LDAP Roles not mapping correctly

Hey Guys,

I have been beating my head trying to figure this out… My user roles don't seem to be mapped to Search Guard roles. Using Microsoft Active Directory for authentication.

ES Version: 2.4.0

Elasticsearch log:

[2016-09-24 21:46:13,782][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http basic
[2016-09-24 21:46:13,785][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User 'test2' is in cache? false (cache size: 0)
[2016-09-24 21:46:13,786][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] test2 not cached, return from ldap backend directly
[2016-09-24 21:46:13,801][DEBUG][com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend] bindDn CN=Test Account,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com, password ****
[2016-09-24 21:46:13,846][DEBUG][com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend] Authenticated username CN=test 2,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com
[2016-09-24 21:46:13,851][DEBUG][com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend] bindDn CN=Test Account,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com, password ****
[2016-09-24 21:46:13,887][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User 'User [name=CN=test 2,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com, roles=[Elasticsearch_Admin]]' is authenticated
[2016-09-24 21:46:13,889][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=CN=test 2,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com, roles=[Elasticsearch_Admin]]
[2016-09-24 21:46:13,889][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested cluster:monitor/health from 70.50.56.161:61884
[2016-09-24 21:46:13,889][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolve from class org.elasticsearch.action.admin.cluster.health.ClusterHealthRequest
[2016-09-24 21:46:13,890][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] indicesOptions IndicesOptions[id=7, ignore_unavailable=true, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=true, forbid_closed_indices=false]
[2016-09-24 21:46:13,890][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] raw indices
[2016-09-24 21:46:13,890][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] No indices found in request, assume _all
[2016-09-24 21:46:13,890][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved aliases and indices: [searchguard]
[2016-09-24 21:46:13,890][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved types: [all]
[2016-09-24 21:46:13,892][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] mapped roles: []
[2016-09-24 21:46:13,892][INFO ][com.floragunn.searchguard.configuration.PrivilegesEvaluator] No perm match for cluster:monitor/health and []
[2016-09-24 21:46:13,893][DEBUG][com.floragunn.searchguard.filter.SearchGuardFilter] no permissions for cluster:monitor/health
[2016-09-24 21:46:13,894][DEBUG][rest.suppressed ] path: /cluster/health, params: {pretty=true}
ElasticsearchSecurityException[no permissions for cluster:monitor/health]
at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:164)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:144)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:85)
at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:58)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)
at org.elasticsearch.client.FilterClient.doExecute(FilterClient.java:52)
at org.elasticsearch.rest.BaseRestHandler$HeadersAndContextCopyClient.doExecute(BaseRestHandler.java:88)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)
at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:853)
at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:873)
at org.elasticsearch.rest.action.admin.cluster.health.RestClusterHealthAction.handleRequest(RestClusterHealthAction.java:62)
at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:54)
at org.elasticsearch.rest.RestController.executeHandler(RestController.java:198)
at org.elasticsearch.rest.RestController$RestHandlerFilter.process(RestController.java:280)
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:261)
at com.floragunn.searchguard.filter.SearchGuardRestFilter.process(SearchGuardRestFilter.java:65)
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:264)
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:161)
at org.elasticsearch.http.HttpServer.internalDispatchRequest(HttpServer.java:153)
at org.elasticsearch.http.HttpServer$Dispatcher.dispatchRequest(HttpServer.java:101)
at org.elasticsearch.http.netty.NettyHttpServerTransport.dispatchRequest(NettyHttpServerTransport.java:451)
at com.floragunn.searchguard.ssl.http.netty.SearchGuardSSLNettyHttpServerTransport.dispatchRequest(SearchGuardSSLNettyHttpServerTransport.java:159)
at org.elasticsearch.http.netty.HttpRequestHandler.messageReceived(HttpRequestHandler.java:61)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.elasticsearch.http.netty.pipelining.HttpPipeliningHandler.messageReceived(HttpPipeliningHandler.java:60)
at org.jboss.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:88)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.handler.codec.http.HttpChunkAggregator.messageReceived(HttpChunkAggregator.java:145)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.handler.codec.http.HttpContentDecoder.messageReceived(HttpContentDecoder.java:108)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:459)
at org.jboss.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:536)
at org.jboss.netty.handler.codec.replay.ReplayingDecoder.messageReceived(ReplayingDecoder.java:435)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:459)
at org.jboss.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:536)
at org.jboss.netty.handler.codec.replay.ReplayingDecoder.messageReceived(ReplayingDecoder.java:435)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.elasticsearch.common.netty.OpenChannelsHandler.handleUpstream(OpenChannelsHandler.java:75)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462)
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443)
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

My SG configs are the following.

sg_role.yml:

searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      ldap:
        enabled: true
        order: 5
        http_authenticator:
          type: "basic"
          challenge: true
        authentication_backend:
          type: "ldap"
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - "172.31.55.166:389"
              - "172.31.43.140:389"
            bind_dn: "CN=Test Account,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com"
            password: "XXXXX"
            userbase: "CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com"
    authz:
      roles_from_myldap:
        enabled: true
        authorization_backend:
          type: "ldap"
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - "172.31.55.166:389"
              - "172.31.43.140:389"
            bind_dn: "CN=Test Account,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com"
            password: "XXXXX"
            rolebase: "CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com"
            rolesearch: "(uniqueMember={0})"
            userroleattribute: null
            userrolename: "memberOf"
            rolename: "CN"
            resolve_nested_roles: true
            userbase: "CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com"
            usersearch: "(uid={0})"

I added some additional roles for testing purposes… not sure of the correct format etc.; I was trying to follow the documentation.

sg_role:

sg_all_access:
  cluster:
    - "*"
  indices:
    '*':
      '*':
        - "*"
        - "ALL"
sg_readall:
  cluster:
    - "CLUSTER_ALL"
  indices:
    '*':
      '*':
        - "READ"
sg_kibana4:
  cluster:
    - "CLUSTER_ALL"
  indices:
    '*':
      '*':
        - "READ"
        - "indices:admin/mappings/fields/get*"
        - "indices:admin/validate/query*"
        - "indices:admin/get*"
    '?kibana':
      '*':
        - "ALL"
Elasticsearch_Admin:
  cluster:
    - "*"
  indices:
    '*':
      '*':
        - "*"
        - "ALL"
sg_Elasticsearch_Admin:
  cluster:
    - "*"
  indices:
    '*':
      '*':
        - "*"
        - "ALL"
sg_role_Elasticsearch_Admin:
  cluster:
    - "*"
  indices:
    '*':
      '*':
        - "*"
        - "ALL"

More trial/test configs… not sure of the correct method.

sg_role_mapping:

sg_kibana4:
  backendroles:
    - "CN=Elasticsearch_Kibana,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com"
  roles_from_myldap:
    - "CN=Elasticsearch_Kibana,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com"
sg_all_access:
  backendroles:
    - "CN=Elasticsearch_Admin,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com"
  roles_from_myldap:
    - "CN=Elasticsearch_Admin,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com"
sg_readall:
  backendroles:
    - "CN=Elasticsearch_ReadOnly,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com"
  roles_from_myldap:
    - "CN=Elasticsearch_ReadOnly,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com"
Elasticsearch_Admin:
  backendroles:
    - "CN=Elasticsearch_Admin,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com"
  roles_from_myldap:
    - "CN=Elasticsearch_Admin,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com"
sg_Elasticsearch_Admin:
  backendroles:
    - "CN=Elasticsearch_Admin,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com"
  roles_from_myldap:
    - "CN=Elasticsearch_Admin,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com"
sg_role_Elasticsearch_Admin:
  backendroles:
    - "CN=Elasticsearch_Admin,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com"
  roles_from_myldap:
    - "CN=Elasticsearch_Admin,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com"

I am completely dumbfounded as to why this is not working. In the logs you can see that it detects the role, but I'm not sure why it doesn't map. Any help would be greatly appreciated.

Thanks

Looks like I managed to figure it out. The documentation is not clear at all, but I changed my sg_role_mapping.yml to the following:

sg_kibana4:
  backendroles:
    - Elasticsearch_Kibana
sg_all_access:
  backendroles:
    - Elasticsearch_Admin
sg_readall:
  backendroles:
    - Elasticsearch_ReadOnly

"Elasticsearch_Admin" etc. are the actual security group names that are being pulled from my LDAP. I think we should make this clearer in the LDAP documentation… it was very confusing and took a lot of trial and error to figure it out.
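As an added example (editor's code, not Search Guard's own implementation), the Python below re-implements, in simplified form, the two steps visible in the log above. First, the LDAP authorization backend turns each group DN found in the user's `memberOf` attribute into a backend role name according to the `rolename` setting; with `rolename: "CN"` the group `CN=Elasticsearch_Admin,CN=Users,...` becomes the bare string `Elasticsearch_Admin`, which is exactly what `roles=[Elasticsearch_Admin]` shows. Second, sg_roles_mapping compares those names against each `backendroles` entry as plain strings. With full DNs in `backendroles` nothing matches and you get `mapped roles: []`; with the bare CN values, `sg_all_access` is mapped. The `memberOf` value is constructed for this example, the DN parser is a small RFC 4514-style splitter written here, and the matching ignores the `users`/`hosts` mapping keys and any wildcard handling Search Guard itself may perform.

```python
"""Simplified model of Search Guard LDAP backend-role resolution and sg_roles_mapping
lookup. Added example, not Search Guard code; see lead-in for assumptions."""
from typing import Dict, List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes
    so that a value such as 'Smith\\, John' is not cut at the escaped comma."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def backend_role_name(group_dn: str, rolename: str) -> str:
    """Apply the `rolename` setting: 'dn' keeps the whole DN as the role name,
    any other value picks the first RDN whose attribute matches (e.g. CN)."""
    if rolename.lower() == "dn":
        return group_dn
    for attr, value in parse_dn(group_dn):
        if attr == rolename.lower():
            return value
    raise ValueError(f"attribute {rolename!r} not present in {group_dn!r}")


def resolve_backend_roles(member_of: List[str], rolename: str) -> List[str]:
    """What the authorization backend hands to the privilege evaluator."""
    return [backend_role_name(dn, rolename) for dn in member_of]


def map_roles(backend_roles: List[str],
              roles_mapping: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """sg_roles_mapping lookup (simplified): a Search Guard role is granted when
    any of its `backendroles` entries is string-equal to one of the user's roles."""
    have = set(backend_roles)
    return sorted(sg_role for sg_role, mapping in roles_mapping.items()
                  if have & set(mapping.get("backendroles", [])))


# Constructed sample: the memberOf value AD would return for user test2 (assumption,
# consistent with the group names in the thread).
TEST2_MEMBER_OF = ["CN=Elasticsearch_Admin,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com"]

# Mapping as first posted (full DNs) next to the version that worked (CN values).
MAPPING_BROKEN = {
    "sg_all_access": {"backendroles": [
        "CN=Elasticsearch_Admin,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com"]},
    "sg_readall": {"backendroles": [
        "CN=Elasticsearch_ReadOnly,CN=Users,DC=ute-dev,DC=rci,DC=test,DC=com"]},
}
MAPPING_FIXED = {
    "sg_all_access": {"backendroles": ["Elasticsearch_Admin"]},
    "sg_readall": {"backendroles": ["Elasticsearch_ReadOnly"]},
    "sg_kibana4": {"backendroles": ["Elasticsearch_Kibana"]},
}


def demo(rolename: str = "CN"):
    """Return (backend roles, roles mapped via broken config, roles mapped via fixed config)."""
    roles = resolve_backend_roles(TEST2_MEMBER_OF, rolename)
    return roles, map_roles(roles, MAPPING_BROKEN), map_roles(roles, MAPPING_FIXED)


if __name__ == "__main__":
    roles, broken, fixed = demo()
    print(f"backend roles with rolename=CN : {roles}")
    print(f"mapped roles, full-DN mapping  : {broken}")   # [] -> 'No perm match'
    print(f"mapped roles, CN mapping       : {fixed}")
```

Two caveats a practitioner would want alongside this: the form of the `backendroles` strings must agree with `rolename` (had it been set to `dn`, the full-DN mapping would have been the right one), and the authz config above connects to port 389 with `enable_ssl: false` and `enable_start_tls: false`, so the `bind_dn` password is sent to the domain controllers in the clear and `verify_hostnames: true` has nothing to verify.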

Hi - thanks for your input, and glad it worked out for you. Can you please elaborate a bit on which parts of the documentation are confusing, so we can rework and improve it?

Thanks!

On Sunday, 25 September 2016 00:43:47 UTC+2, zohaib butt wrote:

> Looks like I managed to figure it out. The documentation is not clear at all, but I changed my sg_role_mapping.yml to the following:
>
> sg_kibana4:
>   backendroles:
>     - Elasticsearch_Kibana
> sg_all_access:
>   backendroles:
>     - Elasticsearch_Admin
> sg_readall:
>   backendroles:
>     - Elasticsearch_ReadOnly
>
> "Elasticsearch_Admin" etc. are the actual security group names that are being pulled from my LDAP. I think we should make this clearer in the LDAP documentation… it was very confusing and took a lot of trial and error to figure it out.