Shield and LDAP configuration

gustav · November 8, 2015, 5:03pm

Hello. I'm trying to configure Shield to authenticate ES users via LDAP. Our company has a domain, for example: company.com. And we have groups like "IT", "Finance", "Tech". But I need authenticate users only from IT. We have the LDAP server on the address ldap.company.com:389.

Trying something like this:

shield.authc:
realms:
ldap1:
type: ldap
order: 0
url: "ldaps://ldap.company.com:389"
bind_dn: "cn=reader,ou=company,dc=company,dc=com"
group_search:
base_dn: "dc=company,dc=com"
filter: "(memberOf=cn=IT,ou=company,dc=company,dc=com)'"
files:
role_mapping: "/elasticsearch/config/shield/role_mapping.yml"
unmapped_groups_as_roles: false

But it is not working. Shield version: 1.3.2

warkolm · November 8, 2015, 11:08pm

Can you elaborate more here, what is not working?
Have you turned on lower logging levels?

gustav · November 9, 2015, 1:57am

@warkolm I have this config from our another project:

host: 'ldap.company.com'
base: 'dc=company,dc=com'
port: 389
uid: 'SAMAccountName'
bind_dn: 'cn=reader,ou=company,dc=company,dc=com'
user_filter: '(memberOf=cn=IT,ou=company,dc=company,dc=com)'

I'm failing at "filter" step. How to add uid to shield config?

jaymode · November 10, 2015, 4:26pm

Hi @gustav,

The LDAP realms do no support a user specified filter for looking up users. Are you connecting to Active Directory? If you are using active directory, then there is a way that we could possibly limit the users who can authenticate.

If not, could you rely on authorization failing (ie only the IT group is mapped to a role)?

-Jay

gustav · November 11, 2015, 8:12am

@jaymode thank you for answer. I am connecting to corporate LDAP server. I don't need to authenticate a specific user. Can you give me an example of ldap realm config? For example, how to authenticate all users that are members of IT group and .company.com domain? I have stucked here.

jaymode · November 11, 2015, 11:07am

@gustav I know you said LDAP, but it looks like you may be connecting to an AD schema since you have SAMAccountName as the uid value in your other configuration, which is typically associated with active directory.

Can you try the following configuration:

shield.authc.realms:
  ad1:
    type: active_directory
    order: 0
    url: "ldaps://ldap.company.com:389"
    domain_name: company.com
    user_search:
      filter: (&(objectClass=user)(sAMAccountName={0})(memberOf=cn=IT,ou=company,dc=company,dc=com))

If the above configuration does not work, then currently we cannot support limiting the users allowed to authenticate via a filter, but we can work on adding an enhancement for this.

gustav · November 11, 2015, 12:15pm

@jaymode thank you. I will test it as soon as possible.

gustav · November 13, 2015, 12:08pm

@jaymode hi. This config is not working for me. Or I am doing something wrong.
My role_mapping.yml:

admin:

"cn=IT,dc=company,dc=com"

user:

"cn=IT,dc=company,dc=com"

I need to authenticate all users from IT group. From domain: company.com
When I am quering to Elasticsearch via curl:

curl -XGET someuser@company.com:somepassword@localhost:9200/

it tells me:

{"error":"AuthenticationException[unable to authenticate user [someuser] for REST request [/]]","status":401}

jaymode · November 13, 2015, 12:41pm

Have you tried with just someuser instead of someuser@company.com? Also, can you try turning the logging up to trace and see what kind of errors are happening when you try to authenticate?

gustav · November 16, 2015, 4:22am

@jaymode I have enabled Shield's auditing. elasticsearch-access.log has the following record:
[2015-11-16 10:17:34,344] [Baron Macabre] [rest] [authentication_failed] origin_address=[/0:0:0:0:0:0:0:1:52136], principal=[someuser@company.com], uri=[/]

jaymode · November 16, 2015, 2:08pm

@gustav sorry for the confusion, can you enable trace for the regular elasticsearch log file and provide the exceptions you get there? Also, did you try with just someuser instead of someuser@company.com?

gustav · November 17, 2015, 12:36pm

@jaymode hi. Yes, I have tried. I cannot set logs to TRACE mode right now. But... I have the following in the old logs from Elasticsearch:

[2015-11-12 12:55:36,473][WARN ][shield.authc.activedirectory] [She-Venom] authentication failed for user [someuser]: failed to connect to any active directory servers
cause: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server ldap.company.com:389: java.io.IOException: Unable to verify an attempt to to establish a secure connection to 'ldap.company.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Our LDAP is protected by SSL. Should I set hostname_verification parameter to FALSE?

jaymode · November 17, 2015, 1:14pm

Do you have the signing CA or certificates for your ldap servers imported into the truststore? Disabling hostname verification will probably not help since the exception doesn't deal with hostname verification.

gustav · November 19, 2015, 5:27am

@jaymode. I have enabled TRACE for logs.
Log is here: http://pastebin.com/ENzhYTau

I am using following configuration:

shield:
authc:
realms:
active_directory:
type: active_directory
domain_name: ldap.company.com
url: "ldap://ldap.company.com:389"
user_search:
filter: (&(objectClass=user)(sAMAccountName={0})(memberOf=cn=IT,ou=company,dc=company,dc=com))
group_search:
base_dn: "dc=company,dc=com"
files:
role_mapping: "/elasticsearch/config/shield/role_mapping.yml"
unmapped_groups_as_roles: false