X-Pack & LDAP user group role mapping

Hello,
I'm running elastic 6.2.2 /w x-pack and integrating it with LDAP.
The problem I am having is that I'm able to define users by specifying each user individually, but not an LDAP group.

Let me try to clarify:

Config in elasticsearch.yml

#ldap authentication
xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 1
          url: "ldap://ldap.company.com:389"
          bind_dn: "cn=admin,dc=company,dc=com"
          bind_password: password123
          user_search:
            base_dn: "dc=company,dc=com"
            attribute: uid
          group_search:
            base_dn: "dc=company,dc=com"
          files:
            role_mapping: "/etc/elasticsearch/x-pack/role_mapping.yml"
          unmapped_groups_as_roles: false
        native1:
          type: native
          order: 0

This is a portion of my elasticsearch/x-pack/role_mapping.yml:

superuser:
  - "uid=username,ou=People,dc=company,dc=com"
  - "uid=username2,ou=People,dc=company,dc=com"
  - "uid=username3,ou=People,dc=company,dc=com"
  - "uid=username4,ou=People,dc=company,dc=com"

^ this works fine, however I'd like to be able to define an LDAP group instead of each user separately as in the example below:

#power_user:
  - "cn=admins,dc=example,dc=com"
#user:
  - "cn=users,dc=example,dc=com"
  - "cn=admins,dc=example,dc=com"
  - "cn=John Doe,cn=other users,dc=example,dc=com"

However, if I add the below, it does not work:

superuser:
  - "ou=People,dc=company,dc=com"

In case some more user parameters are required, here is an example of ldapsearch for a specific uid:

dn: uid=username,ou=People,dc=company,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: ldapPublicKey
uid: username
sn: Surname
givenName: Name
cn: Name Surname
mail: name@company.com
displayName: Name Surname
uidNumber: 7003
gidNumber: 4000
gecos: Name Surname
departmentNumber: DEPARTMENT
loginShell: /bin/bash
homeDirectory: /home/username
shadowLastChange: 17521
shadowMax: 180
shadowWarning: 14
userPassword:: Sfjsoifj3r3r39DSAdas5235

I looked for an answer in your forums, but was unable to find anything to solve this particular problem.

Hi Darius,

the "ou=People,dc=company,dc=com" is not an ldap group. It is an Organizational Unit and from the looks of it, the parent tree of your users in ldap.
You would need to define the groups in your ldap server first and then configure Elasticsearch to map the users to Roles in Elasticsearch based on their group membership in ldap.

Thank you for your response!
Yes People seems to be an organizational unit, but my users are in groups defined by gid and also the departmentNumber.
E.g. if I do a search

ldapsearch -x -H ldap://localhost -b dc=company,dc=com -s sub "(gidNumber=4000)"
or
ldapsearch -x -H ldap://localhost -b dc=company,dc=com -s sub "(departmentNumber=DEPARTMENT)"

It will list the people that are in this group/department. Can I somehow implement this into the xpack authentication?

There's a group:

cn=posixgroupname,ou=Company,ou=Groups,dc=company,dc=com

Which has several users in it, but if I add the following into role_mapping it still does not work

superuser:
  - "cn=posixgroupname,ou=Company,ou=Groups,dc=company,dc=com"

I'll try and clear some things out so bear with me :)

  • Your user has the posixAccount objectClass
  • gidNumber in the posixAccount objectClass defines the primary group of the user.
  • Having the same value in the departmentNumber attribute is not exactly the same as belonging in the same ldap group

That said, since your
ldapsearch -x -H ldap://localhost -b dc=company,dc=com -s sub "(gidNumber=4000)"
returns many results, this probably means that there is a group defined in your ldap server with the posixGroup objectClass that has a gidNumber value of 4000. You can get this posixGroup entry with
ldapsearch -x -H ldap://localhost -b dc=company,dc=com -s sub "(&(objectClass=posixGroup)(gidNumber=4000))"
and you can take the DN of the returned entry and use it directly in role_mapping.yml

Just saw the latest update. Can you verify that the cn=posixgroupname,ou=Company,ou=Groups,dc=company,dc=com has the posixGroup objectClass and that it contains the multi-valued memberUid attribute with the uids of your users, i.e. username?

Also, you can set

logger.authc.name = org.elasticsearch.xpack.security.authc
logger.authc.level = DEBUG

in log4j2.properties under $ES_HOME/config and authenticate with an ldap user so that we can see what happens during the role mapping process.

Thanks again for your help, the whole thing is making more sense now.

Yes, I can confirm that ldapsearch -x -H ldap://localhost -b dc=company,dc=com -s sub "(&(objectClass=posixGroup)(gidNumber=4000))" comes back with cn=posixgroupname,ou=Company,ou=Groups,dc=company,dc=com and the cn=posixgroupname... contains multiple memberUid's with uids of my users including username used in my examples.

The issue I'm seeing right now is that the role_mapping doesn't seem to be recognized. I've updated my role_mapping.yml with the posixGroup and it's now as follows (I've double checked all spacing/capitalisation):

superuser:
  - "cn=posixgroupname,ou=Company,ou=Groups,dc=company,dc=com"

Error showing that I'm able to authenticate with my username, but there are no roles assigned for my user:

[2018-03-08T19:46:10,024][DEBUG][o.e.x.s.a.e.ReservedRealm] [elasticsearch2] user not found in cache, proceeding with normal authentication
[2018-03-08T19:46:10,024][DEBUG][o.e.x.s.a.e.NativeRealm ] [elasticsearch2] user not found in cache, proceeding with normal authentication
[2018-03-08T19:46:10,024][DEBUG][o.e.x.s.a.l.LdapRealm ] [elasticsearch2] user not found in cache, proceeding with normal authentication
[2018-03-08T19:46:10,028][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [elasticsearch2] the roles [], are mapped from these [ldap] groups [] for realm [ldap/ldap1]
[2018-03-08T19:46:10,028][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [elasticsearch2] the roles [], are mapped from the user [uid=username,ou=People,dc=company,dc=com] for realm [ldap/ldap1]
[2018-03-08T19:46:10,029][DEBUG][o.e.x.s.a.l.LdapRealm ] [elasticsearch2] authenticated user [username], with roles []

If I'm reading this correctly the roles [[]], are mapped from these [ldap] groups [[]] for realm [ldap/ldap1] indicates that the superuser role assignment in role_mapping.yml wasn't recognized.

However, when restarting the cluster it seems to register 1 role mapping

[2018-03-08T20:42:33,427][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [elasticsearch2] [1] role mappings found in file [/etc/elasticsearch/x-pack/role_mapping.yml] for realm [ldap/ldap1]

The role mapping is read correctly, the problem lies elsewhere. The message

[2018-03-08T19:46:10,028][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [elasticsearch2] the roles [[]], are mapped from these [ldap] groups [[]] for realm [ldap/ldap1]

indicates that we couldn't get the group memberships from LDAP (see empty array in from these [ldap] groups [[]]).

My bad, I read your config above and didn't see that the user_attribute is under the user_search and not the group_search. You need to set the group_search.user_attribute to uid because if it is not set, its default value is the DN of the user entry. That means that Elasticsearch searches for groups that the user belongs to using an LDAP filter that contains
(memberUid=uid=username,ou=People,dc=company,dc=com)
instead of
(memberUid=username)
as it should.

I'm pretty confident that this will resolve your issue, but if it doesn't please set

logger.ldap.name = org.elasticsearch.xpack.security.authc.ldap
logger.ldap.level = TRACE

so that we can see the ldap queries made and get to the bottom of this.
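
The filter mismatch described above, as an added example that is not part of the original posts or Elasticsearch's own code: a simplified Python model of group lookup and DN-based role mapping over constructed directory data. It goes slightly beyond the thread by including a hypothetical groupOfNames entry (`cn=dngroup`), whose `member` values are full DNs, to show why a DN default suits that schema but not a posixGroup's `memberUid`.

```python
# Added illustration: simplified model of LDAP-realm group resolution and
# DN-based role mapping. All directory data below is constructed sample data.
MEMBER_ATTRS = ("member", "uniqueMember", "memberUid")  # assumed membership attributes

DIRECTORY = {  # constructed groups: one RFC 2307 posixGroup, one groupOfNames
    "cn=posixgroupname,ou=Company,ou=Groups,dc=company,dc=com": {
        "objectClass": "posixGroup",
        "memberUid": ["username", "username2"],  # bare uids
    },
    "cn=dngroup,ou=Company,ou=Groups,dc=company,dc=com": {  # hypothetical group
        "objectClass": "groupOfNames",
        "member": ["uid=username,ou=People,dc=company,dc=com"],  # full DNs
    },
}
USER = {"dn": "uid=username,ou=People,dc=company,dc=com", "uid": "username"}
ROLE_MAPPING = {  # same shape as role_mapping.yml: role -> list of DNs
    "superuser": ["cn=posixgroupname,ou=Company,ou=Groups,dc=company,dc=com"],
}

def norm(dn):
    """Crude DN normalisation: lower-case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def search_value(user, user_attribute=None):
    """Value substituted into the group filter; the user's DN when unset."""
    return user["dn"] if user_attribute is None else user[user_attribute]

def resolve_groups(user, user_attribute=None):
    """DNs of groups whose membership attributes contain the search value."""
    value = search_value(user, user_attribute)
    return [dn for dn, entry in DIRECTORY.items()
            if any(value in entry.get(attr, []) for attr in MEMBER_ATTRS)]

def map_roles(user, groups):
    """Roles whose mapped DNs match the user DN or any resolved group DN."""
    held = {norm(user["dn"])} | {norm(g) for g in groups}
    return sorted(role for role, dns in ROLE_MAPPING.items()
                  if held & {norm(d) for d in dns})

def authenticate(user, user_attribute=None):
    """Resolve groups, then map them to roles, as the realm does after bind."""
    groups = resolve_groups(user, user_attribute)
    return groups, map_roles(user, groups)

if __name__ == "__main__":
    for attr in (None, "uid"):  # default (DN) vs. group_search.user_attribute: uid
        groups, roles = authenticate(USER, attr)
        print(f"user_attribute={attr!r}: groups={groups} roles={roles}")
```

With the default, the posixGroup is never matched and the user ends up authenticated with no roles; with `uid` the group resolves and the `superuser` mapping applies.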

Nice, that worked, updated my elasticsearch.yml to

<...>
group_search:
  base_dn: "dc=company,dc=com"
  user_attribute: uid
<..>

Thanks a lot @ikakavas!


Can I get a sample of your role_mapping.yml?

Please open a different thread for your question. It will help to share what you're trying to achieve, what have you done already and what exactly doesn't work so that we will be able to assist you.

Even if you want something more generic, such as an example of a role_mapping.yml file, you have more chances getting a meaningful answer when we have a little more context with regards to your environment and your use case.

@Christopher_Bogs_Oli basically it's what I pasted up above at some point:

superuser:
  - "cn=posixgroupname,ou=Company,ou=Groups,dc=company,dc=com"
  - "cn=posixgroupname2,ou=Company,ou=Groups,dc=company,dc=com"

custom-group:
  - "cn=posixgroupname3,ou=Company,ou=Groups,dc=company,dc=com"
  - "cn=posixgroupname4,ou=Company,ou=Groups,dc=company,dc=com"

The part that solved it for me was that I was missing the user_attribute under group_search in elasticsearch.yml
