LDAP(AD) Authorization against groups not working

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version: search-guard-5
  • Installed and used enterprise modules, if any:
  • JVM version and operating system version: 1.8.0_141 on CentOS 7.4
  • Search Guard configuration files:
  • Elasticsearch log messages on debug level:
  • Other installed Elasticsearch or Kibana plugins, if any

We are doing a POC evaluation of SearchGuard for authentication/authorization against AD. We are currently stuck with this issue: SG is not able to do group-based authorization.

Scenario

We have ES and Kibana 5.4.1 running with SearchGuard installed and working fine. We have a couple of indices, like atest and etest, and we are trying to authorize 2 users to each of these indices via an AD group, and have been unsuccessful at it.

We have a user created, atest, and a group, agroup; similarly etest and egroup. We are using agroup to assign the atest index to the atest user. But when we do that we see the following error in the ES logs. We tried to set up debug logging, but we did not find the correct documentation on how to set it up, so we do not have the debug logs. Our config files look as follows.

sg_config.yml

searchguard:
  dynamic:
    authc:
      ldap:
        enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - ragsr01-vm89188.myad.com:389
            bind_dn: CN=Administrator,CN=Users,DC=myad,DC=com
            # bind_dn: CN=elk admin,OU=Users,OU=myOU,DC=myad,DC=com
            password: 'xxxxx'
            userbase: OU=Users,OU=myou,DC=myad,DC=com
            usersearch: '(sAMAccountName={0})'
            username_attribute: null
    authz:
      ldap:
        enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - ragsr01-vm89188.myad.com:389
            bind_dn: null
            password: null
            rolebase: "DC=myad,DC=com"
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: disabled
            rolename: cn
            resolve_nested_roles: true
            rolesearch_enabled: true

In sg_roles.yml I have the following group created:

#Role for myorg
agrouprole:
  cluster:
    - all
  indices:
    'atest-*':
      '*':
        - '*'

egrouprole:
  cluster:
    - all
  indices:
    'etest-*':
      '*':
        - '*'

misc:
  cluster:
    - indices:admin/template/get
    - indices:admin/template/put
  indices:
    'misclogs*':
      '*':
        - CRUD
        - CREATE_INDEX

sg_roles_mapping.yml has the following:

agrouprole:
  backendroles:
    - agroup

eventeslog:
  users:
    - 'CN=eventlog,OU=Users,OU=myou,DC=cmapps,DC=com'

When I log in with auser, who is part of agroup, the following line is printed in the log; in fact the same line is printed for the bind DN user when I run sg_admin.

[2017-12-15T13:39:31,283][ERROR][c.f.s.a.BackendRegistry ] Problems retrieving roles for User [name=CN=auser,OU=Users,OU=myou,DC=myad,DC=com, roles=] from class com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend

I think the above error means the backend roles are not being fetched, which is why SG is not able to assign the correct rights. Any pointers on how to fix this issue?

Thanks,

Sreekanth

To pinpoint the problem you need to set the log level to debug first, otherwise, we can’t help you. How to set the log level to debug for 5.x:

http://docs.search-guard.com/v5/troubleshooting-tls

Please set the log level, restart the node, try to log in with your “auser” and then post the debug logs here.

On Friday, December 15, 2017 at 3:18:57 PM UTC+1, ragisreekanth@gmail.com wrote:

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version: search-guard-5
  • Installed and used enterprise modules, if any :
  • JVM version and operating system version: 1.8.0_141 on CentOS 7.4
  • Search Guard configuration files:
  • Elasticsearch log messages on debug level:
  • Other installed Elasticsearch or Kibana plugins, if any

We are doing a POC evaluation SearchGuard for authentication/Authorization against AD. We are currently stuck with this issue with SG not being able to do group based authorization.

Scenario

We have ES and Kibana running 5.4.1 with SearchGuard installed and running fine. We have a couple of indices like atest and etest and we are trying to authorize 2 users to each of these index via an AD group and have been unsuccessful at it.

We have an user created atest and a group agroup, similarly etest and egroup, We are using agroup to assign atest index to the atest user. But when we do that we are seeing the following error in ES logs. We tried to setup debug but we did not get the correct documentation on how to setup the debug so we do not have the debug logs. Our config files look as following.

sg_config.yml

searchguard:

dynamic:

authc:

ldap:

enabled: true

order: 1

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: ldap

config:

enable_ssl: false

enable_start_tls: false

enable_ssl_client_auth: false

verify_hostnames: false

hosts:

- ragsr01-vm89188.myad.com:389

bind_dn: CN=Administrator,CN=Users,DC=myad,DC=com

# bind_dn: CN=elk admin,OU=Users,OU=myOU,DC=myad,DC=com

password: ‘xxxxx’

userbase: OU=Users,OU=myou,DC=myad,DC=com

usersearch: ‘(sAMAccountName={0})’

username_attribute: null

authz:

ldap:

enabled: true

authorization_backend:

type: ldap

config:

enable_ssl: false

enable_start_tls: false

enable_ssl_client_auth: false

verify_hostnames: false

hosts:

- ragsr01-vm89188.myad.com:389

bind_dn: null

password: null

rolebase: “DC=myad,DC=com”

rolesearch: ‘(member={0})’

userroleattribute: null

userrolename: disabled

rolename: cn

resolve_nested_roles: true

rolesearch_enabled: true

sg_roles.yml I have the following group created

#Role for myorg

agrouprole:

cluster:

- all

indices:

‘atest-*’:

‘*’:

- ‘*’

egrouprole:

cluster:

- all

indices:

‘etest-*’:

‘*’:

- ‘*’

misc:

cluster:

- indices:admin/template/get

- indices:admin/template/put

indices:

‘misclogs*’:

‘*’:

- CRUD

- CREATE_INDEX

sg_roles_mapping.yml has the following.

agrouprole:

backendroles:

- agroup

eventeslog:

users:

- ‘CN=eventlog,OU=Users,OU=myou,DC=cmapps,DC=com’

When I login with auser who is part of the agroup, the following line is printed in the log, infact the same line is printed for the bindDN user when I run the sg_admin.

[2017-12-15T13:39:31,283][ERROR][c.f.s.a.BackendRegistry ] Problems retrieving roles for User [name=CN=auser,OU=Users,OU=myou,DC=myad,DC=com, roles=] from class com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend

I think the above error is not fetching the backend roles due to which the SG is not able to assign the correct rights. Any pointer on how to fix this issue.

Thanks,

Sreekanth

Hi Jochen

I was able to get the correct process for setting the logs to debug; once I did that I was able to figure out the problem. It was being caused by the fact that for authorization queries we were not sending any bind_dn. Once that was provided, it started working. Thanks for your support.

Thanks,

Sreekanth

On Friday, December 15, 2017 at 7:48:57 PM UTC+5:30, ragisr...@gmail.com wrote:

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version: search-guard-5
  • Installed and used enterprise modules, if any :
  • JVM version and operating system version: 1.8.0_141 on CentOS 7.4
  • Search Guard configuration files:
  • Elasticsearch log messages on debug level:
  • Other installed Elasticsearch or Kibana plugins, if any

We are doing a POC evaluation SearchGuard for authentication/Authorization against AD. We are currently stuck with this issue with SG not being able to do group based authorization.

Scenario

We have ES and Kibana running 5.4.1 with SearchGuard installed and running fine. We have a couple of indices like atest and etest and we are trying to authorize 2 users to each of these index via an AD group and have been unsuccessful at it.

We have an user created atest and a group agroup, similarly etest and egroup, We are using agroup to assign atest index to the atest user. But when we do that we are seeing the following error in ES logs. We tried to setup debug but we did not get the correct documentation on how to setup the debug so we do not have the debug logs. Our config files look as following.

sg_config.yml

searchguard:

dynamic:

authc:

ldap:

enabled: true

order: 1

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: ldap

config:

enable_ssl: false

enable_start_tls: false

enable_ssl_client_auth: false

verify_hostnames: false

hosts:

- ragsr01-vm89188.myad.com:389

bind_dn: CN=Administrator,CN=Users,DC=myad,DC=com

# bind_dn: CN=elk admin,OU=Users,OU=myOU,DC=myad,DC=com

password: ‘xxxxx’

userbase: OU=Users,OU=myou,DC=myad,DC=com

usersearch: ‘(sAMAccountName={0})’

username_attribute: null

authz:

ldap:

enabled: true

authorization_backend:

type: ldap

config:

enable_ssl: false

enable_start_tls: false

enable_ssl_client_auth: false

verify_hostnames: false

hosts:

- ragsr01-vm89188.myad.com:389

bind_dn: null

password: null

rolebase: “DC=myad,DC=com”

rolesearch: ‘(member={0})’

userroleattribute: null

userrolename: disabled

rolename: cn

resolve_nested_roles: true

rolesearch_enabled: true

sg_roles.yml I have the following group created

#Role for myorg

agrouprole:

cluster:

- all

indices:

‘atest-*’:

‘*’:

- ‘*’

egrouprole:

cluster:

- all

indices:

‘etest-*’:

‘*’:

- ‘*’

misc:

cluster:

- indices:admin/template/get

- indices:admin/template/put

indices:

‘misclogs*’:

‘*’:

- CRUD

- CREATE_INDEX

sg_roles_mapping.yml has the following.

agrouprole:

backendroles:

- agroup

eventeslog:

users:

- ‘CN=eventlog,OU=Users,OU=myou,DC=cmapps,DC=com’

When I login with auser who is part of the agroup, the following line is printed in the log, infact the same line is printed for the bindDN user when I run the sg_admin.

[2017-12-15T13:39:31,283][ERROR][c.f.s.a.BackendRegistry ] Problems retrieving roles for User [name=CN=auser,OU=Users,OU=myou,DC=myad,DC=com, roles=] from class com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend

I think the above error is not fetching the backend roles due to which the SG is not able to assign the correct rights. Any pointer on how to fix this issue.

Thanks,

Sreekanth
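To make the root cause in this thread concrete, here is an added example (not code from the thread or from Search Guard itself): a small in-memory model of the two LDAP lookups the configuration above describes, the authc user search with `(sAMAccountName={0})` and the authz group search with `(member={0})` under `rolebase`, including nested-group resolution and the `backendroles` mapping. The directory entries, the service-account password and the `allgroups` parent group are constructed, and the model assumes, as AD does by default, that an anonymous search returns no entries, which is what `bind_dn: null` in the authz section produced.

```python
import re

# Constructed in-memory directory mirroring the thread's AD layout (attribute names lowercased).
DIRECTORY = {
    "CN=auser,OU=Users,OU=myou,DC=myad,DC=com": {"samaccountname": ["auser"]},
    "CN=agroup,OU=Groups,OU=myou,DC=myad,DC=com": {
        "cn": ["agroup"], "member": ["CN=auser,OU=Users,OU=myou,DC=myad,DC=com"]},
    "CN=allgroups,OU=Groups,OU=myou,DC=myad,DC=com": {   # constructed parent group
        "cn": ["allgroups"], "member": ["CN=agroup,OU=Groups,OU=myou,DC=myad,DC=com"]},
}
SERVICE_ACCOUNTS = {"CN=Administrator,CN=Users,DC=myad,DC=com": "xxxxx"}  # constructed password

# The thread's authc/authz settings, reduced to the keys this model uses.
AUTHC = {"bind_dn": "CN=Administrator,CN=Users,DC=myad,DC=com", "password": "xxxxx",
         "userbase": "OU=Users,OU=myou,DC=myad,DC=com", "usersearch": "(sAMAccountName={0})"}
AUTHZ_BROKEN = {"bind_dn": None, "password": None, "rolebase": "DC=myad,DC=com",
                "rolesearch": "(member={0})", "rolename": "cn", "resolve_nested_roles": True}
AUTHZ_FIXED = dict(AUTHZ_BROKEN, bind_dn=AUTHC["bind_dn"], password=AUTHC["password"])
ROLES_MAPPING = {"agrouprole": ["agroup"]}  # backendroles from sg_roles_mapping.yml

def ldap_search(bind_dn, password, base, search_filter, value):
    """Run an equality filter such as '(member={0})' under base, with {0} replaced by value.
    As with AD's default policy, an anonymous (bind_dn None) or failed bind returns no entries."""
    if bind_dn is None or SERVICE_ACCOUNTS.get(bind_dn) != password:
        return []
    attr, pattern = re.fullmatch(r"\((\w+)=(.*)\)", search_filter).groups()
    wanted = pattern.replace("{0}", value).lower()   # DNs and attribute values compare case-insensitively
    return [dn for dn, attrs in DIRECTORY.items() if dn.lower().endswith(base.lower())
            and wanted in [v.lower() for v in attrs.get(attr.lower(), [])]]

def resolve_backend_roles(cfg, user_dn):
    """Collect the rolename attribute of every group whose rolesearch matches the user DN and,
    when resolve_nested_roles is set, of the groups those groups are members of."""
    roles, queue, seen = set(), [user_dn], set()
    while queue:
        dn = queue.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for group_dn in ldap_search(cfg["bind_dn"], cfg["password"], cfg["rolebase"], cfg["rolesearch"], dn):
            roles.add(DIRECTORY[group_dn][cfg["rolename"].lower()][0])
            if cfg["resolve_nested_roles"]:
                queue.append(group_dn)
    return sorted(roles)

def authorize(username, authz_cfg):
    """authc user lookup, then the authz role lookup, then backendroles -> Search Guard roles."""
    hits = ldap_search(AUTHC["bind_dn"], AUTHC["password"], AUTHC["userbase"], AUTHC["usersearch"], username)
    if len(hits) != 1:
        return None
    backend = resolve_backend_roles(authz_cfg, hits[0])
    sg_roles = sorted(role for role, brs in ROLES_MAPPING.items() if set(brs) & set(backend))
    return {"dn": hits[0], "backend_roles": backend, "sg_roles": sg_roles}

if __name__ == "__main__":
    print(authorize("auser", AUTHZ_BROKEN))  # backend_roles [] and sg_roles []: the thread's symptom
    print(authorize("auser", AUTHZ_FIXED))   # backend_roles ['agroup', 'allgroups'], sg_roles ['agrouprole']
```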