Hello. I'm trying to configure Shield to authenticate ES users via LDAP. Our company has a domain, for example: company.com. And we have groups like "IT", "Finance", "Tech". But I need authenticate users only from IT. We have the LDAP server on the address ldap.company.com:389.
The LDAP realms do no support a user specified filter for looking up users. Are you connecting to Active Directory? If you are using active directory, then there is a way that we could possibly limit the users who can authenticate.
If not, could you rely on authorization failing (ie only the IT group is mapped to a role)?
@jaymode thank you for answer. I am connecting to corporate LDAP server. I don't need to authenticate a specific user. Can you give me an example of ldap realm config? For example, how to authenticate all users that are members of IT group and .company.com domain? I have stucked here.
@gustav I know you said LDAP, but it looks like you may be connecting to an AD schema since you have SAMAccountName as the uid value in your other configuration, which is typically associated with active directory.
@jaymode I have enabled Shield's auditing. elasticsearch-access.log has the following record:
[2015-11-16 10:17:34,344] [Baron Macabre] [rest] [authentication_failed] origin_address=[/0:0:0:0:0:0:0:1:52136], principal=[email@example.com], uri=[/]
@gustav sorry for the confusion, can you enable trace for the regular elasticsearch log file and provide the exceptions you get there? Also, did you try with just someuser instead of firstname.lastname@example.org?
@jaymode hi. Yes, I have tried. I cannot set logs to TRACE mode right now. But... I have the following in the old logs from ElasticSearch:
[2015-11-12 12:55:36,473][WARN ][shield.authc.activedirectory] [She-Venom] authentication failed for user [someuser]: failed to connect to any active directory servers
cause: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server ldap.company.com:389: java.io.IOException: Unable to verify an attempt to to establish a secure connection to 'ldap.company.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Our LDAP is protected by SSL. Should I set hostname_verification parameter to FALSE?
Do you have the signing CA or certificates for your ldap servers imported into the truststore? Disabling hostname verification will probably not help since the exception doesn't deal with hostname verification.