When asking questions, please provide the following information:
- Search Guard and Elasticsearch version: search-guard-5
- Installed and used enterprise modules, if any:
- JVM version and operating system version: 1.8.0_141 on CentOS 7.4
- Search Guard configuration files:
- Elasticsearch log messages on debug level:
- Other installed Elasticsearch or Kibana plugins, if any:
We are doing a POC evaluation of SearchGuard for authentication/authorization against AD. We are currently stuck with this issue: SG is not able to do group-based authorization.
Scenario
We have ES and Kibana 5.4.1 running with SearchGuard installed and running fine. We have a couple of indices, like atest and etest, and we are trying to authorize 2 users to each of these indices via an AD group, and have been unsuccessful at it.
We have a user atest and a group agroup, and similarly etest and egroup. We are using agroup to assign the atest index to the atest user. But when we do that we see the following error in the ES logs. We tried to set up debug logging but did not find the correct documentation on how to set it up, so we do not have the debug logs. Our config files look as follows.
sg_config.yml
searchguard:
  dynamic:
    authc:
      ldap:
        enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - ragsr01-vm89188.myad.com:389
            bind_dn: CN=Administrator,CN=Users,DC=myad,DC=com
            # bind_dn: CN=elk admin,OU=Users,OU=myOU,DC=myad,DC=com
            password: 'xxxxx'
            userbase: OU=Users,OU=myou,DC=myad,DC=com
            usersearch: '(sAMAccountName={0})'
            username_attribute: null
    authz:
      ldap:
        enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - ragsr01-vm89188.myad.com:389
            bind_dn: null
            password: null
            rolebase: "DC=myad,DC=com"
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: disabled
            rolename: cn
            resolve_nested_roles: true
            rolesearch_enabled: true
sg_roles.yml: I have the following group created.
#Role for myorg
agrouprole:
  cluster:
    - all
  indices:
    'atest-*':
      '*':
        - '*'
egrouprole:
  cluster:
    - all
  indices:
    'etest-*':
      '*':
        - '*'
misc:
  cluster:
    - indices:admin/template/get
    - indices:admin/template/put
  indices:
    'misclogs*':
      '*':
        - CRUD
        - CREATE_INDEX
sg_roles_mapping.yml has the following:
agrouprole:
  backendroles:
    - agroup
eventeslog:
  users:
    - 'CN=eventlog,OU=Users,OU=myou,DC=cmapps,DC=com'
When I log in as auser, who is part of agroup, the following line is printed in the log; in fact the same line is printed for the bindDN user when I run sg_admin.
[2017-12-15T13:39:31,283][ERROR][c.f.s.a.BackendRegistry ] Problems retrieving roles for User [name=CN=auser,OU=Users,OU=myou,DC=myad,DC=com, roles=] from class com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend
I think the above error means the backend roles are not being fetched, due to which SG is not able to assign the correct rights. Any pointer on how to fix this issue?
Thanks,
Sreekanth
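As an added example (not part of the original post or of Search Guard's own code), here is a small Python model of what the authz block above asks the LDAP backend to do: substitute the user's DN for {0} in rolesearch, collect the groups whose member attribute matches, follow nested groups when resolve_nested_roles is true, and read the rolename attribute (cn) from each group DN. The directory snapshot and the group DNs are constructed; an empty result for a user corresponds to the empty roles= in the log line above.

```python
import re

# Constructed directory snapshot (not real data): group DN -> member DNs.
# The group DNs are assumptions; the post only names the groups agroup/egroup.
DIRECTORY = {
    "CN=agroup,OU=Groups,OU=myou,DC=myad,DC=com": [
        "CN=auser,OU=Users,OU=myou,DC=myad,DC=com",
    ],
    # Nested membership: agroup is itself a member of parentgroup.
    "CN=parentgroup,OU=Groups,OU=myou,DC=myad,DC=com": [
        "CN=agroup,OU=Groups,OU=myou,DC=myad,DC=com",
    ],
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into an LDAP filter."""
    for raw, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        value = value.replace(raw, esc)
    return value

def build_rolesearch(rolesearch, user_dn):
    """Substitute {0} (the authenticated user's DN) into the rolesearch filter."""
    return rolesearch.replace("{0}", escape_filter_value(user_dn))

def search_groups(directory, ldap_filter):
    """Evaluate a (member=<dn>) filter against the snapshot; returns group DNs."""
    m = re.fullmatch(r"\(member=(.+)\)", ldap_filter)
    if not m:
        raise ValueError("only (member=...) filters are modelled here")
    wanted = m.group(1)
    return [g for g, members in directory.items()
            if any(escape_filter_value(mbr) == wanted for mbr in members)]

def resolve_roles(directory, user_dn, rolesearch="(member={0})",
                  rolename="cn", resolve_nested=True):
    """Collect backend role names the way the authz config above describes."""
    found, queue = [], [user_dn]
    while queue:
        for group_dn in search_groups(directory, build_rolesearch(rolesearch, queue.pop())):
            if group_dn not in found:
                found.append(group_dn)
                if resolve_nested:
                    queue.append(group_dn)  # search again with the group as the member
    attr = re.compile(r"^%s=([^,]+)" % re.escape(rolename), re.IGNORECASE)
    return sorted(attr.match(g).group(1) for g in found)
```

Comparing the filter build_rolesearch produces with what an ldapsearch using the same rolebase and filter returns is one way to check whether the rolesearch settings match how the groups are stored in AD.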