搜索守卫 LDAP 身份验证 - 用户身份验证最终失败 - Elasticsearch
Search guard LDAP authentication - Authentication finally failed for user - Elasticsearch
我正在尝试使用规范名称 (cn) 设置 LDAP Elasticsearch 身份验证
我正在使用域管理员凭据搜索默认用户 OU(作为测试),我创建了用户 user1 并将他放入管理员组(与域管理员相同的组)并使用 cn 作为用户名
cn=user1
samaccountname=user1
sg_roles.yml:
ldap:
http_enabled: false
transport_enabled: false
order: 5
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- dc.test.com:389
bind_dn: cn=Administrator,cn=Users,dc=test,dc=com
password: Pass
userbase: 'cn=Administrators,cn=Builtin,dc=test,dc=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: '(sAMAccountName={0})'
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: cn
authz:
roles_from_myldap:
http_enabled: false
transport_enabled: false
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- dc.test.com:389
bind_dn: cn=Administrator,cn=Users,dc=test,dc=com
password: Pass
rolebase: 'cn=Builtin,dc=test,dc=com'
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: '(member={0})'
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
#userrolename: disabled
userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is "name".
# Can also be "dn" to use the full DN as rolename.
rolename: cn
# Resolve nested roles transitive (roles which are members of other roles and so on ...)
resolve_nested_roles: true
userbase: 'cn=Administrators,cn=Builtin,dc=test,dc=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: '(uid={0})'
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - 'cn=Michael Jackson,ou*people,o=TEST'
# - '/\S*/'
roles_from_another_ldap:
enabled: false
sg_roles.yml
sg_ad_admins:
readonly: true
cluster:
- UNLIMITED
indices:
'*':
'*':
- UNLIMITED
tenants:
admin_tenant: RW
sg_roles_mapping.yml
sg_ad_admins:
backendroles:
- "cn=Administrators,cn=Builtin,dc=test,dc=com"
使用
进行身份验证时
curl -Ss -k https://user1:Pass@ekl.test.com:9200/_cluster/health
得到
[WARN ][c.f.s.a.BackendRegistry ] [1XeQ7xr] Authentication finally failed for >user1 from 172.17.252.71:51680
[2019-04-02T00:39:20,601][WARN ][c.f.s.a.BackendRegistry ] [1XeQ7xr] >Authentication finally failed for user1 from 172.17.252.71:51682
[2019-04-02T00:48:24,049][WARN ][c.f.s.a.BackendRegistry ] [1XeQ7xr] >Authentication finally failed for user1 from 172.17.252.71:51684
[root@vm1 sgconfig]#
可从端口 389 上的 Elasticsearch 访问域控制器
管理员身份验证也失败,出现同样的错误。
编辑
重新创建场景
测试组中的user1需要向Easticsearch进行身份验证
在 service_account OU 中是为用户搜索 AD 的服务帐户。
用户 1:
CN=user1,OU=UA,DC=test,DC=com
在 UA OU 中是 user1(测试安全组的成员)
ldap:
http_enabled: true
transport_enabled: true
order: 2
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- dc.test.com:389
bind_dn: "CN=service,OU=service_accounts,DC=test,DC=com"
password: "Pass"
userbase: "OU=UA,DC=test,DC=com"
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: "(cn={0})"
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: "cn"
authz:
roles_from_myldap:
http_enabled: false
transport_enabled: false
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- "dc.test.com:389"
bind_dn: "CN=service,OU=service_accounts,DC=test,DC=com"
password: "Pass"
#rolebase: "OU=UA,DC=test,DC=com"
rolebase: "CN=test,OU=groups,DC=test,DC=com"
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: "(member={0})"
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
#userrolename: disabled
userrolename: "memberOf"
# The attribute in a role entry containing the name of that role, Default is "name".
# Can also be "dn" to use the full DN as rolename.
rolename: "cn"
# Resolve nested roles transitive (roles which are members of other roles and so on ...)
resolve_nested_roles: "true"
userbase: 'CN=test,OU=groups,DC=test,DC=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: "(cn={0})"
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - 'cn=Michael Jackson,ou*people,o=TEST'
# - '/\S*/'
roles_from_another_ldap:
enabled: false
authorization_backend:
现在,我可以进行身份验证,但角色未映射
curl -Ss -k https://user1:Pass@ekl.test.com:9200/_cluster/health
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:monitor/health] and User [name=user1, roles=[], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [cluster:monitor/health] and User [name=user1, roles=[], requestedTenant=null]"},"status":403}
终于开始工作了,Search Guard 文档太糟糕了:
ldap:
http_enabled: true
transport_enabled: true
order: 2
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- dc.test.com:389
bind_dn: "CN=service,OU=service_accounts,DC=test,DC=com"
password: "Pass"
userbase: "OU=UA,DC=test,DC=com"
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: "(cn={0})"
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: "cn"
authz:
roles_from_myldap:
http_enabled: true
transport_enabled: true
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- "dc.test.com:389"
bind_dn: "CN=service,OU=service_accounts,DC=test,DC=com"
password: "Pass"
#rolebase: "OU=UA,DC=test,DC=com"
rolebase: "CN=test,OU=groups,DC=test,DC=com"
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: "(member={0})"
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
#userrolename: disabled
userrolename: "memberOf"
# The attribute in a role entry containing the name of that role, Default is "name".
# Can also be "dn" to use the full DN as rolename.
rolename: "cn"
# Resolve nested roles transitive (roles which are members of other roles and so on ...)
resolve_nested_roles: "true"
userbase: 'CN=test,OU=groups,DC=test,DC=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: "(cn={0})"
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - 'cn=Michael Jackson,ou*people,o=TEST'
# - '/\S*/'
roles_from_another_ldap:
enabled: false
authorization_backend:
不得不改变 sg_roles_mapping.yml"
sg_ad_admin:
readonly: true
backendroles:
- test
我正在尝试使用规范名称 (cn) 设置 LDAP Elasticsearch 身份验证
我正在使用域管理员凭据搜索默认用户 OU(作为测试),我创建了用户 user1 并将他放入管理员组(与域管理员相同的组)并使用 cn 作为用户名
cn=user1
samaccountname=user1
sg_roles.yml:
ldap:
http_enabled: false
transport_enabled: false
order: 5
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- dc.test.com:389
bind_dn: cn=Administrator,cn=Users,dc=test,dc=com
password: Pass
userbase: 'cn=Administrators,cn=Builtin,dc=test,dc=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: '(sAMAccountName={0})'
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: cn
authz:
roles_from_myldap:
http_enabled: false
transport_enabled: false
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- dc.test.com:389
bind_dn: cn=Administrator,cn=Users,dc=test,dc=com
password: Pass
rolebase: 'cn=Builtin,dc=test,dc=com'
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: '(member={0})'
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
#userrolename: disabled
userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is "name".
# Can also be "dn" to use the full DN as rolename.
rolename: cn
# Resolve nested roles transitive (roles which are members of other roles and so on ...)
resolve_nested_roles: true
userbase: 'cn=Administrators,cn=Builtin,dc=test,dc=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: '(uid={0})'
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - 'cn=Michael Jackson,ou*people,o=TEST'
# - '/\S*/'
roles_from_another_ldap:
enabled: false
sg_roles.yml
sg_ad_admins:
readonly: true
cluster:
- UNLIMITED
indices:
'*':
'*':
- UNLIMITED
tenants:
admin_tenant: RW
sg_roles_mapping.yml
sg_ad_admins:
backendroles:
- "cn=Administrators,cn=Builtin,dc=test,dc=com"
使用
进行身份验证时curl -Ss -k https://user1:Pass@ekl.test.com:9200/_cluster/health
得到
[WARN ][c.f.s.a.BackendRegistry ] [1XeQ7xr] Authentication finally failed for >user1 from 172.17.252.71:51680 [2019-04-02T00:39:20,601][WARN ][c.f.s.a.BackendRegistry ] [1XeQ7xr] >Authentication finally failed for user1 from 172.17.252.71:51682 [2019-04-02T00:48:24,049][WARN ][c.f.s.a.BackendRegistry ] [1XeQ7xr] >Authentication finally failed for user1 from 172.17.252.71:51684 [root@vm1 sgconfig]#
可从端口 389 上的 Elasticsearch 访问域控制器
管理员身份验证也失败,出现同样的错误。
编辑
重新创建场景
测试组中的user1需要向Easticsearch进行身份验证 在 service_account OU 中是为用户搜索 AD 的服务帐户。
用户 1:
CN=user1,OU=UA,DC=test,DC=com
在 UA OU 中是 user1(测试安全组的成员)
ldap:
http_enabled: true
transport_enabled: true
order: 2
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- dc.test.com:389
bind_dn: "CN=service,OU=service_accounts,DC=test,DC=com"
password: "Pass"
userbase: "OU=UA,DC=test,DC=com"
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: "(cn={0})"
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: "cn"
authz:
roles_from_myldap:
http_enabled: false
transport_enabled: false
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- "dc.test.com:389"
bind_dn: "CN=service,OU=service_accounts,DC=test,DC=com"
password: "Pass"
#rolebase: "OU=UA,DC=test,DC=com"
rolebase: "CN=test,OU=groups,DC=test,DC=com"
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: "(member={0})"
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
#userrolename: disabled
userrolename: "memberOf"
# The attribute in a role entry containing the name of that role, Default is "name".
# Can also be "dn" to use the full DN as rolename.
rolename: "cn"
# Resolve nested roles transitive (roles which are members of other roles and so on ...)
resolve_nested_roles: "true"
userbase: 'CN=test,OU=groups,DC=test,DC=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: "(cn={0})"
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - 'cn=Michael Jackson,ou*people,o=TEST'
# - '/\S*/'
roles_from_another_ldap:
enabled: false
authorization_backend:
现在,我可以进行身份验证,但角色未映射
curl -Ss -k https://user1:Pass@ekl.test.com:9200/_cluster/health
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:monitor/health] and User [name=user1, roles=[], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [cluster:monitor/health] and User [name=user1, roles=[], requestedTenant=null]"},"status":403}
终于开始工作了,Search Guard 文档太糟糕了:
ldap:
http_enabled: true
transport_enabled: true
order: 2
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- dc.test.com:389
bind_dn: "CN=service,OU=service_accounts,DC=test,DC=com"
password: "Pass"
userbase: "OU=UA,DC=test,DC=com"
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: "(cn={0})"
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: "cn"
authz:
roles_from_myldap:
http_enabled: true
transport_enabled: true
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- "dc.test.com:389"
bind_dn: "CN=service,OU=service_accounts,DC=test,DC=com"
password: "Pass"
#rolebase: "OU=UA,DC=test,DC=com"
rolebase: "CN=test,OU=groups,DC=test,DC=com"
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: "(member={0})"
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
#userrolename: disabled
userrolename: "memberOf"
# The attribute in a role entry containing the name of that role, Default is "name".
# Can also be "dn" to use the full DN as rolename.
rolename: "cn"
# Resolve nested roles transitive (roles which are members of other roles and so on ...)
resolve_nested_roles: "true"
userbase: 'CN=test,OU=groups,DC=test,DC=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: "(cn={0})"
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - 'cn=Michael Jackson,ou*people,o=TEST'
# - '/\S*/'
roles_from_another_ldap:
enabled: false
authorization_backend:
不得不改变 sg_roles_mapping.yml"
sg_ad_admin:
readonly: true
backendroles:
- test