[ldap] move bind user settings out of the user_search settings
The bind user can be used for other operations in the future, so it is being moved out of the user_search settings into the top level ldap realm settings. Closes elastic/elasticsearch#729 Original commit: elastic/x-pack-elasticsearch@babc5ece0b
This commit is contained in:
jaymode
parent
7336509acc
commit
021000e4d8
|
|
@ -67,7 +67,7 @@ public class LdapUserSearchSessionFactory extends SessionFactory {
|
||||||
String entryDn = settings.get("user_search.pool.health_check.dn", (bindRequest == null) ? null : bindRequest.getBindDN());
|
String entryDn = settings.get("user_search.pool.health_check.dn", (bindRequest == null) ? null : bindRequest.getBindDN());
|
||||||
if (entryDn == null) {
|
if (entryDn == null) {
|
||||||
pool.close();
|
pool.close();
|
||||||
throw new ShieldSettingsException("[user_search.bind_dn] has not been specified so a value must be specified for [user_search.pool.health_check.dn] or [user_search.pool.health_check.enabled] must be set to false");
|
throw new ShieldSettingsException("[bind_dn] has not been specified so a value must be specified for [user_search.pool.health_check.dn] or [user_search.pool.health_check.enabled] must be set to false");
|
||||||
}
|
}
|
||||||
long healthCheckInterval = settings.getAsTime("user_search.pool.health_check.interval", DEFAULT_HEALTH_CHECK_INTERVAL).millis();
|
long healthCheckInterval = settings.getAsTime("user_search.pool.health_check.interval", DEFAULT_HEALTH_CHECK_INTERVAL).millis();
|
||||||
// Checks the status of the LDAP connection at a specified interval in the background. We do not check on
|
// Checks the status of the LDAP connection at a specified interval in the background. We do not check on
|
||||||
|
|
@ -85,9 +85,9 @@ public class LdapUserSearchSessionFactory extends SessionFactory {
|
||||||
|
|
||||||
static SimpleBindRequest bindRequest(Settings settings) {
|
static SimpleBindRequest bindRequest(Settings settings) {
|
||||||
SimpleBindRequest request = null;
|
SimpleBindRequest request = null;
|
||||||
String bindDn = settings.get("user_search.bind_dn");
|
String bindDn = settings.get("bind_dn");
|
||||||
if (bindDn != null) {
|
if (bindDn != null) {
|
||||||
request = new SimpleBindRequest(bindDn, settings.get("user_search.bind_password"));
|
request = new SimpleBindRequest(bindDn, settings.get("bind_password"));
|
||||||
}
|
}
|
||||||
return request;
|
return request;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -180,8 +180,8 @@ public class LdapRealmTest extends LdapTest {
|
||||||
Settings settings = ImmutableSettings.builder()
|
Settings settings = ImmutableSettings.builder()
|
||||||
.putArray(URLS_SETTING, ldapUrl())
|
.putArray(URLS_SETTING, ldapUrl())
|
||||||
.put("user_search.base_dn", "")
|
.put("user_search.base_dn", "")
|
||||||
.put("user_search.bind_dn", "cn=Thomas Masterman Hardy,ou=people,o=sevenSeas")
|
.put("bind_dn", "cn=Thomas Masterman Hardy,ou=people,o=sevenSeas")
|
||||||
.put("user_search.bind_password", PASSWORD)
|
.put("bind_password", PASSWORD)
|
||||||
.put("group_search.base_dn", groupSearchBase)
|
.put("group_search.base_dn", groupSearchBase)
|
||||||
.put("group_search.scope", LdapSearchScope.SUB_TREE)
|
.put("group_search.scope", LdapSearchScope.SUB_TREE)
|
||||||
.put(HOSTNAME_VERIFICATION_SETTING, false)
|
.put(HOSTNAME_VERIFICATION_SETTING, false)
|
||||||
|
|
|
||||||
|
|
@ -57,8 +57,8 @@ public class LdapUserSearchSessionFactoryTests extends LdapTest {
|
||||||
RealmConfig config = new RealmConfig("ldap_realm", settingsBuilder()
|
RealmConfig config = new RealmConfig("ldap_realm", settingsBuilder()
|
||||||
.put(buildLdapSettings(ldapUrl(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
.put(buildLdapSettings(ldapUrl(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
||||||
.put("user_search.base_dn", userSearchBase)
|
.put("user_search.base_dn", userSearchBase)
|
||||||
.put("user_search.bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
|
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
|
||||||
.put("user_search.bind_password", "pass")
|
.put("bind_password", "pass")
|
||||||
.put("user_search.attribute", "cn")
|
.put("user_search.attribute", "cn")
|
||||||
.build());
|
.build());
|
||||||
|
|
||||||
|
|
@ -83,8 +83,8 @@ public class LdapUserSearchSessionFactoryTests extends LdapTest {
|
||||||
RealmConfig config = new RealmConfig("ldap_realm", settingsBuilder()
|
RealmConfig config = new RealmConfig("ldap_realm", settingsBuilder()
|
||||||
.put(buildLdapSettings(ldapUrl(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
.put(buildLdapSettings(ldapUrl(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
||||||
.put("user_search.base_dn", userSearchBase)
|
.put("user_search.base_dn", userSearchBase)
|
||||||
.put("user_search.bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
|
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
|
||||||
.put("user_search.bind_password", "pass")
|
.put("bind_password", "pass")
|
||||||
.put("user_search.scope", LdapSearchScope.BASE)
|
.put("user_search.scope", LdapSearchScope.BASE)
|
||||||
.put("user_search.attribute", "cn")
|
.put("user_search.attribute", "cn")
|
||||||
.build());
|
.build());
|
||||||
|
|
@ -111,8 +111,8 @@ public class LdapUserSearchSessionFactoryTests extends LdapTest {
|
||||||
RealmConfig config = new RealmConfig("ldap_realm", settingsBuilder()
|
RealmConfig config = new RealmConfig("ldap_realm", settingsBuilder()
|
||||||
.put(buildLdapSettings(ldapUrl(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
.put(buildLdapSettings(ldapUrl(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
||||||
.put("user_search.base_dn", userSearchBase)
|
.put("user_search.base_dn", userSearchBase)
|
||||||
.put("user_search.bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
|
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
|
||||||
.put("user_search.bind_password", "pass")
|
.put("bind_password", "pass")
|
||||||
.put("user_search.scope", LdapSearchScope.BASE)
|
.put("user_search.scope", LdapSearchScope.BASE)
|
||||||
.put("user_search.attribute", "cn")
|
.put("user_search.attribute", "cn")
|
||||||
.build());
|
.build());
|
||||||
|
|
@ -138,8 +138,8 @@ public class LdapUserSearchSessionFactoryTests extends LdapTest {
|
||||||
RealmConfig config = new RealmConfig("ldap_realm", settingsBuilder()
|
RealmConfig config = new RealmConfig("ldap_realm", settingsBuilder()
|
||||||
.put(buildLdapSettings(ldapUrl(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
.put(buildLdapSettings(ldapUrl(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
||||||
.put("user_search.base_dn", userSearchBase)
|
.put("user_search.base_dn", userSearchBase)
|
||||||
.put("user_search.bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
|
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
|
||||||
.put("user_search.bind_password", "pass")
|
.put("bind_password", "pass")
|
||||||
.put("user_search.scope", LdapSearchScope.ONE_LEVEL)
|
.put("user_search.scope", LdapSearchScope.ONE_LEVEL)
|
||||||
.put("user_search.attribute", "cn")
|
.put("user_search.attribute", "cn")
|
||||||
.build());
|
.build());
|
||||||
|
|
@ -166,8 +166,8 @@ public class LdapUserSearchSessionFactoryTests extends LdapTest {
|
||||||
RealmConfig config = new RealmConfig("ldap_realm", settingsBuilder()
|
RealmConfig config = new RealmConfig("ldap_realm", settingsBuilder()
|
||||||
.put(buildLdapSettings(ldapUrl(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
.put(buildLdapSettings(ldapUrl(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
||||||
.put("user_search.base_dn", userSearchBase)
|
.put("user_search.base_dn", userSearchBase)
|
||||||
.put("user_search.bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
|
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
|
||||||
.put("user_search.bind_password", "pass")
|
.put("bind_password", "pass")
|
||||||
.put("user_search.scope", LdapSearchScope.ONE_LEVEL)
|
.put("user_search.scope", LdapSearchScope.ONE_LEVEL)
|
||||||
.put("user_search.attribute", "cn")
|
.put("user_search.attribute", "cn")
|
||||||
.build());
|
.build());
|
||||||
|
|
@ -193,8 +193,8 @@ public class LdapUserSearchSessionFactoryTests extends LdapTest {
|
||||||
RealmConfig config = new RealmConfig("ldap_realm", settingsBuilder()
|
RealmConfig config = new RealmConfig("ldap_realm", settingsBuilder()
|
||||||
.put(buildLdapSettings(ldapUrl(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
.put(buildLdapSettings(ldapUrl(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
||||||
.put("user_search.base_dn", userSearchBase)
|
.put("user_search.base_dn", userSearchBase)
|
||||||
.put("user_search.bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
|
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
|
||||||
.put("user_search.bind_password", "pass")
|
.put("bind_password", "pass")
|
||||||
.put("user_search.attribute", "uid1")
|
.put("user_search.attribute", "uid1")
|
||||||
.build());
|
.build());
|
||||||
|
|
||||||
|
|
@ -220,8 +220,8 @@ public class LdapUserSearchSessionFactoryTests extends LdapTest {
|
||||||
RealmConfig config = new RealmConfig("ldap_realm", settingsBuilder()
|
RealmConfig config = new RealmConfig("ldap_realm", settingsBuilder()
|
||||||
.put(buildLdapSettings(ldapUrl(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
.put(buildLdapSettings(ldapUrl(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
||||||
.put("user_search.base_dn", userSearchBase)
|
.put("user_search.base_dn", userSearchBase)
|
||||||
.put("user_search.bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
|
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
|
||||||
.put("user_search.bind_password", "pass")
|
.put("bind_password", "pass")
|
||||||
.build());
|
.build());
|
||||||
|
|
||||||
LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, null);
|
LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, null);
|
||||||
|
|
@ -244,8 +244,8 @@ public class LdapUserSearchSessionFactoryTests extends LdapTest {
|
||||||
Settings settings = settingsBuilder()
|
Settings settings = settingsBuilder()
|
||||||
.put(LdapTest.buildLdapSettings(ActiveDirectorySessionFactoryTests.AD_LDAP_URL, Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
.put(LdapTest.buildLdapSettings(ActiveDirectorySessionFactoryTests.AD_LDAP_URL, Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
||||||
.put("user_search.base_dn", userSearchBase)
|
.put("user_search.base_dn", userSearchBase)
|
||||||
.put("user_search.bind_dn", "ironman@ad.test.elasticsearch.com")
|
.put("bind_dn", "ironman@ad.test.elasticsearch.com")
|
||||||
.put("user_search.bind_password", ActiveDirectorySessionFactoryTests.PASSWORD)
|
.put("bind_password", ActiveDirectorySessionFactoryTests.PASSWORD)
|
||||||
.put("user_search.attribute", "cn")
|
.put("user_search.attribute", "cn")
|
||||||
.build();
|
.build();
|
||||||
RealmConfig config = new RealmConfig("ad-as-ldap-test", settings);
|
RealmConfig config = new RealmConfig("ad-as-ldap-test", settings);
|
||||||
|
|
@ -272,8 +272,8 @@ public class LdapUserSearchSessionFactoryTests extends LdapTest {
|
||||||
RealmConfig config = new RealmConfig("oldap-test", settingsBuilder()
|
RealmConfig config = new RealmConfig("oldap-test", settingsBuilder()
|
||||||
.put(LdapTest.buildLdapSettings(OpenLdapTests.OPEN_LDAP_URL, Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.ONE_LEVEL))
|
.put(LdapTest.buildLdapSettings(OpenLdapTests.OPEN_LDAP_URL, Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.ONE_LEVEL))
|
||||||
.put("user_search.base_dn", userSearchBase)
|
.put("user_search.base_dn", userSearchBase)
|
||||||
.put("user_search.bind_dn", "uid=blackwidow,ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com")
|
.put("bind_dn", "uid=blackwidow,ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com")
|
||||||
.put("user_search.bind_password", OpenLdapTests.PASSWORD)
|
.put("bind_password", OpenLdapTests.PASSWORD)
|
||||||
.build());
|
.build());
|
||||||
LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, clientSSLService);
|
LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, clientSSLService);
|
||||||
|
|
||||||
|
|
@ -297,8 +297,8 @@ public class LdapUserSearchSessionFactoryTests extends LdapTest {
|
||||||
RealmConfig config = new RealmConfig("ldap_realm", settingsBuilder()
|
RealmConfig config = new RealmConfig("ldap_realm", settingsBuilder()
|
||||||
.put(buildLdapSettings(ldapUrl(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
.put(buildLdapSettings(ldapUrl(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
||||||
.put("user_search.base_dn", userSearchBase)
|
.put("user_search.base_dn", userSearchBase)
|
||||||
.put("user_search.bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
|
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
|
||||||
.put("user_search.bind_password", "pass")
|
.put("bind_password", "pass")
|
||||||
.build());
|
.build());
|
||||||
|
|
||||||
LDAPConnectionPool connectionPool = LdapUserSearchSessionFactory.connectionPool(config.settings(), new SingleServerSet("localhost", ldapServer.getListenPort()), TimeValue.timeValueSeconds(5));
|
LDAPConnectionPool connectionPool = LdapUserSearchSessionFactory.connectionPool(config.settings(), new SingleServerSet("localhost", ldapServer.getListenPort()), TimeValue.timeValueSeconds(5));
|
||||||
|
|
@ -321,8 +321,8 @@ public class LdapUserSearchSessionFactoryTests extends LdapTest {
|
||||||
RealmConfig config = new RealmConfig("ldap_realm", settingsBuilder()
|
RealmConfig config = new RealmConfig("ldap_realm", settingsBuilder()
|
||||||
.put(buildLdapSettings(ldapUrl(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
.put(buildLdapSettings(ldapUrl(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
||||||
.put("user_search.base_dn", userSearchBase)
|
.put("user_search.base_dn", userSearchBase)
|
||||||
.put("user_search.bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
|
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
|
||||||
.put("user_search.bind_password", "pass")
|
.put("bind_password", "pass")
|
||||||
.put("user_search.pool.initial_size", 10)
|
.put("user_search.pool.initial_size", 10)
|
||||||
.put("user_search.pool.size", 12)
|
.put("user_search.pool.size", 12)
|
||||||
.put("user_search.pool.health_check.enabled", false)
|
.put("user_search.pool.health_check.enabled", false)
|
||||||
|
|
@ -346,27 +346,27 @@ public class LdapUserSearchSessionFactoryTests extends LdapTest {
|
||||||
RealmConfig config = new RealmConfig("ldap_realm", settingsBuilder()
|
RealmConfig config = new RealmConfig("ldap_realm", settingsBuilder()
|
||||||
.put(buildLdapSettings(ldapUrl(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
.put(buildLdapSettings(ldapUrl(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
|
||||||
.put("user_search.base_dn", userSearchBase)
|
.put("user_search.base_dn", userSearchBase)
|
||||||
.put("user_search.bind_password", "pass")
|
.put("bind_password", "pass")
|
||||||
.build());
|
.build());
|
||||||
|
|
||||||
try {
|
try {
|
||||||
new LdapUserSearchSessionFactory(config, null);
|
new LdapUserSearchSessionFactory(config, null);
|
||||||
} catch (ShieldSettingsException e) {
|
} catch (ShieldSettingsException e) {
|
||||||
assertThat(e.getMessage(), containsString("[user_search.bind_dn] has not been specified so a value must be specified for [user_search.pool.health_check.dn] or [user_search.pool.health_check.enabled] must be set to false"));
|
assertThat(e.getMessage(), containsString("[bind_dn] has not been specified so a value must be specified for [user_search.pool.health_check.dn] or [user_search.pool.health_check.enabled] must be set to false"));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testEmptyBindDNReturnsNullBindRequest() {
|
public void testEmptyBindDNReturnsNullBindRequest() {
|
||||||
BindRequest request = LdapUserSearchSessionFactory.bindRequest(settingsBuilder().put("user_search.bind_password", "password").build());
|
BindRequest request = LdapUserSearchSessionFactory.bindRequest(settingsBuilder().put("bind_password", "password").build());
|
||||||
assertThat(request, is(nullValue()));
|
assertThat(request, is(nullValue()));
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testThatBindRequestReturnsSimpleBindRequest() {
|
public void testThatBindRequestReturnsSimpleBindRequest() {
|
||||||
BindRequest request = LdapUserSearchSessionFactory.bindRequest(settingsBuilder()
|
BindRequest request = LdapUserSearchSessionFactory.bindRequest(settingsBuilder()
|
||||||
.put("user_search.bind_password", "password")
|
.put("bind_password", "password")
|
||||||
.put("user_search.bind_dn", "cn=ironman")
|
.put("bind_dn", "cn=ironman")
|
||||||
.build());
|
.build());
|
||||||
assertEquals(request.getClass(), SimpleBindRequest.class);
|
assertEquals(request.getClass(), SimpleBindRequest.class);
|
||||||
SimpleBindRequest simpleBindRequest = (SimpleBindRequest) request;
|
SimpleBindRequest simpleBindRequest = (SimpleBindRequest) request;
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue