New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

LDAP search #234

Open
immort4tor opened this Issue May 30, 2017 · 10 comments

Comments

Projects
None yet
4 participants
@immort4tor
Copy link

immort4tor commented May 30, 2017

How realistic is it to implement a recursive search for groups in LDAP? I would like to create a group for the kibana which includes another group, etc.

@sscarduzio

This comment has been minimized.

Copy link
Owner

sscarduzio commented Jun 15, 2017

is this something other tools support? Do you have exaples?

@immort4tor

This comment has been minimized.

Copy link
Author

immort4tor commented Jun 15, 2017

Hm, for example in powershell:
Get-ADGroupMember 'ACL-smth' -recursive
or pure ldap query:
(&(objectCategory=person)(objectClass=User)(memberOf:1.2.840.113556.1.4.1941:=CN=ACL-smth,OU=ACL-Groups,OU=Groups,DC=dc1))

@sscarduzio

This comment has been minimized.

Copy link
Owner

sscarduzio commented Jun 15, 2017

I'm seriously evaluating the idea of letting users write their own raw search query.

@immort4tor

This comment has been minimized.

Copy link
Author

immort4tor commented Jun 15, 2017

It'll be great!
Can I ask you about some problems here?
I put the last build for 5.3.1 and I had the following problems:

  1. A lot of spam in cluster_name.log
[2017-06-15T22:13:56,053][INFO ][o.e.p.r.e.r.RequestContextImpl] found 50 subrequests
[2017-06-15T22:13:56,090][INFO ][o.e.p.r.e.r.RequestContextImpl] found 50 subrequests
[2017-06-15T22:13:56,409][INFO ][o.e.p.r.e.r.RequestContextImpl] found 50 subrequests
[2017-06-15T22:13:56,448][INFO ][o.e.p.r.e.r.RequestContextImpl] found 50 subrequests
[2017-06-15T22:13:56,716][INFO ][o.e.p.r.e.r.RequestContextImpl] found 50 subrequests
[2017-06-15T22:13:56,758][INFO ][o.e.p.r.e.r.RequestContextImpl] found 50 subrequests
[2017-06-15T22:13:57,030][INFO ][o.e.p.r.e.r.RequestContextImpl] found 50 subrequests
[2017-06-15T22:13:57,074][INFO ][o.e.p.r.e.r.RequestContextImpl] found 50 subrequests
[2017-06-15T22:13:57,402][INFO ][o.e.p.r.e.r.RequestContextImpl] found 50 subrequests
[2017-06-15T22:13:57,437][INFO ][o.e.p.r.e.r.RequestContextImpl] found 50 subrequests
[2017-06-15T22:13:57,547][INFO ][o.e.p.r.e.r.RequestContextImpl] found 3 subrequests

and

[2017-06-15T21:55:39,817][INFO ][o.e.p.r.e.r.RequestContextImpl] found 1 subrequests
[2017-06-15T21:55:39,818][INFO ][o.e.p.r.e.r.SubRequestContext] id: 363849681-709332811-sub--794783624 - Not replacing in sub-request. Indices are the same. Ol
d:[exchange-msg-trk-2017.06.15] New:[exchange-msg-trk-2017.06.15]
[2017-06-15T21:55:41,343][INFO ][o.e.p.r.e.r.RequestContextImpl] found 1 subrequests
[2017-06-15T21:55:41,344][INFO ][o.e.p.r.e.r.SubRequestContext] id: 229513111-1945954505-sub--587609691 - Not replacing in sub-request. Indices are the same. O
ld:[exchange-msg-trk-2017.06.14] New:[exchange-msg-trk-2017.06.14]
[2017-06-15T21:55:41,503][INFO ][o.e.p.r.e.r.RequestContextImpl] found 1 subrequests
[2017-06-15T21:55:41,503][INFO ][o.e.p.r.e.r.SubRequestContext] id: 1666120514-1167812133-sub-1964547270 - Not replacing in sub-request. Indices are the same.
Old:[exchange-msg-trk-2017.06.13] New:[exchange-msg-trk-2017.06.13]
[2017-06-15T21:55:41,636][INFO ][o.e.p.r.e.r.RequestContextImpl] found 1 subrequests
[2017-06-15T21:55:41,636][INFO ][o.e.p.r.e.r.SubRequestContext] id: 2045851404-253073814-sub-221736935 - Not replacing in sub-request. Indices are the same. Ol
d:[exchange-msg-trk-2017.06.12] New:[exchange-msg-trk-2017.06.12]

How can i exclude it?
UPDATE: Fixed it with:

logger.requestcontext.name = org.elasticsearch.plugin.readonlyrest.es.requestcontext
logger.requestcontext.level = error
  1. LDAP Auth and authz works, but got an error when winlogbeat works. Why?
[2017-06-15T21:41:37,353][ERROR][org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient] LDAP authenticate ope
ration failed
[2017-06-15T21:41:37,386][ERROR][org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient] LDAP authenticate ope
ration failed
[2017-06-15T21:41:37,401][ERROR][org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient] LDAP authenticate ope
ration failed
[2017-06-15T21:41:37,409][ERROR][org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient] LDAP authenticate ope
ration failed
[2017-06-15T21:41:37,419][ERROR][org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient] LDAP authenticate ope
ration failed
[2017-06-15T21:41:37,427][ERROR][org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient] LDAP authenticate ope
ration failed
[2017-06-15T21:41:37,436][ERROR][org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient] LDAP authenticate ope
ration failed
[2017-06-15T21:41:37,468][ERROR][org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient] LDAP authenticate ope
ration failed
[2017-06-15T21:41:37,488][ERROR][org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient] LDAP authenticate ope
ration failed
[2017-06-15T21:41:37,498][ERROR][org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient] LDAP authenticate ope
ration failed
[2017-06-15T21:41:37,506][ERROR][org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient] LDAP authenticate ope
ration failed
[2017-06-15T21:41:37,515][ERROR][org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient] LDAP authenticate ope
ration failed
[2017-06-15T21:41:37,523][ERROR][org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient] LDAP authenticate ope
ration failed
@immort4tor

This comment has been minimized.

Copy link
Author

immort4tor commented Jun 15, 2017

http.type: ssl_netty4
readonlyrest:
    enable: true
    response_if_req_forbidden: Forbidden request

    ssl:
      enable: true
      keystore_file: "/etc/elasticsearch/pki/keystore.jks"
      key_alias: ******
      keystore_pass: *******
      key_pass: *******

    access_control_rules:

    - name: LDAP Read-Write
      type: allow
      kibana_access: rw
      ldap_auth:
          name: "ldap1"
          groups: ["ACL-Kibana-RW"]
      indices: [".kibana", "winlogbeat-*", "exchange-*"]

   - name: LDAP Read-only
      type: allow
      kibana_access: ro
      ldap_auth:
          name: "ldap1"
          groups: ["ACL-Kibana-RO"]
      indices: [".kibana", "winlogbeat-*", "exchange-*"]
    
    - name: kibana-server
      type: allow
      auth_key_sha256: ****
      verbosity: error
      indices: [".kibana"]

    - name: logstash-server
      type: allow
      auth_key_sha256: ***
      actions: ["cluster:monitor/main","cluster:monitor/health","indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["exchange-*"]
   
    - name: winlogbeat-elastic
      type: allow
      auth_key_sha256: ***
      actions: ["cluster:monitor/main","cluster:monitor/health","indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["winlogbeat-*"]

    ldaps:

    - name: ldap1
      host: "dc.mydomain"
      port: 389
      ssl_enabled: false
      ssl_trust_all_certs: true
      bind_dn: "cn=elastic,ou=service,dc=dc"
      bind_password: "****"
      search_user_base_DN: "dc=dc"
      user_id_attribute: "SamAccountName"
      search_groups_base_DN: "dc=dc"
      unique_member_attribute: "member"
      connection_pool_size: 10                                  # optional, default 30
      connection_timeout_in_sec: 10                             # optional, default 1
      request_timeout_in_sec: 10                                # optional, default 1
      cache_ttl_in_sec: 60                                      # optional, default 0 - cache disabled
@sscarduzio

This comment has been minimized.

Copy link
Owner

sscarduzio commented Jun 16, 2017

in 1.16.6 I put the chatty logs in debug mode, and added printing more info about that weird LDAP exception

@immort4tor

This comment has been minimized.

Copy link
Author

immort4tor commented Jun 19, 2017

Hm, install 1.16.6 - nothing changes:

[2017-06-19T09:52:31,690][ERROR][org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient] LDAP authenticate operation failed
[2017-06-19T09:52:31,699][ERROR][org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient] LDAP authenticate operation failed
[2017-06-19T09:52:31,707][ERROR][org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient] LDAP authenticate operation failed
[2017-06-19T09:52:31,716][ERROR][org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient] LDAP authenticate operation failed
[2017-06-19T09:52:31,724][ERROR][org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient] LDAP authenticate operation failed
[2017-06-19T09:52:31,748][ERROR][org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient] LDAP authenticate operation failed
[2017-06-19T09:52:31,759][ERROR][org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient] LDAP authenticate operation failed

And it arises at work winlogbeat. Why he is trying to go to LDAP? For him there is his own rule ...

@sscarduzio

This comment has been minimized.

Copy link
Owner

sscarduzio commented Jun 19, 2017

ACL are evaluated sequentially. Move the rules that involve remote connections to authentication servers to the bottom

@ld57 ld57 referenced this issue Jun 29, 2017

Open

Password issues #243

@barryib

This comment has been minimized.

Copy link

barryib commented Nov 15, 2017

@immort4tor @sscarduzio I don't know how this issue is going, but for the records, here is how I get nested groups working for me:

    ldap_ad:
      name: ldap_ad
      host: "... your ad server goes here ..."
      port: 636
      ssl_enabled: true
      bind_dn: "... bind DN here ..."
      search_user_base_DN: "..."
      user_id_attribute: "sAMAccountName"
      search_groups_base_DN: "..."
      unique_member_attribute: "member:1.2.840.113556.1.4.1941:"

To get groups recursively, I use LDAP_MATCHING_RULE_IN_CHAIN

unique_member_attribute: "member:1.2.840.113556.1.4.1941:"

https://stackoverflow.com/a/6202683
https://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx

@ld57

This comment has been minimized.

Copy link

ld57 commented Nov 15, 2017

roooh, buying your apporach !

will try it on my side too

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment