Я пытаюсь установить аутентификацию LDAP Elasticsearch, используя каноническое имя (cn)
Я ищу OU пользователя по умолчанию с учетными данными администратора домена (в качестве теста), я создал пользователя user1 и поместил его в группу «Администраторы» (та же группа, что и у администратора домена) и использовал cn в качестве имени пользователя
сп = user1
SamAccountName = user1
sg_roles.yml:
ldap:
http_enabled: false
transport_enabled: false
order: 5
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- dc.test.com:389
bind_dn: cn=Administrator,cn=Users,dc=test,dc=com
password: Pass
userbase: 'cn=Administrators,cn=Builtin,dc=test,dc=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: '(sAMAccountName={0})'
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: cn
authz:
roles_from_myldap:
http_enabled: false
transport_enabled: false
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- dc.test.com:389
bind_dn: cn=Administrator,cn=Users,dc=test,dc=com
password: Pass
rolebase: 'cn=Builtin,dc=test,dc=com'
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: '(member={0})'
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
#userrolename: disabled
userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is "name".
# Can also be "dn" to use the full DN as rolename.
rolename: cn
# Resolve nested roles transitive (roles which are members of other roles and so on ...)
resolve_nested_roles: true
userbase: 'cn=Administrators,cn=Builtin,dc=test,dc=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: '(uid={0})'
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - 'cn=Michael Jackson,ou*people,o=TEST'
# - '/\S*/'
roles_from_another_ldap:
enabled: false
sg_roles.yml
sg_ad_admins:
readonly: true
cluster:
- UNLIMITED
indices:
'*':
'*':
- UNLIMITED
tenants:
admin_tenant: RW
sg_roles_mapping.yml
sg_ad_admins:
backendroles:
- "cn=Administrators,cn=Builtin,dc=test,dc=com"
при аутентификации с
curl -Ss -k https://user1:Pass@ekl.test.com:9200/_cluster/health
Получение
[WARN] [c.f.s.a.BackendRegistry] [1XeQ7xr] Аутентификация окончательно не удалась для> user1 из 172.17.252.71:51680
[2019-04-02T00: 39: 20,601] [WARN] [c.f.s.a.BackendRegistry] [1XeQ7xr]> Аутентификация окончательно не удалась для user1 с 172.17.252.71:51682
[2019-04-02T00: 48: 24,049] [WARN] [c.f.s.a.BackendRegistry] [1XeQ7xr]> В конце концов аутентификация для user1 завершилась неудачей с 172.17.252.71:51684
[root @ vm1 sgconfig] #
Контроллер домена доступен из Elasticsearch через порт 389
Аутентификация также не выполняется для администратора с той же ошибкой.
EDIT
воссозданный сценарий
В тестовой группе есть user1, который должен пройти аутентификацию в Easticsearch
в service_account OU - учетная запись службы, которая ищет пользователей в AD.
User1:
CN=user1,OU=UA,DC=test,DC=com
В UA OU - user1 (участник тестовой группы безопасности)
ldap:
http_enabled: true
transport_enabled: true
order: 2
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- dc.test.com:389
bind_dn: "CN=service,OU=service_accounts,DC=test,DC=com"
password: "Pass"
userbase: "OU=UA,DC=test,DC=com"
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: "(cn={0})"
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: "cn"
authz:
roles_from_myldap:
http_enabled: false
transport_enabled: false
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- "dc.test.com:389"
bind_dn: "CN=service,OU=service_accounts,DC=test,DC=com"
password: "Pass"
#rolebase: "OU=UA,DC=test,DC=com"
rolebase: "CN=test,OU=groups,DC=test,DC=com"
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: "(member={0})"
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
#userrolename: disabled
userrolename: "memberOf"
# The attribute in a role entry containing the name of that role, Default is "name".
# Can also be "dn" to use the full DN as rolename.
rolename: "cn"
# Resolve nested roles transitive (roles which are members of other roles and so on ...)
resolve_nested_roles: "true"
userbase: 'CN=test,OU=groups,DC=test,DC=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: "(cn={0})"
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - 'cn=Michael Jackson,ou*people,o=TEST'
# - '/\S*/'
roles_from_another_ldap:
enabled: false
authorization_backend:
Теперь я могу аутентифицироваться, но роль не отображается
curl -Ss -k https://user1:Pass@ekl.test.com:9200/_cluster/health
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:monitor/health] and User [name=user1, roles=[], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [cluster:monitor/health] and User [name=user1, roles=[], requestedTenant=null]"},"status":403}