Posted: 2019-04-01 22:49:16
Question:
I am trying to set up LDAP authentication for Elasticsearch using the common name (cn).
I am using domain-admin credentials to search the default users OU (as a test). I created a user user1, put him into the Administrators group (the same group as the domain admins) and used the cn as the username:
cn=user1
samaccountname=user1
sg_roles.yml:
```yaml
ldap:
  http_enabled: false
  transport_enabled: false
  order: 5
  http_authenticator:
    type: basic
    challenge: false
  authentication_backend:
    # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
    type: ldap # NOT FREE FOR COMMERCIAL USE
    config:
      # enable ldaps
      enable_ssl: false
      # enable start tls, enable_ssl should be false
      enable_start_tls: false
      # send client certificate
      enable_ssl_client_auth: false
      # verify ldap hostname
      verify_hostnames: true
      hosts:
        - dc.test.com:389
      bind_dn: cn=Administrator,cn=Users,dc=test,dc=com
      password: Pass
      userbase: 'cn=Administrators,cn=Builtin,dc=test,dc=com'
      # Filter to search for users (currently in the whole subtree beneath userbase)
      # {0} is substituted with the username
      usersearch: '(sAMAccountName={0})'
      # Use this attribute from the user as username (if not set then DN is used)
      username_attribute: cn
authz:
  roles_from_myldap:
    http_enabled: false
    transport_enabled: false
    authorization_backend:
      # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
      type: ldap # NOT FREE FOR COMMERCIAL USE
      config:
        # enable ldaps
        enable_ssl: false
        # enable start tls, enable_ssl should be false
        enable_start_tls: false
        # send client certificate
        enable_ssl_client_auth: false
        # verify ldap hostname
        verify_hostnames: true
        hosts:
          - dc.test.com:389
        bind_dn: cn=Administrator,cn=Users,dc=test,dc=com
        password: Pass
        rolebase: 'cn=Builtin,dc=test,dc=com'
        # Filter to search for roles (currently in the whole subtree beneath rolebase)
        # {0} is substituted with the DN of the user
        # {1} is substituted with the username
        # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
        rolesearch: '(member={0})'
        # Specify the name of the attribute which value should be substituted with {2} above
        userroleattribute: null
        # Roles as an attribute of the user entry
        #userrolename: disabled
        userrolename: memberOf
        # The attribute in a role entry containing the name of that role, Default is "name".
        # Can also be "dn" to use the full DN as rolename.
        rolename: cn
        # Resolve nested roles transitive (roles which are members of other roles and so on ...)
        resolve_nested_roles: true
        userbase: 'cn=Administrators,cn=Builtin,dc=test,dc=com'
        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        usersearch: '(uid={0})'
        # Skip users matching a user name, a wildcard or a regex pattern
        #skip_users:
        #  - 'cn=Michael Jackson,ou*people,o=TEST'
        #  - '/\S*/'
  roles_from_another_ldap:
    enabled: false
```
sg_roles.yml
```yaml
sg_ad_admins:
  readonly: true
  cluster:
    - UNLIMITED
  indices:
    '*':
      '*':
        - UNLIMITED
  tenants:
    admin_tenant: RW
```
sg_roles_mapping.yml
```yaml
sg_ad_admins:
  backendroles:
    - "cn=Administrators,cn=Builtin,dc=test,dc=com"
```
When authenticating with
```
curl -Ss -k https://user1:Pass@ekl.test.com:9200/_cluster/health
```
I get
```
[WARN ][c.f.s.a.BackendRegistry] [1XeQ7xr] Authentication finally failed for user1 from 172.17.252.71:51680
[2019-04-02T00:39:20,601][WARN ][c.f.s.a.BackendRegistry] [1XeQ7xr] Authentication finally failed for user1 from 172.17.252.71:51682
[2019-04-02T00:48:24,049][WARN ][c.f.s.a.BackendRegistry] [1XeQ7xr] Authentication finally failed for user1 from 172.17.252.71:51684
[root@vm1 sgconfig]#
```
The domain controller is reachable from Elasticsearch on port 389.
Authentication as Administrator also fails with the same error.
EDIT
Reproduction scenario
In the test group is user1, who needs to authenticate to Elasticsearch. In the service_accounts OU is the service account used to search for users in AD.
user1:
CN=user1,OU=UA,DC=test,DC=com
In the UA OU is user1 (a member of the test security group).
```yaml
ldap:
  http_enabled: true
  transport_enabled: true
  order: 2
  http_authenticator:
    type: basic
    challenge: false
  authentication_backend:
    # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
    type: ldap # NOT FREE FOR COMMERCIAL USE
    config:
      # enable ldaps
      enable_ssl: false
      # enable start tls, enable_ssl should be false
      enable_start_tls: false
      # send client certificate
      enable_ssl_client_auth: false
      # verify ldap hostname
      verify_hostnames: true
      hosts:
        - dc.test.com:389
      bind_dn: "CN=service,OU=service_accounts,DC=test,DC=com"
      password: "Pass"
      userbase: "OU=UA,DC=test,DC=com"
      # Filter to search for users (currently in the whole subtree beneath userbase)
      # {0} is substituted with the username
      usersearch: "(cn={0})"
      # Use this attribute from the user as username (if not set then DN is used)
      username_attribute: "cn"
authz:
  roles_from_myldap:
    http_enabled: false
    transport_enabled: false
    authorization_backend:
      # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
      type: ldap # NOT FREE FOR COMMERCIAL USE
      config:
        # enable ldaps
        enable_ssl: false
        # enable start tls, enable_ssl should be false
        enable_start_tls: false
        # send client certificate
        enable_ssl_client_auth: false
        # verify ldap hostname
        verify_hostnames: true
        hosts:
          - "dc.test.com:389"
        bind_dn: "CN=service,OU=service_accounts,DC=test,DC=com"
        password: "Pass"
        #rolebase: "OU=UA,DC=test,DC=com"
        rolebase: "CN=test,OU=groups,DC=test,DC=com"
        # Filter to search for roles (currently in the whole subtree beneath rolebase)
        # {0} is substituted with the DN of the user
        # {1} is substituted with the username
        # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
        rolesearch: "(member={0})"
        # Specify the name of the attribute which value should be substituted with {2} above
        userroleattribute: null
        # Roles as an attribute of the user entry
        #userrolename: disabled
        userrolename: "memberOf"
        # The attribute in a role entry containing the name of that role, Default is "name".
        # Can also be "dn" to use the full DN as rolename.
        rolename: "cn"
        # Resolve nested roles transitive (roles which are members of other roles and so on ...)
        resolve_nested_roles: "true"
        userbase: 'CN=test,OU=groups,DC=test,DC=com'
        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        usersearch: "(cn={0})"
        # Skip users matching a user name, a wildcard or a regex pattern
        #skip_users:
        #  - 'cn=Michael Jackson,ou*people,o=TEST'
        #  - '/\S*/'
  roles_from_another_ldap:
    enabled: false
    authorization_backend:
```
Now I can authenticate, but no roles are mapped:
```
curl -Ss -k https://user1:Pass@ekl.test.com:9200/_cluster/health
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:monitor/health] and User [name=user1, roles=[], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [cluster:monitor/health] and User [name=user1, roles=[], requestedTenant=null]"},"status":403}
```
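As an added example (not the asker's files or Search Guard's own code): a small Python model of the two lookups the configuration above describes, a user search under userbase with usersearch, then a role search under rolebase with rolesearch and the user's DN substituted for {0}, run against a constructed in-memory directory holding the DNs from the question. The assumptions are labelled in the code: a subtree search includes its base entry, attribute matching is case-insensitive, and an authz domain with both http_enabled and transport_enabled set to false contributes no roles.

```python
import re
# Constructed AD-like entries mirroring the DNs in the question (not a real directory).
DIRECTORY = {
    "CN=user1,OU=UA,DC=test,DC=com": {
        "cn": ["user1"], "sAMAccountName": ["user1"],
        "memberOf": ["CN=test,OU=groups,DC=test,DC=com"]},
    "CN=test,OU=groups,DC=test,DC=com": {
        "cn": ["test"], "member": ["CN=user1,OU=UA,DC=test,DC=com"]},
    "CN=other,OU=groups,DC=test,DC=com": {"cn": ["other"], "member": []},
}

# The values from the second sg_config.yml in the question (authz domain disabled).
CONFIG = {
    "authc": {"userbase": "OU=UA,DC=test,DC=com", "usersearch": "(cn={0})"},
    "authz": {"http_enabled": False, "transport_enabled": False,
              "rolebase": "CN=test,OU=groups,DC=test,DC=com",
              "rolesearch": "(member={0})", "rolename": "cn", "userrolename": "memberOf"},
}

def ldap_search(base, flt):
    """Toy SUB-scope search for one equality filter '(attr=value)'; returns matching DNs."""
    attr, value = re.fullmatch(r"\((\w+)=(.*)\)", flt).groups()
    hits = []
    for dn, attrs in DIRECTORY.items():
        in_scope = dn.lower().endswith(base.lower())   # assumption: SUB scope includes the base entry
        values = [v.lower() for v in attrs.get(attr, [])]  # assumption: case-insensitive matching
        if in_scope and value.lower() in values:
            hits.append(dn)
    return hits

def resolve(config, username):
    """Return (user_dn, backend_roles) following the two-step flow the config describes."""
    authc, authz = config["authc"], config["authz"]
    users = ldap_search(authc["userbase"], authc["usersearch"].replace("{0}", username))
    if len(users) != 1:
        return None, []                      # no (or ambiguous) user entry: authentication fails
    user_dn = users[0]
    if not (authz["http_enabled"] or authz["transport_enabled"]):
        return user_dn, []                   # authz domain disabled: authenticated, but roles=[]
    roles = set()
    for group_dn in ldap_search(authz["rolebase"], authz["rolesearch"].replace("{0}", user_dn)):
        roles.update(DIRECTORY[group_dn][authz["rolename"]])
    # userrolename: group DNs listed on the user entry itself, mapped to their rolename attribute
    for group_dn in DIRECTORY[user_dn].get(authz.get("userrolename") or "", []):
        roles.update(DIRECTORY.get(group_dn, {}).get(authz["rolename"], []))
    return user_dn, sorted(roles)

if __name__ == "__main__":
    print(resolve(CONFIG, "user1"))          # ('CN=user1,OU=UA,DC=test,DC=com', [])
```

Flipping http_enabled to True in CONFIG["authz"] makes the same call return ["test"], and the first configuration's userbase of cn=Administrators,cn=Builtin,dc=test,dc=com finds no user at all, because user1's entry does not sit beneath that group's DN.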
Discussion:
- What is the DN of the user1 you created? The userbase may be incorrect. You can also raise Search Guard's log level following docs.search-guard.com/latest/troubleshooting-setting-log-level
- Just updated the question
- Now no roles are found for your user. rolebase looks incorrect, try OU=groups,DC=test,DC=com
- Already did, same problem
- It would help if you updated the question to show the latest version of the configuration, as well as the attributes of the test group in Active Directory. You could also try commenting out userrolename, since the documentation indicates that field is the user attribute you want to obtain the groups from (which is not the case in your configuration)
Tags: elasticsearch ldap