log <==
[2016-01-04 15:42:19,955][DEBUG][shield.authc.ldap        ] [dataless-node] authenticated user [ldapuser1], with roles [[]]

[2016-01-04 15:42:19,956][INFO ][rest.suppressed          ] /_nodes Params: {settings_filter=shield.hide_settings,shield.ssl.*,shield.authc.realms.ldap1.bind_dn,shield.authc.realms.ldap1.bind_password,shield.authc.realms.ldap1.hostname_verification,transport.profiles.default.shield.*}
ElasticsearchSecurityException[action [cluster:monitor/nodes/info] is unauthorized for user [ldapuser1]]
	at org.elasticsearch.shield.support.Exceptions.authorizationError(Exceptions.java:45)
	at org.elasticsearch.shield.authz.InternalAuthorizationService.denialException(InternalAuthorizationService.java:294)
	at org.elasticsearch.shield.authz.InternalAuthorizationService.denial(InternalAuthorizationService.java:268)
	at org.elasticsearch.shield.authz.InternalAuthorizationService.authorize(InternalAuthorizationService.java:129)
	at org.elasticsearch.shield.action.ShieldActionFilter.apply(ShieldActionFilter.java:105)
	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:99)
	at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:77)
	at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:58)
	at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:347)
	at org.elasticsearch.client.FilterClient.doExecute(FilterClient.java:52)
	at org.elasticsearch.rest.BaseRestHandler$HeadersAndContextCopyClient.doExecute(BaseRestHandler.java:83)
.
.
.
.

==> /data/ES/logs/shield-access.log <==
[2016-01-04 15:42:19,955] [dataless-node] [transport] [access_denied]	origin_type=[rest], origin_address=[x.x.x.x], principal=[ldapuser1], action=[cluster:monitor/nodes/info], request=[NodesInfoRequest]

It seems like my roles or role_mapping entries are not being considered.

My LDAP config in elasticsearch.yml:

shield:
  authc:
    realms:
      ldap1:
        type: ldap
        order: 0
        url: "ldap://xxxx.xxxx.xxxx.xxxx:yyyy"
        bind_dn: "uid=xxxx,ou=xxxx xxxx,o=xxxx.xxxx"
        bind_password: xxxx
        user_search:
          base_dn: "o=xxxx.xxxx"
          attribute: xxxx
        group_search:
          base_dn: "o=xxxx.xxxx"
        files:
          role_mapping: "/etc/elasticsearch/shield/role_mapping.yml"
        unmapped_groups_as_roles: false

My configured role in roles.yml:

# LDAP user role
 ldap_users:
   cluster: all
   indices:
     '*':
       privileges: all

My configured mapping in role_mapping:

ldap_users:
    - "cn=ldapuser1,ou=xxxx xxxx,o=xxxx.xxxx"

Appreciate any insight.

Thanks

CraigFoote · January 4, 2016, 7:31pm

This sounds very similar to the issue I'm currently discussing at Action indices:data/read/mget is unauthorized but privilege listed.

jaymode · January 5, 2016, 11:34am

In your debug logs do you see a line like the following:

the roles [], are mapped from the user [<your user's dn>] for realm []

If so, does the DN match what you have in the role mapping file?

contactimtiaz · January 5, 2016, 3:13pm

As a matter of fact, I do:

[2016-01-04 19:37:34,852][DEBUG][shield.authc.support ] [dataless-node] the roles [[]], are mapped from these [ldap] groups [[]] for realm [ldap/ldap1]

It seems to be looking for ldap groups instead of ldap users?

jaymode · January 5, 2016, 3:30pm

Shield always will map to both groups and users but the log statement is only shown when something is mapped to a user (we can improve this to show all the time for better logging in a future release). This means that there is a mismatch between your user DN in the file and the DN retrieved from LDAP.

contactimtiaz · January 8, 2016, 2:13pm

Curious - if there is a mismatch in the user DN between what's retrieved and what's in the config, then shouldn't authentication fail too?
In the meanwhile, I'll work on the LDAP specifics. Thank you.

jaymode · January 8, 2016, 2:42pm

Authentication is succeeding because we search for the user with the attribute matching the username that has been provided and authenticate with using the matching entry's DN. The DN defined in the role_mapping.yml is not checked as part of authentication.

Topic		Replies	Views
Integration with LDAP Elasticsearch elastic-stack-security	2	1529	July 6, 2017
SOLVED:Issue in LDAP group authentication (shield): Elasticsearch elastic-stack-security	28	11283	July 6, 2017
Shield error. Authorization problem. [Even admin unable to access] Elasticsearch elastic-stack-security	14	16445	July 6, 2017
Elasticsearch with LDAP Authentication XPack Security Elasticsearch elastic-stack-security	6	1072	February 13, 2020
Failed to authenticate user with ldap realm using role mapping api Elasticsearch elastic-stack-security	5	587	November 27, 2020

LDAP - Authentication works, Authorization doesn't

Related topics