Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for AD nested groups #1436

Closed
andham opened this issue Sep 21, 2015 · 28 comments
Closed

Support for AD nested groups #1436

andham opened this issue Sep 21, 2015 · 28 comments
Labels
feature ldap triaged

Comments

@andham
Copy link

andham commented Sep 21, 2015

It would be great if Graylog could support so-called nested groups in AD.
The easiest way to do this would be to have the group member attribute configurable. You can then use a special object ID as described in https://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx.

Some information on how this is handled in some other tool (Nexus): https://support.sonatype.com/entries/31005457-How-to-Configure-Nexus-to-use-Active-Directory-Nested-Groups
@andham andham mentioned this issue Sep 21, 2015
Closed
@alpar-t
Copy link

alpar-t commented Sep 28, 2015

Also looking for this. With the current implementation src/main/java/org/graylog2/security/ldap/LdapConnector.java needs to do a query for each group to see if those are a member of some other group (member:1.2.840.113556.1.4.1941:=CN=)

@matthgyver
Copy link

"member:1.2.840.113556.1.4.1941:=CN=" is good for authentication but it would be great if group mapping support nested groups

@edmundoa edmundoa mentioned this issue Feb 23, 2016
Closed
@nixcorn
Copy link

nixcorn commented Mar 30, 2016

👍
For us it's a show stopper, we rely on nested groups from Active Directory because if a new one joins the company, it's easy to add him to a few groups and there are the direct permission groups for all the applications. Would be awesome if it's possible to add this to Graylog 2.0 :)

@arnefm
Copy link

arnefm commented Sep 14, 2016
edited

Yup, this is a big issue for our setup too. We separate our group into access groups which have one-to-one relationships with specific permissions and services and role groups, which contain users and are members of different access groups.

In fact I'm surprised this issue hasn't gotten more attention! It's been open for a year.

@jhaar
Copy link

jhaar commented Nov 28, 2016

Ditto. We've just started getting complaints of people not having the correct access and ended up tracking it back to a nested groups issue

@simonpie
Copy link

simonpie commented May 1, 2017

We are also in dire need for this functionality.

@CoolDuke
Copy link

+1 for this feature since we have to use our organizational groups instead of the permission groups defined in Active Directory, so we have change the permissions twice if anything is to be changed.

@Dainii
Copy link

Dainii commented Nov 8, 2017

Hi, is there any news about this feature ?

@Wicht78
Copy link

Wicht78 commented Dec 15, 2017

We would really need this.
Hope it is comming soon :)

@jalogisch jalogisch mentioned this issue Feb 25, 2018
Open
@shakalandy
Copy link

@jalogisch is it possible to "donate" this feature? Via BountySource or similar?

@joschi
Copy link
Contributor

joschi commented Mar 13, 2018

@shakalandy Please contact our sales team at https://graylog.org/contact-sales or via sales@graylog.com for finding out how this aligns with our general business strategy.

@samoz83
Copy link

samoz83 commented Jun 28, 2018

Any news on this feature? I assume it's not being considered for the v3 release?

@ivazqueza
Copy link

I'm also very interested on this. It would be a very useful feature.

@lukaszpatyra
Copy link

+1

This was referenced Oct 15, 2018
Closed
Closed
@matthiasdoering
Copy link

+1

1 similar comment
@nhanct
Copy link

nhanct commented Nov 6, 2018

+1

@exussum12
Copy link

exussum12 commented Nov 19, 2018
edited

Not sure if this helps but the query needed here is (member:1.2.840.113556.1.4.1941:={distinguishedname})

Where {distinguishedname} is the dn of the user being looked up.

It looks like

graylog2-server/graylog2-server/src/main/java/org/graylog2/security/ldap/LdapConnector.java

Line 200 in 20ab732

ldapEntry.addGroups(findGroups(connection,
is a good place to start. I'm not 100% sure how to get the stack working currently to test this fix though

@OmniTroid
Copy link

This has been open for three years.. are you planning to implement this at all? I'd love to see this feature as well.

@pirona
Copy link

pirona commented Apr 1, 2019

Is this related to the fact that I cannot map any groups from this cn=groups,dc=subdomain,dc=domain,dc=tld ? (nothing show up in LDAP group mapping)

@jalogisch
Copy link
Contributor

@pirona likely not - or did you have groups in groups in that?

@pirona
Copy link

pirona commented Apr 1, 2019
edited

@pirona likely not - or did you have groups in groups in that?

No, no sublevels in this folder. Sorry for the topic mismatch then.

@mungo312
Copy link

Hi,
any updates on this ? It is a common usage pattern in the Active Directory context to use nested groups.

@xtruthx
Copy link

xtruthx commented Feb 5, 2020

It seems that this issue is not longer exist? Actually we tested it with nested groups from a Active Directory and it seems to work fine without any occurrence of error messages in the log. Also the relation for the groups have been set accordingly.

Workaround/Solution

Use a major group where the other groups are nested in your Active Directory. Then use a "User Search Pattern" with memberOf-Function.

Steps to Reproduce

  1. Create major group
  2. Set group inheritage for the inherit groups
  3. Use following User Query for Example:
    (&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(memberof:1.2.840.113556.1.4.1941:=cn=major_group,cn=Users,ou=Group-Unit,ou=nextunit,ou=anotherunit,dc=ex,dc=sample,dc=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Tested Environment

  • Graylog Version: 3.1.4+1149fe1, codename Quantum Dog

  • Elasticsearch Version: 6.8.6

  • MongoDB Version: v4.3.0-707-g284630e-patch-5d3f10cc850e612543561a3a

  • Operating System:
    NAME="Red Hat Enterprise Linux"
    VERSION="8.1 (Ootpa)"
    ID="rhel"
    ID_LIKE="fedora"
    VERSION_ID="8.1"
    PLATFORM_ID="platform:el8"
    PRETTY_NAME="Red Hat Enterprise Linux 8.1 (Ootpa)"

  • Browser version: Firefox Quantum 68.4.1esr (64-Bit)

@bernd @jalogisch could this be the solution or workaround for that issue? Can you may please add some explanation from the code perspective to this?

A possible Attribute Option in the product would be still good and could still be a valid feature request. At least it would make things easier for some people.

@rsirny
Copy link

rsirny commented Mar 19, 2020

@xtruthx I've tried what you suggest with following setup on Graylog 3.2.2, but it does not seem to work. Do you see anything I could have missed?

My AD structure:
Graylog_Major_Group (DN used in the user query)

  • Graylog_Admin
    • Graylog_AdminNested

For user in Graylog_Admin group, the login works as expected. Logging in with user from Graylog_AdminNested fails with error:

2020-03-19 12:39:25,113 ERROR: org.graylog2.security.realm.LdapUserAuthenticator - Error during LDAP user account sync. Cannot log in user testuser,
java.lang.RuntimeException: ERR_02002_FAILURE_ON_UNDERLYING_CURSOR Failure on underlying Cursor.,
	at org.apache.directory.api.ldap.model.cursor.CursorIterator.next(CursorIterator.java:89) ~[graylog.jar:?],
	at org.graylog2.security.ldap.LdapConnector.search(LdapConnector.java:142) ~[graylog.jar:?],
	at org.graylog2.security.realm.LdapUserAuthenticator.searchLdapUser(LdapUserAuthenticator.java:160) ~[graylog.jar:?],
	at org.graylog2.security.realm.LdapUserAuthenticator.doGetAuthenticationInfo(LdapUserAuthenticator.java:110) [graylog.jar:?],
	at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:571) [graylog.jar:?],
	at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doMultiRealmAuthentication(ModularRealmAuthenticator.java:219) [graylog.jar:?],
	at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:269) [graylog.jar:?],
	at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198) [graylog.jar:?],
	at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106) [graylog.jar:?],
	at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:274) [graylog.jar:?],
	at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:260) [graylog.jar:?],
	at org.graylog2.shared.security.SessionCreator.create(SessionCreator.java:77) [graylog.jar:?],
	at org.graylog2.rest.resources.system.SessionsResource.newSession(SessionsResource.java:129) [graylog.jar:?],
	at sun.reflect.GeneratedMethodAccessor1060.invoke(Unknown Source) ~[?:?],
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_242],
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_242],
	at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81) [graylog.jar:?],
	at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:144) [graylog.jar:?],
	at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:161) [graylog.jar:?],
	at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:205) [graylog.jar:?],
	at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:99) [graylog.jar:?],
	at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389) [graylog.jar:?],
	at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347) [graylog.jar:?],
	at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102) [graylog.jar:?],
	at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:326) [graylog.jar:?],
	at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [graylog.jar:?],
	at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [graylog.jar:?],
	at org.glassfish.jersey.internal.Errors.process(Errors.java:315) [graylog.jar:?],
	at org.glassfish.jersey.internal.Errors.process(Errors.java:297) [graylog.jar:?],
	at org.glassfish.jersey.internal.Errors.process(Errors.java:267) [graylog.jar:?],
	at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) [graylog.jar:?],
	at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) [graylog.jar:?],
	at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) [graylog.jar:?],
	at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:384) [graylog.jar:?],
	at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224) [graylog.jar:?],
	at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:181) [graylog.jar:?],
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_242],
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_242],
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_242],
Caused by: org.apache.directory.api.ldap.model.cursor.CursorLdapReferralException,
	at org.apache.directory.ldap.client.api.EntryCursorImpl.get(EntryCursorImpl.java:174) ~[graylog.jar:?],
	at org.apache.directory.ldap.client.api.EntryCursorImpl.get(EntryCursorImpl.java:52) ~[graylog.jar:?],
	at org.apache.directory.api.ldap.model.cursor.CursorIterator.next(CursorIterator.java:82) ~[graylog.jar:?],�
	... 38 more,

@xtruthx
Copy link

xtruthx commented Apr 21, 2020

@xtruthx I've tried what you suggest with following setup on Graylog 3.2.2, but it does not seem to work. Do you see anything I could have missed?

My AD structure:
Graylog_Major_Group (DN used in the user query)

* Graylog_Admin
  
  * Graylog_AdminNested

For user in Graylog_Admin group, the login works as expected. Logging in with user from Graylog_AdminNested fails with error:

2020-03-19 12:39:25,113 ERROR: org.graylog2.security.realm.LdapUserAuthenticator - Error during LDAP user account sync. Cannot log in user testuser,
java.lang.RuntimeException: ERR_02002_FAILURE_ON_UNDERLYING_CURSOR Failure on underlying Cursor.,
	at org.apache.directory.api.ldap.model.cursor.CursorIterator.next(CursorIterator.java:89) ~[graylog.jar:?],
	at org.graylog2.security.ldap.LdapConnector.search(LdapConnector.java:142) ~[graylog.jar:?],
	at org.graylog2.security.realm.LdapUserAuthenticator.searchLdapUser(LdapUserAuthenticator.java:160) ~[graylog.jar:?],
	at org.graylog2.security.realm.LdapUserAuthenticator.doGetAuthenticationInfo(LdapUserAuthenticator.java:110) [graylog.jar:?],
	at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:571) [graylog.jar:?],
	at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doMultiRealmAuthentication(ModularRealmAuthenticator.java:219) [graylog.jar:?],
	at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:269) [graylog.jar:?],
	at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198) [graylog.jar:?],
	at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106) [graylog.jar:?],
	at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:274) [graylog.jar:?],
	at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:260) [graylog.jar:?],
	at org.graylog2.shared.security.SessionCreator.create(SessionCreator.java:77) [graylog.jar:?],
	at org.graylog2.rest.resources.system.SessionsResource.newSession(SessionsResource.java:129) [graylog.jar:?],
	at sun.reflect.GeneratedMethodAccessor1060.invoke(Unknown Source) ~[?:?],
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_242],
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_242],
	at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81) [graylog.jar:?],
	at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:144) [graylog.jar:?],
	at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:161) [graylog.jar:?],
	at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:205) [graylog.jar:?],
	at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:99) [graylog.jar:?],
	at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389) [graylog.jar:?],
	at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347) [graylog.jar:?],
	at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102) [graylog.jar:?],
	at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:326) [graylog.jar:?],
	at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [graylog.jar:?],
	at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [graylog.jar:?],
	at org.glassfish.jersey.internal.Errors.process(Errors.java:315) [graylog.jar:?],
	at org.glassfish.jersey.internal.Errors.process(Errors.java:297) [graylog.jar:?],
	at org.glassfish.jersey.internal.Errors.process(Errors.java:267) [graylog.jar:?],
	at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) [graylog.jar:?],
	at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) [graylog.jar:?],
	at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) [graylog.jar:?],
	at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:384) [graylog.jar:?],
	at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224) [graylog.jar:?],
	at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:181) [graylog.jar:?],
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_242],
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_242],
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_242],
Caused by: org.apache.directory.api.ldap.model.cursor.CursorLdapReferralException,
	at org.apache.directory.ldap.client.api.EntryCursorImpl.get(EntryCursorImpl.java:174) ~[graylog.jar:?],
	at org.apache.directory.ldap.client.api.EntryCursorImpl.get(EntryCursorImpl.java:52) ~[graylog.jar:?],
	at org.apache.directory.api.ldap.model.cursor.CursorIterator.next(CursorIterator.java:82) ~[graylog.jar:?],�
	... 38 more,

Without your settings in Graylog in special without your search queries i can not give you a valid answer.

@mungo312
Copy link

For us the actual problem is not to limit the users to the members of one group. We need to use the group mapping feature to map members of nested groups to roles in graylog. The before mentioned LDAP filter is no help at all for our usage scenario.
The Issue is open since 2015 and there was no real effort invested from the Graylog Team, as far as I can see. Is this a supported feature in enterprise edition ? Can we speed up the process by getting enterprise and then open an issue ?

@ppodevlabs
Copy link

ppodevlabs commented Oct 7, 2020
edited

For us the actual problem is not to limit the users to the members of one group. We need to use the group mapping feature to map members of nested groups to roles in graylog. The before mentioned LDAP filter is no help at all for our usage scenario.
The Issue is open since 2015 and there was no real effort invested from the Graylog Team, as far as I can see. Is this a supported feature in enterprise edition ? Can we speed up the process by getting enterprise and then open an issue ?

I managed to make it work actually.

i've created the following structure:

  • graylog-base
    • level1-group
      -level2-group

With this setup and using filters:

Users:
(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(memberof:1.2.840.113556.1.4.1941:=cn=graylog-base,ou=your_ou,dc=your_dc,DC=blabla)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Groups:
(&(objectClass=group)(memberof:1.2.840.113556.1.4.1941:=cn=graylog-base,ou=your_ou,dc=your_dc,DC=blabla)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Results:
User in level1-group can login
user in level2-group can login
Both groups are mapped into graylog

Hope that helps!

@bernd
Copy link
Member

bernd commented Dec 1, 2020

Nested group support is now part of Graylog Enterprise 4.0.

See the following links for more details:

@bernd bernd closed this as completed Dec 1, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature ldap triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests