Add setting for the LDAP user search filter and deprecate user attribute (elastic/x-pack-elasticsearch#1959)

This commit adds a setting to allow changing the user search filter. Previously the filter was a
simple equality filter that mapped a given attribute to the value of the username. The default
behavior remains the same with this change but provides additional flexibility to users to who may
need more advanced LDAP searches. The user attribute setting has been deprecated due to the overlap
with the new filter setting.

relates elastic/x-pack-elasticsearch#1861

Original commit: elastic/x-pack-elasticsearch@e9d797e81c
This commit is contained in:
Jay Modi 2017-07-11 09:27:24 -06:00 committed by GitHub
parent 22b0560ccb
commit 03ed2bbbd0
6 changed files with 183 additions and 73 deletions

View File

@ -288,7 +288,11 @@ failover and load balancing modes of operation.
all objects contained under `base_dn`. `base` specifies
that the `base_dn` is the user object, and that it is the
only user considered. Defaults to `sub_tree`.
| `user_search.attribute` | no | Specifies the attribute to match with the username presented
| `user_search.filter` | no | Specifies the filter used to search the directory in attempt to match
an entry with the username provided by the user. Defaults to `(uid={0})`.
`{0}` is substituted with the username provided when searching.
| `user_search.attribute` | no | This setting is deprecated; use `user_search.filter` instead.
Specifies the attribute to match with the username presented
to. Defaults to `uid`.
| `user_search.pool.enabled` | no | Enables or disables connection pooling for user search. When
disabled a new connection is created for every search. The

View File

@ -187,7 +187,13 @@ The scope of the user search. Valid values are `sub_tree`, `one_level` or
`base` specifies that the `base_dn` is the user object, and that it is
the only user considered. Defaults to `sub_tree`.
`user_search.filter`::
Specifies the filter used to search the directory in attempt to match
an entry with the username provided by the user. Defaults to `(uid={0})`.
`{0}` is substituted with the username provided when searching.
`user_search.attribute`::
This setting is deprecated; use `user_search.filter` instead.
The attribute to match with the username presented to. Defaults to `uid`.
`user_search.pool.enabled`::

View File

@ -5,6 +5,7 @@
*/
package org.elasticsearch.xpack.security.authc.ldap;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.GetEntryLDAPConnectionPoolHealthCheck;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionPool;
@ -39,9 +40,8 @@ import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import static com.unboundid.ldap.sdk.Filter.createEqualityFilter;
import static com.unboundid.ldap.sdk.Filter.encodeValue;
import static org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.attributesToSearchFor;
import static org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.createFilter;
import static org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.searchForEntry;
class LdapUserSearchSessionFactory extends SessionFactory {
@ -52,10 +52,11 @@ class LdapUserSearchSessionFactory extends SessionFactory {
static final TimeValue DEFAULT_HEALTH_CHECK_INTERVAL = TimeValue.timeValueSeconds(60L);
static final String SEARCH_PREFIX = "user_search.";
static final Setting<String> SEARCH_ATTRIBUTE = new Setting<>("user_search.attribute", DEFAULT_USERNAME_ATTRIBUTE,
Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated);
private static final Setting<String> SEARCH_BASE_DN = Setting.simpleString("user_search.base_dn", Setting.Property.NodeScope);
private static final Setting<String> SEARCH_ATTRIBUTE = new Setting<>("user_search.attribute", DEFAULT_USERNAME_ATTRIBUTE,
Function.identity(), Setting.Property.NodeScope);
private static final Setting<String> SEARCH_FILTER = Setting.simpleString("user_search.filter", Setting.Property.NodeScope);
private static final Setting<LdapSearchScope> SEARCH_SCOPE = new Setting<>("user_search.scope", (String) null,
s -> LdapSearchScope.resolve(s, LdapSearchScope.SUB_TREE), Setting.Property.NodeScope);
@ -79,7 +80,7 @@ class LdapUserSearchSessionFactory extends SessionFactory {
private final String userSearchBaseDn;
private final LdapSearchScope scope;
private final String userAttribute;
private final String searchFilter;
private final GroupsResolver groupResolver;
private final boolean useConnectionPool;
@ -95,7 +96,7 @@ class LdapUserSearchSessionFactory extends SessionFactory {
throw new IllegalArgumentException("[" + RealmSettings.getFullSettingKey(config, SEARCH_BASE_DN) + "] must be specified");
}
scope = SEARCH_SCOPE.get(settings);
userAttribute = SEARCH_ATTRIBUTE.get(settings);
searchFilter = getSearchFilter(config);
groupResolver = groupResolver(settings);
metaDataResolver = new LdapMetaDataResolver(config.settings(), ignoreReferralErrors);
useConnectionPool = POOL_ENABLED.get(settings);
@ -104,8 +105,8 @@ class LdapUserSearchSessionFactory extends SessionFactory {
} else {
connectionPool = null;
}
logger.info("Realm [{}] is in user-search mode - base_dn=[{}], attribute=[{}]",
config.name(), userSearchBaseDn, userAttribute);
logger.info("Realm [{}] is in user-search mode - base_dn=[{}], search filter=[{}]",
config.name(), userSearchBaseDn, searchFilter);
}
static LDAPConnectionPool createConnectionPool(RealmConfig config, ServerSet serverSet, TimeValue timeout, Logger logger)
@ -302,8 +303,16 @@ class LdapUserSearchSessionFactory extends SessionFactory {
}
private void findUser(String user, LDAPInterface ldapInterface, ActionListener<SearchResultEntry> listener) {
final Filter filter;
try {
filter = createFilter(searchFilter, user);
} catch (LDAPException e) {
listener.onFailure(e);
return;
}
searchForEntry(ldapInterface, userSearchBaseDn, scope.scope(),
createEqualityFilter(userAttribute, encodeValue(user)), Math.toIntExact(timeout.seconds()), ignoreReferralErrors, listener,
filter, Math.toIntExact(timeout.seconds()), ignoreReferralErrors, listener,
attributesToSearchFor(groupResolver.attributes(), metaDataResolver.attributeNames()));
}
@ -323,6 +332,23 @@ class LdapUserSearchSessionFactory extends SessionFactory {
return new UserAttributeGroupsResolver(settings);
}
static String getSearchFilter(RealmConfig config) {
final Settings settings = config.settings();
final boolean hasAttribute = SEARCH_ATTRIBUTE.exists(settings);
final boolean hasFilter = SEARCH_FILTER.exists(settings);
if (hasAttribute && hasFilter) {
throw new IllegalArgumentException("search attribute setting [" +
RealmSettings.getFullSettingKey(config, SEARCH_ATTRIBUTE) + "] and filter setting [" +
RealmSettings.getFullSettingKey(config, SEARCH_FILTER) + "] cannot be combined!");
} else if (hasFilter) {
return SEARCH_FILTER.get(settings);
} else if (hasAttribute) {
return "(" + SEARCH_ATTRIBUTE.get(settings) + "={0})";
} else {
return "(uid={0})";
}
}
public static Set<Setting<?>> getSettings() {
Set<Setting<?>> settings = new HashSet<>();
settings.addAll(SessionFactory.getSettings());
@ -337,6 +363,7 @@ class LdapUserSearchSessionFactory extends SessionFactory {
settings.add(HEALTH_CHECK_INTERVAL);
settings.add(BIND_DN);
settings.add(BIND_PASSWORD);
settings.add(SEARCH_FILTER);
settings.addAll(SearchGroupsResolver.getSettings());
settings.addAll(UserAttributeGroupsResolver.getSettings());

View File

@ -320,7 +320,7 @@ public final class LdapUtils {
: attributes.toArray(new String[attributes.size()]);
}
static String[] encodeFilterValues(String... arguments) {
private static String[] encodeFilterValues(String... arguments) {
for (int i = 0; i < arguments.length; i++) {
arguments[i] = Filter.encodeValue(arguments[i]);
}

View File

@ -134,7 +134,7 @@ public class RealmSettingsTests extends ESTestCase {
if (userSearch) {
builder.put("user_search.base_dn", "o=people, dc=example, dc=com");
builder.put("user_search.scope", "sub_tree");
builder.put("user_search.attribute", randomAlphaOfLengthBetween(2, 5));
builder.put("user_search.filter", "(" + randomAlphaOfLengthBetween(2, 5) + "={0})");
builder.put("user_search.pool.enabled", randomBoolean());
builder.put("user_search.pool.size", randomIntBetween(10, 100));
builder.put("user_search.pool.initial_size", randomIntBetween(1, 10));

View File

@ -17,6 +17,7 @@ import org.elasticsearch.action.support.PlainActionFuture;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.MockSecureSettings;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.common.util.concurrent.ThreadContext;
@ -43,7 +44,6 @@ import static org.hamcrest.Matchers.hasItem;
import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.isEmptyString;
import static org.hamcrest.Matchers.notNullValue;
import static org.hamcrest.Matchers.nullValue;
public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
@ -75,14 +75,21 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
}
public void testSupportsUnauthenticatedSessions() throws Exception {
RealmConfig config = new RealmConfig("ldap_realm", Settings.builder()
.put(buildLdapSettings(ldapUrls(), Strings.EMPTY_ARRAY, "", LdapSearchScope.SUB_TREE))
.put("user_search.base_dn", "")
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
.put("bind_password", "pass")
.put("user_search.attribute", "cn")
.put("user_search.pool.enabled", randomBoolean())
.build(), globalSettings, new Environment(globalSettings), new ThreadContext(globalSettings));
final boolean useAttribute = randomBoolean();
Settings.Builder builder = Settings.builder()
.put(buildLdapSettings(ldapUrls(), Strings.EMPTY_ARRAY, "", LdapSearchScope.SUB_TREE))
.put("user_search.base_dn", "")
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
.put("bind_password", "pass")
.put("user_search.pool.enabled", randomBoolean());
if (useAttribute) {
builder.put("user_search.attribute", "cn");
} else {
builder.put("user_search.filter", "(cn={0})");
}
RealmConfig config = new RealmConfig("ldap_realm", builder.build(), globalSettings, new Environment(globalSettings),
new ThreadContext(globalSettings));
LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, sslService);
try {
@ -90,20 +97,30 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
} finally {
sessionFactory.shutdown();
}
if (useAttribute) {
assertSettingDeprecationsAndWarnings(new Setting[] { LdapUserSearchSessionFactory.SEARCH_ATTRIBUTE });
}
}
public void testUserSearchSubTree() throws Exception {
String groupSearchBase = "o=sevenSeas";
String userSearchBase = "o=sevenSeas";
RealmConfig config = new RealmConfig("ldap_realm", Settings.builder()
.put(buildLdapSettings(ldapUrls(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
.put("user_search.base_dn", userSearchBase)
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
.put("bind_password", "pass")
.put("user_search.attribute", "cn")
.put("user_search.pool.enabled", randomBoolean())
.build(), globalSettings, new Environment(globalSettings), new ThreadContext(globalSettings));
final boolean useAttribute = randomBoolean();
Settings.Builder builder = Settings.builder()
.put(buildLdapSettings(ldapUrls(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
.put("user_search.base_dn", userSearchBase)
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
.put("bind_password", "pass")
.put("user_search.pool.enabled", randomBoolean());
if (useAttribute) {
builder.put("user_search.attribute", "cn");
} else {
builder.put("user_search.filter", "(cn={0})");
}
RealmConfig config = new RealmConfig("ldap_realm", builder.build(), globalSettings, new Environment(globalSettings),
new ThreadContext(globalSettings));
LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, sslService);
@ -125,21 +142,31 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
} finally {
sessionFactory.shutdown();
}
if (useAttribute) {
assertSettingDeprecationsAndWarnings(new Setting[] { LdapUserSearchSessionFactory.SEARCH_ATTRIBUTE });
}
}
public void testUserSearchBaseScopeFailsWithWrongBaseDN() throws Exception {
String groupSearchBase = "o=sevenSeas";
String userSearchBase = "o=sevenSeas";
RealmConfig config = new RealmConfig("ldap_realm", Settings.builder()
.put(buildLdapSettings(ldapUrls(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
.put("user_search.base_dn", userSearchBase)
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
.put("bind_password", "pass")
.put("user_search.scope", LdapSearchScope.BASE)
.put("user_search.attribute", "cn")
.put("user_search.pool.enabled", randomBoolean())
.build(), globalSettings, new Environment(globalSettings), new ThreadContext(globalSettings));
final boolean useAttribute = randomBoolean();
Settings.Builder builder = Settings.builder()
.put(buildLdapSettings(ldapUrls(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
.put("user_search.base_dn", userSearchBase)
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
.put("bind_password", "pass")
.put("user_search.scope", LdapSearchScope.BASE)
.put("user_search.pool.enabled", randomBoolean());
if (useAttribute) {
builder.put("user_search.attribute", "cn");
} else {
builder.put("user_search.filter", "(cn={0})");
}
RealmConfig config = new RealmConfig("ldap_realm", builder.build(), globalSettings, new Environment(globalSettings),
new ThreadContext(globalSettings));
LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, sslService);
@ -152,21 +179,31 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
} finally {
sessionFactory.shutdown();
}
if (useAttribute) {
assertSettingDeprecationsAndWarnings(new Setting[] { LdapUserSearchSessionFactory.SEARCH_ATTRIBUTE });
}
}
public void testUserSearchBaseScopePassesWithCorrectBaseDN() throws Exception {
String groupSearchBase = "o=sevenSeas";
String userSearchBase = "cn=William Bush,ou=people,o=sevenSeas";
RealmConfig config = new RealmConfig("ldap_realm", Settings.builder()
.put(buildLdapSettings(ldapUrls(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
.put("user_search.base_dn", userSearchBase)
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
.put("bind_password", "pass")
.put("user_search.scope", LdapSearchScope.BASE)
.put("user_search.attribute", "cn")
.put("user_search.pool.enabled", randomBoolean())
.build(), globalSettings, new Environment(globalSettings), new ThreadContext(globalSettings));
Settings.Builder builder = Settings.builder()
.put(buildLdapSettings(ldapUrls(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
.put("user_search.base_dn", userSearchBase)
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
.put("bind_password", "pass")
.put("user_search.scope", LdapSearchScope.BASE)
.put("user_search.pool.enabled", randomBoolean());
final boolean useAttribute = randomBoolean();
if (useAttribute) {
builder.put("user_search.attribute", "cn");
} else {
builder.put("user_search.filter", "(cn={0})");
}
RealmConfig config = new RealmConfig("ldap_realm", builder.build(), globalSettings, new Environment(globalSettings),
new ThreadContext(globalSettings));
LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, sslService);
@ -188,21 +225,31 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
} finally {
sessionFactory.shutdown();
}
if (useAttribute) {
assertSettingDeprecationsAndWarnings(new Setting[] { LdapUserSearchSessionFactory.SEARCH_ATTRIBUTE });
}
}
public void testUserSearchOneLevelScopeFailsWithWrongBaseDN() throws Exception {
String groupSearchBase = "o=sevenSeas";
String userSearchBase = "o=sevenSeas";
RealmConfig config = new RealmConfig("ldap_realm", Settings.builder()
.put(buildLdapSettings(ldapUrls(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
.put("user_search.base_dn", userSearchBase)
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
.put("bind_password", "pass")
.put("user_search.scope", LdapSearchScope.ONE_LEVEL)
.put("user_search.attribute", "cn")
.put("user_search.pool.enabled", randomBoolean())
.build(), globalSettings, new Environment(globalSettings), new ThreadContext(globalSettings));
Settings.Builder builder = Settings.builder()
.put(buildLdapSettings(ldapUrls(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
.put("user_search.base_dn", userSearchBase)
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
.put("bind_password", "pass")
.put("user_search.scope", LdapSearchScope.ONE_LEVEL)
.put("user_search.pool.enabled", randomBoolean());
final boolean useAttribute = randomBoolean();
if (useAttribute) {
builder.put("user_search.attribute", "cn");
} else {
builder.put("user_search.filter", "(cn={0})");
}
RealmConfig config = new RealmConfig("ldap_realm", builder.build(), globalSettings, new Environment(globalSettings),
new ThreadContext(globalSettings));
LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, sslService);
@ -215,21 +262,31 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
} finally {
sessionFactory.shutdown();
}
if (useAttribute) {
assertSettingDeprecationsAndWarnings(new Setting[] { LdapUserSearchSessionFactory.SEARCH_ATTRIBUTE });
}
}
public void testUserSearchOneLevelScopePassesWithCorrectBaseDN() throws Exception {
String groupSearchBase = "o=sevenSeas";
String userSearchBase = "ou=people,o=sevenSeas";
RealmConfig config = new RealmConfig("ldap_realm", Settings.builder()
.put(buildLdapSettings(ldapUrls(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
.put("user_search.base_dn", userSearchBase)
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
.put("bind_password", "pass")
.put("user_search.scope", LdapSearchScope.ONE_LEVEL)
.put("user_search.attribute", "cn")
.put("user_search.pool.enabled", randomBoolean())
.build(), globalSettings, new Environment(globalSettings), new ThreadContext(globalSettings));
Settings.Builder builder = Settings.builder()
.put(buildLdapSettings(ldapUrls(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
.put("user_search.base_dn", userSearchBase)
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
.put("bind_password", "pass")
.put("user_search.scope", LdapSearchScope.ONE_LEVEL)
.put("user_search.pool.enabled", randomBoolean());
final boolean useAttribute = randomBoolean();
if (useAttribute) {
builder.put("user_search.attribute", "cn");
} else {
builder.put("user_search.filter", "(cn={0})");
}
RealmConfig config = new RealmConfig("ldap_realm", builder.build(), globalSettings, new Environment(globalSettings),
new ThreadContext(globalSettings));
LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, sslService);
@ -251,20 +308,30 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
} finally {
sessionFactory.shutdown();
}
if (useAttribute) {
assertSettingDeprecationsAndWarnings(new Setting[] { LdapUserSearchSessionFactory.SEARCH_ATTRIBUTE });
}
}
public void testUserSearchWithBadAttributeFails() throws Exception {
String groupSearchBase = "o=sevenSeas";
String userSearchBase = "o=sevenSeas";
RealmConfig config = new RealmConfig("ldap_realm", Settings.builder()
.put(buildLdapSettings(ldapUrls(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
.put("user_search.base_dn", userSearchBase)
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
.put("bind_password", "pass")
.put("user_search.attribute", "uid1")
.put("user_search.pool.enabled", randomBoolean())
.build(), globalSettings, new Environment(globalSettings), new ThreadContext(globalSettings));
Settings.Builder builder = Settings.builder()
.put(buildLdapSettings(ldapUrls(), Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE))
.put("user_search.base_dn", userSearchBase)
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
.put("bind_password", "pass")
.put("user_search.pool.enabled", randomBoolean());
final boolean useAttribute = randomBoolean();
if (useAttribute) {
builder.put("user_search.attribute", "uid1");
} else {
builder.put("user_search.filter", "(uid1={0})");
}
RealmConfig config = new RealmConfig("ldap_realm", builder.build(), globalSettings, new Environment(globalSettings),
new ThreadContext(globalSettings));
LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, sslService);
@ -277,6 +344,10 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
} finally {
sessionFactory.shutdown();
}
if (useAttribute) {
assertSettingDeprecationsAndWarnings(new Setting[] { LdapUserSearchSessionFactory.SEARCH_ATTRIBUTE });
}
}
public void testUserSearchWithoutAttributePasses() throws Exception {
@ -551,5 +622,7 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
searchSessionFactory.shutdown();
}
}
assertSettingDeprecationsAndWarnings(new Setting[] { LdapUserSearchSessionFactory.SEARCH_ATTRIBUTE });
}
}