ldap: Changed default ldap behaviours
Changed URL default to ldaps and port 636. No mode now defaults to ldap. Added miscellaneous documentation for active directory. Incorrect mode now throws an exception. Original commit: elastic/x-pack-elasticsearch@0239380668
This commit is contained in:
parent
490409d7eb
commit
547756f0c8
|
@ -34,6 +34,7 @@ public class ActiveDirectoryConnectionFactory extends AbstractComponent implemen
|
|||
public static final String AD_DOMAIN_NAME_SETTING = "domain_name";
|
||||
public static final String AD_PORT = "default_port";
|
||||
public static final String AD_USER_SEARCH_BASEDN_SETTING = "user_search_dn";
|
||||
static final String MODE_NAME = "active_directory";
|
||||
|
||||
private final ImmutableMap<String, Serializable> sharedLdapEnv;
|
||||
private final String userSearchDN;
|
||||
|
@ -47,8 +48,9 @@ public class ActiveDirectoryConnectionFactory extends AbstractComponent implemen
|
|||
throw new ShieldException("Missing [" + AD_DOMAIN_NAME_SETTING + "] setting for active directory");
|
||||
}
|
||||
userSearchDN = componentSettings.get(AD_USER_SEARCH_BASEDN_SETTING, buildDnFromDomain(domainName));
|
||||
int port = componentSettings.getAsInt(AD_PORT, 389);
|
||||
String[] ldapUrls = componentSettings.getAsArray(URLS_SETTING, new String[] { "ldap://" + domainName + ":" + port });
|
||||
int port = componentSettings.getAsInt(AD_PORT, 636);
|
||||
String protocol = port == 389 ? "ldap://" : "ldaps://";
|
||||
String[] ldapUrls = componentSettings.getAsArray(URLS_SETTING, new String[] { protocol + domainName + ":" + port });
|
||||
|
||||
ImmutableMap.Builder<String, Serializable> builder = ImmutableMap.<String, Serializable>builder()
|
||||
.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory")
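Review bot: The new `String protocol = port == 389 ? "ldap://" : "ldaps://";` infers the URL scheme from the port number, so any plaintext port other than 389 (Active Directory's global-catalog port 3268, for example) is wrapped in `ldaps://` and cannot connect, while a deployment that keeps 389 can never get TLS from this fallback. Since the inferred URL only applies when URLS_SETTING is unset, the rule should at least be stated next to the line: `// Fallback URL only (URLS_SETTING unset): 389 is treated as plain LDAP, any other port as LDAPS; set URLS_SETTING explicitly for other layouts.` With ldaps on 636 now the default, the domain controller's certificate must be trusted via the configured trust store, and this commit appears to remove the test helper that set one up (the ShieldIntegrationTest hunks), so it is worth confirming that the default path is still exercised by an integration test. The constructor continues outside the hunk.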
|
||||
|
|
|
@ -7,6 +7,7 @@ package org.elasticsearch.shield.authc.ldap;
|
|||
|
||||
import org.elasticsearch.common.inject.util.Providers;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.shield.ShieldSettingsException;
|
||||
import org.elasticsearch.shield.authc.Realm;
|
||||
import org.elasticsearch.shield.support.AbstractShieldModule;
|
||||
|
||||
|
@ -16,7 +17,6 @@ import static org.elasticsearch.common.inject.name.Names.named;
|
|||
* Configures Ldap object injections
|
||||
*/
|
||||
public class LdapModule extends AbstractShieldModule.Node {
|
||||
|
||||
private final boolean enabled;
|
||||
|
||||
public LdapModule(Settings settings) {
|
||||
|
@ -34,14 +34,17 @@ public class LdapModule extends AbstractShieldModule.Node {
|
|||
|
||||
bind(Realm.class).annotatedWith(named(LdapRealm.TYPE)).to(LdapRealm.class).asEagerSingleton();
|
||||
bind(LdapGroupToRoleMapper.class).asEagerSingleton();
|
||||
String mode = settings.getComponentSettings(LdapModule.class).get("mode", "ldap");
|
||||
if ("ldap".equals(mode)) {
|
||||
String mode = settings.getComponentSettings(LdapModule.class).get("mode", StandardLdapConnectionFactory.MODE_NAME);
|
||||
if (StandardLdapConnectionFactory.MODE_NAME.equals(mode)) {
|
||||
bind(LdapConnectionFactory.class).to(StandardLdapConnectionFactory.class);
|
||||
} else {
|
||||
} else if (ActiveDirectoryConnectionFactory.MODE_NAME.equals(mode)) {
|
||||
bind(LdapConnectionFactory.class).to(ActiveDirectoryConnectionFactory.class);
|
||||
} else {
|
||||
throw new ShieldSettingsException("LDAP is enabled but mode [" + mode + "] does not match [" +
|
||||
StandardLdapConnectionFactory.MODE_NAME + "] or [" + ActiveDirectoryConnectionFactory.MODE_NAME +"]");
|
||||
}
|
||||
} else {
|
||||
bind(LdapRealm.class).toProvider(Providers.of((LdapRealm) null));
|
||||
bind(LdapRealm.class).toProvider(Providers.<LdapRealm>of(null));
|
||||
}
|
||||
}
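Review bot: The setting key `"mode"` remains a bare literal in the new `get("mode", StandardLdapConnectionFactory.MODE_NAME)` call, and the ShieldSettingsException built below it does not name that key, so an operator reading `mode [x] does not match [...]` is not told which setting to correct. A `static final String MODE_SETTING = "mode";` constant used by both the lookup and the message would tie them together, e.g. `throw new ShieldSettingsException("LDAP is enabled but setting [" + MODE_SETTING + "] has value [" + mode + "]; expected [" + StandardLdapConnectionFactory.MODE_NAME + "] or [" + ActiveDirectoryConnectionFactory.MODE_NAME + "]");`. The comparison is exact and case-sensitive, which is the right fail-closed behaviour for a selector that decides how credentials are checked; a sentence in the class Javadoc saying so would stop users expecting `"LDAP"` or `"Active_Directory"` to be accepted. The enclosing method starts outside the hunk.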
|
||||
|
||||
|
|
|
@ -29,10 +29,10 @@ import java.util.Hashtable;
|
|||
* for each user context would need to be supplied.
|
||||
*/
|
||||
public class StandardLdapConnectionFactory extends AbstractComponent implements LdapConnectionFactory {
|
||||
|
||||
public static final String USER_DN_TEMPLATES_SETTING = "user_dn_templates";
|
||||
public static final String GROUP_SEARCH_SUBTREE_SETTING = "group_search.subtree_search";
|
||||
public static final String GROUP_SEARCH_BASEDN_SETTING = "group_search.group_search_dn";
|
||||
static final String MODE_NAME = "ldap";
|
||||
|
||||
private final ImmutableMap<String, Serializable> sharedLdapEnv;
|
||||
private final String[] userDnTemplates;
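Review bot: The new `static final String MODE_NAME = "ldap";` has no Javadoc although it is now the value the realm's `mode` setting is matched against in LdapModule, and the counterpart constant added to ActiveDirectoryConnectionFactory in this commit is in the same state. A one-line Javadoc above each would make the coupling visible: `/** Value of the LdapModule {@code mode} setting that selects this connection factory. */`. The class body continues outside the hunk.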
|
||||
|
|
|
@ -74,7 +74,6 @@ public abstract class ShieldIntegrationTest extends ElasticsearchIntegrationTest
|
|||
.put("shield.transport.n2n.ip_filter.file", writeFile(folder, "ip_filter.yml", CONFIG_IPFILTER_ALLOW_ALL))
|
||||
.put(getSSLSettingsForStore("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks", "testnode"))
|
||||
.put("shield.audit.enabled", true)
|
||||
.put(getSSLSettingsForLdap("/org/elasticsearch/shield/authc/ldap/ldaptrust.jks", "changeit"))
|
||||
.put("plugins.load_classpath_plugins", false);
|
||||
|
||||
if (OsUtils.MAC) {
|
||||
|
@ -152,22 +151,6 @@ public abstract class ShieldIntegrationTest extends ElasticsearchIntegrationTest
|
|||
return builder.build();
|
||||
}
|
||||
|
||||
protected Settings getSSLSettingsForLdap(String resourcePathToStore, String password) {
|
||||
File store;
|
||||
try {
|
||||
store = new File(getClass().getResource(resourcePathToStore).toURI());
|
||||
assertThat(store.exists(), is(true));
|
||||
} catch (Exception e) {
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
|
||||
ImmutableSettings.Builder builder = settingsBuilder()
|
||||
.put("shield.authc.ldap.truststore_password", password)
|
||||
.put("shield.authc.ldap.truststore", store.getPath());
|
||||
|
||||
return builder.build();
|
||||
}
|
||||
|
||||
protected File newFolder() {
|
||||
try {
|
||||
return tmpFolder.newFolder();
|
||||
|
|