I installed Openldap and created one user by following this documentation https://help.ubuntu.com/lts/serverguide/openldap-server.html.
OpenLDAP is working fine.
I also configured LDAP authentication on Open Distro for Elasticsearch (debian package) by referring to this documentation https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/ldap/
I want login to kibana from my custom ldap user. So, I followed this documentation https://aws.amazon.com/blogs/opensource/ldap-integration-for-open-distro-for-elasticsearch/. But, still I am unable to login with my custom ldap user into my kibana.
This is my .ldif file :
dn: ou=People,dc=server,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Groups,dc=server,dc=com
objectClass: organizationalUnit
ou: Groups
dn: cn=miners,ou=Groups,dc=server,dc=com
objectClass: posixGroup
cn: miners
gidNumber: 5000
dn: uid=john,ou=People,dc=server,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
This is my config.yml file for ldap:
ldap:
description: "Authenticate via LDAP or Active Directory"
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap
config:
# enable ldaps
enable_ssl: true
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- server.com:389
- localhost:389
bind_dn: 'uid=John,ou=People,dc=server,dc=com'
password: "johnldap"
userbase: 'ou=people,dc=server,dc=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: '(sAMAccountName={0})'
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: 'uid'
authz:
roles_from_myldap:
description: "Authorize via LDAP or Active Directory"
http_enabled: true
transport_enabled: true
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- server.com:389
- localhost:389
bind_dn: 'uid=John,ou=People,dc=server,dc=com'
password: "johnldap"
rolebase: 'ou=People,dc=server,dc=com'
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: '(member={0})'
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
userrolename: disabled
#userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is "name".
# Can also be "dn" to use the full DN as rolename.
rolename: cn
# Resolve nested roles transitive (roles which are members of other roles and so on ...)
resolve_nested_roles: true
userbase: 'ou=People,dc=server,dc=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: '(uid={0})'
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - 'cn=Michael Jackson,ou*people,o=TEST'
# - '/\S*/'
roles_from_another_ldap:
description: "Authorize via another Active Directory"
http_enabled: false
transport_enabled: false
authorization_backend:
type: ldap
What am I missing ?
Related
I've configured opendistro_security for OpenID. When I attempt to authenticate a user, it fails. Presumably because that user has no permissions. How do I give permissions an openid user? I can't seem to find an obvious way to do so with the internal_user.yml.
I Solved it. For posterity, here's what needed to do in addition to the openis settings in the Kibana.yml File.
1: In the config.yml file on each of my Elasticsearch nodes I needed to add the following:
authc:
openid_auth_domain:
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: openid
challenge: false
config:
subject_key: email
roles_key: roles
openid_connect_url: https://accounts.google.com/.well-known/openid-configuration
authentication_backend:
type: noop
Since I'm using google as my identity provider I needed to make sure my subject_key was "email"
2: Needed to run security config script on each node:
docker exec -it elasticsearch-node1 /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cacert /usr/share/elasticsearch/config/root-ca.pem -cert /usr/share/elasticsearch/config/kirk.pem -key /usr/share/elasticsearch/config/kirk-key.pem -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -icl && docker exec -it elasticsearch-node2 /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cacert /usr/share/elasticsearch/config/root-ca.pem -cert /usr/share/elasticsearch/config/kirk.pem -key /usr/share/elasticsearch/config/kirk-key.pem -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -icl
3: I needed to configure the usersthat I want to have access admin access to a role:
all_access:
reserved: false
backend_roles:
- "admin"
users:
- "name#email.com"
description: "Maps an openid user to all_access"
Now I can assign other users from Kibana
I am trying to add the below entry using the command below:
ldapadd -Y EXTERNAL -H ldapi:/// -f server5_ldap.ldif
The contents of server5_ldap.ldif is provided below:
# Entry 31: cn=default,ou=pwpolicies,dc=example,dc=com
dn: cn=default,ou=pwpolicies,dc=example,dc=com
cn: default
objectclass: device
objectclass: top
objectclass: pwdPolicy
objectclass: pwdPolicyChecker
pwdallowuserchange: TRUE
pwdattribute: userPassword
pwdcheckquality: 2
pwdexpirewarning: 604800
pwdfailurecountinterval: 3600
pwdgraceauthnlimit: 0
pwdinhistory: 5
pwdlockout: TRUE
pwdlockoutduration: 900
pwdmaxage: 0
pwdmaxfailure: 5
pwdminage: 0
pwdminlength: 8
pwdmustchange: FALSE
pwdsafemodify: FALSE
I am getting the error:
ldap_add: Insufficient access (50)
additional info: no write access to parent
My permissions.ldif is as given below:
#OlcAccess
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0} to attrs=userPassword by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {1} to attrs=uid by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {2} to attrs=objectClass by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {3} to attrs=cn by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {4} to attrs=sn by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {5} to * by self write by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by users read by anonymous none
olcAccess: {6} to attrs=userPassword by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=pwpolicies,ou=PPS,dc=example,dc=com" write by * none
I am new to ldap, and I am blocked with this issue Any help will be highly appreciated.
If you want to use Unix domain socket authentication (-Y EXTERNAL), then you have to give root the manage permission to the database. The dn for root authenticating via Unix domain sockets is:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
On Redhat and CentOS only the configuration and the monitor back-ends have root permission.
# ldapsearch -Y EXTERNAL -Q -H ldapi:/// -LLL -o ldif-wrap=no -b cn=config '(objectClass=olcDatabaseConfig)' olcAccess
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
dn: olcDatabase={1}monitor,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by * none
dn: olcDatabase={2}hdb,cn=config
If you want to manage database 2 in the same way you manage the configuration, you have to add the same olcAccess rule to database 2 as it is defined for database 0, the configuration back-end.
to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
I have to configure two OpenLDAP nodes in multi-master mode.
I've also integrated them with our corporate Active Directory, and the integration seems to work, after some verification.
Even if the log say the replication is working fine, I verified that an entity added to one node didn't replicate on the other.
This is my slapd.conf is shown below. The only difference between the two slapd.conf is serverID
### Schema includes ###########################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/microsoft.minimal.schema
## Module paths ##############################################################
modulepath /usr/lib64/openldap/
moduleload back_ldap
moduleload rwm
moduleload syncprov
moduleload accesslog
### Logging ###################################################################
logfile /var/log/slapd/slapd.log
loglevel sync
# Main settings ###############################################################
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Allow v2 binding for legacy clients #########################################
allow bind_v2
### Database local ############################################################
database bdb
suffix "dc=farm,dc=it"
rootdn "cn=manager,dc=farm,dc=it"
rootpw {SSHA}B29rxKxtjTN8JJIppPGJt7ahvUPhd1pa
directory /var/lib/ldap
# Indexes for this back end
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uid eq,pres,sub
access to attrs=userPassword
by self =xw
by dn.exact="cn=manager,dc=farm,dc=it"
by dn.exact="cn=replica,dc=farm,dc=it"
by anonymous auth
by * none
access to *
by anonymous auth
by self write
by dn.exact="cn=replica,dc=farm,dc=it" read
by users read
by * none
# Replica #####################################################################
#Define the server ID.
serverID 2
# Replication configuration, only things you may have to change here are provider, binddn, credentials and searchbase.
syncrepl rid=001
provider=ldap://almldap01.farm.it:389
binddn="cn=replica,dc=farm,dc=it"
bindmethod=simple
credentials="3L3jkKZcSb5anj8ReCi3ZDWnbv9HNeB8"
searchbase="dc=farm,dc=it"
type=refreshAndPersist
interval=00:00:00:10
retry="5 5 300 5"
timeout=1
#Rest replication configuration goes to end of the file.
mirrormode TRUE
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
syncprov-checkpoint 1000 60
### Database definition (Proxy to AD) #########################################
database ldap
readonly yes
protocol-version 3
rebind-as-user yes
uri "ldap://corp.farm.group:389"
suffix "dc=corp,dc=farm,dc=group"
idassert-bind bindmethod=simple
mode=none
binddn="CN=WfLdapBind,OU=Users,OU=WebFarm,DC=corp,DC=farm,DC=group"
credentials="djW5l5hvTPcMcLvV"
idassert-authzFrom "*"
overlay rwm
rwm-map attribute uid sAMAccountName
rwm-map objectClass posixAccount person
The syncrepl rid and provider should also be different in each case. rid should be unique, and provider should point to the other OpenLDAP master.
I am on OpenLdap and trying to modify an entry via an LDIF with slapadd command.
#LDIF
dn: uid=ROOTADMIN,ou=users,dc=example,dc=com
changetype: modify
add: userPassword
userPassword: MyPassWord
But I am getting below error....
54a0fc8e <= str2entry: str2ad(changetype): attribute type undefined
Why changetype is not taken by slapadd command?
Also when I manually try to change the password on ldap browser I get following on the
logs
#!RESULT ERROR
#!CONNECTION ldap://<MY_MACHINENAME>:389
#!DATE 2014-12-29T10:14:16.930
#!ERROR [LDAP: error code 8 - modifications require authentication]
dn: uid=ROOTADMIN,ou=users,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: S2l0ZXNGbHk=
LDAP: error code 8 - modifications require authentication? Which Authenication is required?
An ldif file like this (containing changetype entries) should be used with ldapadd, not slapadd.
I have set up two OpenLDAP servers on my network and am trying to enable authentication through LDAP. I am able to login to my servers if users are authenticated on the local LDAP server. However, after I add a reference object to the other server I can't see the object through phpldapadmin. Here's what I am adding with ldapadd.
dn: uid=server2,ou=People,dc=example,dc=com
objectClass: referral
objectClass: extensibleObject
cn: server2
ref: ldap://192.168.4.105/ou=People,dc=server2,dc=example,dc=com
It successfully adds but I am unable to see it through phpldapadmin. I can view it through ldapsearch this is what I get.
$ ldapsearch -h 192.168.4.106 -x -b "uid=server2,ou=People,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <uid=server2,ou=People,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 10 Referral
matchedDN: uid=server2,ou=People,dc=example,dc=com
ref: ldap://192.168.4.106/ou=People,dc=server2,dc=example,dc=com??sub
The fact that I can't see the objects and that they don't give me access to the other server is driving me nuts. I have nss_ldap and pam_ldap installed as well as the phpldapadmin module. I am running Ubuntu 13.04 on both servers. This is my slapd.conf for my client.
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/share/slapd/etc/openldap/schema/core.schema
include /usr/share/slapd/etc/openldap/schema/cosine.schema
include /usr/share/slapd/etc/openldap/schema/nis.schema
include /usr/share/slapd/etc/openldap/schema/corba.schema
include /usr/share/slapd/etc/openldap/schema/misc.schema
include /usr/share/slapd/etc/openldap/schema/inetorgperson.schema
allow bind_v2
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
referral ldap://server2.example.com:389
pidfile /usr/share/slapd/var/run/slapd.pid
argsfile /usr/share/slapd/var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
moduleload back_bdb.la
# moduleload back_hdb.la
moduleload back_ldap.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
overlay chain
chain-max-depth 1 #allows 1 referral hop
chain-uri "ldap://192.168.4.106"
chain-rebind-as-user yes
chain-idassert-bind bindmethod="simple"
binddn="cn=admin,dc=example,dc=com"
credentials="{SSHA}****"
mode="self"
chain-tls start
chain-idassert-authzFrom "*"
chain-return-error TRUE
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=server2,dc=example,dc=com"
rootdn "cn=admin,dc=server2,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(9) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}*********
defaultaccess none
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
I would be really grateful if someone could point me in the direction of my problem. I'm not sure if this is related but I am unable to view my OpenLDAP server through Apache Directory Studio but I can see it through phpldapadmin.
ldap.conf
host 192.168.4.105
base dc=server2,dc=example,dc=com
uri ldap://192.168.4.105
ldap_version 3
rootbinddn cn=admin,dc=server2,dc=example,dc=com
rootpw {SSHA}blah
scope sub
timelimit 5
bind_timelimit 5
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
pam_password exop
nss_base_passwd ou=People,dc=server2,dc=example,dc=com?sub
nss_base_shadow ou=People,dc=server2,dc=example,dc=com?sub
nss_base_group ou=Group,dc=server2,dc=example,dc=com?sub
nss_base_hosts ou=Hosts,dc=server2,dc=example,dc=com?sub
nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,landscape,libuuid,list,lp,mail,man,messagebus,news,nslcd,openldap,proxy,root,sshd,statd,sync,sys,syslog,uucp,whoopsie,www-data