LDAP - Authentication works, Authorization doesn't

contactimtiaz · January 4, 2016, 4:19pm

Hi
I am trying to validate a simple LDAP setup on ElasticSearch with the SHIELD plugin. My Kibana setup is configured to use a LDAP user which in turn is configured and mapped to a role in ElasticSearch's role_mapping.yml file and that role has a corresponding entry in the roles.yml file. I also turned on DEBUG/TRACE logging on ElasticSearch. I can see that my LDAP user is authenticated, however it fails authorization with the following messages:

==> /data/ES/logs/es.log <==
[2016-01-04 15:42:19,955][DEBUG][shield.authc.ldap        ] [dataless-node] authenticated user [ldapuser1], with roles [[]]

[2016-01-04 15:42:19,956][INFO ][rest.suppressed          ] /_nodes Params: {settings_filter=shield.hide_settings,shield.ssl.*,shield.authc.realms.ldap1.bind_dn,shield.authc.realms.ldap1.bind_password,shield.authc.realms.ldap1.hostname_verification,transport.profiles.default.shield.*}
ElasticsearchSecurityException[action [cluster:monitor/nodes/info] is unauthorized for user [ldapuser1]]
	at org.elasticsearch.shield.support.Exceptions.authorizationError(Exceptions.java:45)
	at org.elasticsearch.shield.authz.InternalAuthorizationService.denialException(InternalAuthorizationService.java:294)
	at org.elasticsearch.shield.authz.InternalAuthorizationService.denial(InternalAuthorizationService.java:268)
	at org.elasticsearch.shield.authz.InternalAuthorizationService.authorize(InternalAuthorizationService.java:129)
	at org.elasticsearch.shield.action.ShieldActionFilter.apply(ShieldActionFilter.java:105)
	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:99)
	at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:77)
	at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:58)
	at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:347)
	at org.elasticsearch.client.FilterClient.doExecute(FilterClient.java:52)
	at org.elasticsearch.rest.BaseRestHandler$HeadersAndContextCopyClient.doExecute(BaseRestHandler.java:83)
.
.
.
.

==> /data/ES/logs/shield-access.log <==
[2016-01-04 15:42:19,955] [dataless-node] [transport] [access_denied]	origin_type=[rest], origin_address=[x.x.x.x], principal=[ldapuser1], action=[cluster:monitor/nodes/info], request=[NodesInfoRequest]

It seems like my roles or role_mapping entries are not being considered.

My LDAP config in elasticsearch.yml:

shield:
  authc:
    realms:
      ldap1:
        type: ldap
        order: 0
        url: "ldap://xxxx.xxxx.xxxx.xxxx:yyyy"
        bind_dn: "uid=xxxx,ou=xxxx xxxx,o=xxxx.xxxx"
        bind_password: xxxx
        user_search:
          base_dn: "o=xxxx.xxxx"
          attribute: xxxx
        group_search:
          base_dn: "o=xxxx.xxxx"
        files:
          role_mapping: "/etc/elasticsearch/shield/role_mapping.yml"
        unmapped_groups_as_roles: false

My configured role in roles.yml:

# LDAP user role
 ldap_users:
   cluster: all
   indices:
     '*':
       privileges: all

My configured mapping in role_mapping:

ldap_users:
    - "cn=ldapuser1,ou=xxxx xxxx,o=xxxx.xxxx"

Appreciate any insight.

Thanks

CraigFoote · January 4, 2016, 7:31pm

This sounds very similar to the issue I'm currently discussing at Action indices:data/read/mget is unauthorized but privilege listed.

jaymode · January 5, 2016, 11:34am

In your debug logs do you see a line like the following:

the roles [], are mapped from the user [<your user's dn>] for realm []

If so, does the DN match what you have in the role mapping file?

contactimtiaz · January 5, 2016, 3:13pm

As a matter of fact, I do:

[2016-01-04 19:37:34,852][DEBUG][shield.authc.support ] [dataless-node] the roles [[]], are mapped from these [ldap] groups [[]] for realm [ldap/ldap1]

It seems to be looking for ldap groups instead of ldap users?

jaymode · January 5, 2016, 3:30pm

Shield always will map to both groups and users but the log statement is only shown when something is mapped to a user (we can improve this to show all the time for better logging in a future release). This means that there is a mismatch between your user DN in the file and the DN retrieved from LDAP.

contactimtiaz · January 8, 2016, 2:13pm

Curious - if there is a mismatch in the user DN between what's retrieved and what's in the config, then shouldn't authentication fail too?
In the meanwhile, I'll work on the LDAP specifics. Thank you.

jaymode · January 8, 2016, 2:42pm

Authentication is succeeding because we search for the user with the attribute matching the username that has been provided and authenticate with using the matching entry's DN. The DN defined in the role_mapping.yml is not checked as part of authentication.

Topic		Replies	Views
Shield 2.3, Elasticsearch 2.3: 'ldap' realm works, but 'file' realm does not Elasticsearch elastic-stack-security	3	1060	December 14, 2016
[SHIELD] Kibana to Elasticsearch Elasticsearch elastic-stack-security	9	1634	December 30, 2016
Shield/ldap integration Elasticsearch elastic-stack-security	2	1084	December 26, 2016
Ldap authorization in kibana via x-pack Kibana	10	2756	June 26, 2017
Issue Authenticating with Active Directory Elasticsearch elastic-stack-security	5	2394	July 6, 2017

LDAP - Authentication works, Authorization doesn't

Related topics