ldap login not working with graylog-2.0.0-3.beta.2 #2069

Closed
dumpwhanau opened this Issue Apr 13, 2016 · 10 comments

@dumpwhanau

dumpwhanau commented Apr 13, 2016

Problem description

I've been successfully using graylog-1.3.4 with LDAP, but when I tried to set it up with this new v2 system, it doesn't work (BTW the standalone accounts work)

Steps to reproduce the problem

  1. We use AD and have a forest with the LDAP groups in the parent and the user accounts in child domains. By using the AD Global Catalog server ports, you can make this work (i.e. log in with a child account that is a member of a parent group).
  2. I configured the LDAP admin page the same way as the 1.3.4 system, I think. I also chose the cleartext LDAP port 3268 so I could run tcpdump for diagnostics.
  3. Doing a login (and viewing it in Wireshark) shows the following:
  4. Bind with "system username" succeeds. This does a search for the LDAP username I was trying to log in with, and that search returns my LDAP DN plus some attributes such as the groups I am a member of. I can see the graylog groups the "group search pattern" would match on show up as expected.
  5. Graylog then appears to iterate through all those groups, returning their cn, which it already knows. I have no idea what value this is adding, as it doesn't return new data.
  6. Bind with my DN and password. That succeeds. Final packets show graylog initiating the TCP FIN, and cleanup occurs. I see no evidence of any query for the group filter... The entire LDAP transaction is over within <1 sec.
  7. The login form shows "Invalid credentials, please verify them and retry" and the graylog logfile shows the events below.

So according to tcpdump, there is no failed login event, but there is also no attempt to run the LDAP group filter (ours is "(&(objectClass=group)(cn=cis-graylog*))"), and logon fails.

2016-04-13T03:06:09.774Z WARN [SessionsResource] Unable to log in user jhaar@ad.dom.main
org.apache.shiro.authc.AuthenticationException: No account information found for authentication token [org.apache.shiro.authc.UsernamePasswordToken - jhaar@ad.dom.main, rememberMe=false] by this Authenticator instance. Please check that it is configured correctly.
at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:202) ~[graylog.jar:?]
at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106) ~[graylog.jar:?]
at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270) ~[graylog.jar:?]
at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256) ~[graylog.jar:?]
at org.graylog2.rest.resources.system.SessionsResource.newSession(SessionsResource.java:94) [graylog.jar:?]
at sun.reflect.GeneratedMethodAccessor401.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:1.8.0_77]
at java.lang.reflect.Method.invoke(Unknown Source) ~[?:1.8.0_77]
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81) [graylog.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:144) [graylog.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:161) [graylog.jar:?]
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:205) [graylog.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:99) [graylog.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389) [graylog.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347) [graylog.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102) [graylog.jar:?]
at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:326) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:315) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:297) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:267) [graylog.jar:?]
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) [graylog.jar:?]
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) [graylog.jar:?]
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) [graylog.jar:?]
at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:384) [graylog.jar:?]
at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224) [graylog.jar:?]
at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [graylog.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:1.8.0_77]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:1.8.0_77]
at java.lang.Thread.run(Unknown Source) [?:1.8.0_77]

Environment

  • Graylog Version: graylog-server-2.0.0-3.beta.2.noarch
  • Elasticsearch Version: elasticsearch-2.3.1-1.noarch
  • MongoDB Version: 2.6.11-1.el7
  • Operating System: CentOS-7/64bit
  • Java: jre1.8.0_77-1.8.0_77-fcs.x86_64
  • Browser version: Firefox/Chrome/everything
@alexdepalex

alexdepalex commented Apr 13, 2016

Possibly related to this issue, which just got fixed yesterday? #2045

@kroepke

Member

kroepke commented Apr 13, 2016

Yes, that is very likely related to that issue.

@dumpwhanau I'll close this one, if the problem persists in beta.3 please reopen it. beta.3 will also log the exception that caused the login to fail, something previous versions neglected to do.

@kroepke kroepke closed this Apr 13, 2016

@kroepke

Member

kroepke commented Apr 13, 2016

FWIW you can also try the most recent snapshot at http://packages.graylog2.org/_/snapshots?q=2.0.0-beta.3 to check if it's gone.

@alexdepalex

alexdepalex commented Apr 13, 2016

@kroepke Tried the latest snapshot and it fixed the issue for me.

@kroepke

Member

kroepke commented Apr 13, 2016

Great! Thanks for the feedback!

@dumpwhanau

dumpwhanau commented Apr 13, 2016

Yep - fixed it.

Thanks!

@dumpwhanau

dumpwhanau commented Apr 13, 2016

Whoops! Massive security hole!

I can now log in with ANY PASSWORD. The logs show the following error, but I end up logged in. I just tried it from a browser I've never used with graylog before (no chance of cookies), and with a password of "xxx" I am logged in. So that beta3 version has a problem.

2016-04-13T10:44:13.891Z ERROR [LdapUserAuthenticator] Error during LDAP user account sync. Cannot log in user jhaar@ap.trimblecorp.net
java.lang.RuntimeException: MessageType : BIND_RESPONSE
Message ID : 66
BindResponse
Ldap Result
Result code : (INVALID_CREDENTIALS) invalidCredentials
Matched Dn : ''
Diagnostic message : '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1'

@alexdepalex

alexdepalex commented Apr 13, 2016

I can confirm this 😄

@bernd

Member

bernd commented Apr 13, 2016

Thank you, we will investigate ASAP!

@bernd bernd reopened this Apr 13, 2016

@bernd bernd added bug S1 P1 labels Apr 13, 2016

@bernd bernd added this to the 2.0.0 milestone Apr 13, 2016

@joschi joschi added the security label Apr 13, 2016

bernd added a commit that referenced this issue Apr 13, 2016

Ensure login failure by default
Always return `null` by default in LdapUserAuthenticator#doGetAuthenticationInfo()
to make it harder to accidentally log in the user even if the password is
wrong or some other error occurs.

Fixes a security issue where all passwords have been accepted when
using LDAP. This issue was introduced in commit 9b746fa one day ago
and has never been released outside of snapshots.

Fixes #2069

@joschi joschi closed this in #2072 Apr 13, 2016

joschi added a commit that referenced this issue Apr 13, 2016

Ensure login failure by default (#2072)
Always return `null` by default in LdapUserAuthenticator#doGetAuthenticationInfo()
to make it harder to accidentally log in the user even if the password is
wrong or some other error occurs.

Fixes a security issue where all passwords have been accepted when
using LDAP. This issue was introduced in commit 9b746fa one day ago
and has never been released outside of snapshots.

Fixes #2069

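
The fail-open shape the commit message describes, as an added Python illustration that is not Graylog's own Java code: an authenticator whose result is built before the bind, so a logged bind error still hands back an account, next to the fail-closed version that defaults to None and only returns an account on the success path. The directory, DN and passwords are constructed sample data.

```python
import logging
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("LdapUserAuthenticator")

# Constructed stand-in for the directory (DN -> password); not real data.
FAKE_DIRECTORY = {"CN=jhaar,OU=Users,DC=example,DC=test": "correct-horse"}


class LdapError(RuntimeError):
    """Raised when the directory rejects a bind, like the BIND_RESPONSE above."""


def ldap_bind(dn: str, password: str) -> None:
    # Simulated bind: the client raises on failure instead of returning a code.
    if FAKE_DIRECTORY.get(dn) != password:
        raise LdapError("Result code : (INVALID_CREDENTIALS) invalidCredentials")


@dataclass
class AuthenticationInfo:
    principal: str


def fail_open_authenticate(dn: str, password: str) -> Optional[AuthenticationInfo]:
    """Buggy shape: the result is built up front, and an error during bind or
    account sync is only logged, so the caller still receives an account."""
    info = AuthenticationInfo(principal=dn)
    try:
        ldap_bind(dn, password)
        # ... user account sync would happen here ...
    except LdapError as e:
        log.error("Error during LDAP user account sync. Cannot log in user %s: %s", dn, e)
    return info  # non-None even though the bind failed: any password works


def fail_closed_authenticate(dn: str, password: str) -> Optional[AuthenticationInfo]:
    """Fixed shape (what the commit describes): None is the default, and an
    account is returned only on the one path where bind and sync succeeded."""
    info: Optional[AuthenticationInfo] = None
    try:
        ldap_bind(dn, password)
        # ... user account sync would happen here ...
        info = AuthenticationInfo(principal=dn)
    except LdapError as e:
        log.error("Error during LDAP user account sync. Cannot log in user %s: %s", dn, e)
    return info
```

The same error line gets logged in both shapes; only the fail-closed one turns it into a rejected login, which is why the log alone did not reveal the problem.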
@bernd

Member

bernd commented Apr 13, 2016

@dumpwhanau @alexdepalex Thanks again for the report!

This will be fixed in the upcoming 2.0.0-beta.3.

@kroepke kroepke added the triaged label Sep 21, 2016
