From e5260651560432e5e9d5559db917aa95f25f15f2 Mon Sep 17 00:00:00 2001
From: c-a-m
Date: Wed, 5 Nov 2014 12:48:02 -0700
Subject: [PATCH] ldap: Adds debugging statements and documentation

This adds debugging statements and debugging documentation to help troubleshoot problems with ldap role establishment. This also adds ldap profiles for esvm

Original commit: elastic/x-pack-elasticsearch@a1f1cbd83043bc53d4f0c792a1d0427bf9c2d713
---
 .esvm-shield-config/role_mapping.yml | 3 ++
 .esvmrc_active_dir | 54 +++++++++++++++++++
 .esvmrc_open_ldap | 52 ++++++++++++++++++
 .../ActiveDirectoryConnectionFactory.java | 2 +-
 .../shield/authc/ldap/LdapConnection.java | 8 ++-
 .../authc/ldap/LdapGroupToRoleMapper.java | 1 +
 .../authc/ldap/LdapSslSocketFactory.java | 1 +
 .../support/CachingUsernamePasswordRealm.java | 3 ++
 8 files changed, 122 insertions(+), 2 deletions(-)
 create mode 100644 .esvm-shield-config/role_mapping.yml
 create mode 100644 .esvmrc_active_dir
 create mode 100644 .esvmrc_open_ldap

diff --git a/.esvm-shield-config/role_mapping.yml b/.esvm-shield-config/role_mapping.yml
new file mode 100644
index 00000000000..2dade9023d6
--- /dev/null
+++ b/.esvm-shield-config/role_mapping.yml
@@ -0,0 +1,3 @@
+admin:
+ - "CN=SHIELD,CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com"
+ - "cn=SHIELD,ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com"
diff --git a/.esvmrc_active_dir b/.esvmrc_active_dir
new file mode 100644
index 00000000000..4aadb7f30f4
--- /dev/null
+++ b/.esvmrc_active_dir
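Review bot: The two DNs in this file hand out the `admin` role with nothing saying what they are or why, and YAML allows comments; I would add `# esvm test mapping: members of the SHIELD group in either test directory (AD and OpenLDAP) get the admin role` above `admin:`. The two entries also use different attribute-type casing (`CN=`/`DC=` versus `cn=`/`dc=`); whether the mapper compares DNs case-insensitively is not visible in this diff (the mapper hunk further down works on a `groupLdapName`, which suggests `LdapName` semantics, but that is an inference), so confirm the AD entry matches the DN the server actually returns before relying on it for troubleshooting.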
@@ -0,0 +1,54 @@
+{
+ "defaults": {
+ "plugins": [ "lmenezes/elasticsearch-kopf", { "name": "shield", "path" : "file:./target/releases/elasticsearch-shield-1.0.0-SNAPSHOT.zip" } ],
+ "config" : {
+ "cluster": { "name": "shield" },
+ "indices.store.throttle.max_bytes_per_sec": "100mb",
+ "discovery" : {
+ "type" : "zen",
+ "zen.ping.multicast.enabled": false,
+ "zen.ping.unicast.hosts" : [ "localhost:9300", "localhost:9301" ]
+ },
+ "shield" : {
+ "enabled" : true,
+ "system_key.file": ".esvm-shield-config/system_key",
+ "audit.enabled" : false,
+ "transport.ssl": true,
+ "http.ssl": true,
+ "ssl" : {
+ "keystore" : "src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks",
+ "keystore_password" : "testnode",
+ "truststore" : "src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks",
+ "truststore_password" : "testnode"
+ },
+ "authc": {
+ "esusers.files" : {
+ "users" : ".esvm-shield-config/users",
+ "users_roles" : ".esvm-shield-config/users_roles"
+ },
+ "ldap" : {
+ "mode" : "active_directory",
+ "domain_name" : "ad.test.elasticsearch.com",
+ "url" : "ldaps://ad.test.elasticsearch.com:636",
+ "truststore" : "src/test/resources/org/elasticsearch/shield/authc/ldap/ldaptrust.jks",
+ "truststore_password" : "changeit",
+ "unmapped_groups_as_roles" : "false",
+ "files" : {
+ "role_mapping": ".esvm-shield-config/role_mapping.yml"
+ }
+ }
+ },
+ "authz.store.files.roles" : ".esvm-shield-config/roles.yml"
+ }
+ }
+ },
+ "clusters": {
+ "shield": {
+ "version": "1.4",
+ "nodes": [
+ { "node": { "name": "node01" } },
+ { "node": { "name": "node02" } }
+ ]
+ }
+ }
+}
diff --git a/.esvmrc_open_ldap b/.esvmrc_open_ldap
new file mode 100644
index 00000000000..27908986c2b
--- /dev/null
+++ b/.esvmrc_open_ldap
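Review bot: This profile depends on `.esvm-shield-config/system_key`, `users`, `users_roles` and `roles.yml`, none of which the diffstat creates, and a `system_key` in particular is something that should be generated locally rather than checked in; if these are expected to exist already or be created by hand, a sentence in the commit description or a short README in `.esvm-shield-config/` explaining how to produce them would save the next person a failed start. The profile also sets `"audit.enabled" : false` and embeds the test keystore passwords (`testnode`, `changeit`), which is fine for a throwaway esvm setup but should be labelled dev-only somewhere, because JSON gives no room for a comment in the file itself.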
@@ -0,0 +1,52 @@
+{
+ "defaults": {
+ "plugins": [ "lmenezes/elasticsearch-kopf", { "name": "shield", "path" : "file:./target/releases/elasticsearch-shield-1.0.0-SNAPSHOT.zip" } ],
+ "config" : {
+ "cluster": { "name": "shield" },
+ "indices.store.throttle.max_bytes_per_sec": "100mb",
+ "discovery" : {
+ "type" : "zen",
+ "zen.ping.multicast.enabled": false,
+ "zen.ping.unicast.hosts" : [ "localhost:9300", "localhost:9301" ]
+ },
+ "shield" : {
+ "enabled" : true,
+ "system_key.file": ".esvm-shield-config/system_key",
+ "audit.enabled" : false,
+ "transport.ssl": true,
+ "http.ssl": true,
+ "ssl" : {
+ "keystore" : "src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks",
+ "keystore_password" : "testnode",
+ "truststore" : "src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks",
+ "truststore_password" : "testnode"
+ },
+ "authc": {
+ "ldap" : {
+ "mode" : "ldap",
+ "url" : "ldaps://54.200.235.244:636",
+ "user_dn_templates": ["uid={0},ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com"],
+ "group_search.group_search_dn" : "ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com",
+ "group_search.subtree_search" : false,
+ "truststore" : "src/test/resources/org/elasticsearch/shield/authc/ldap/ldaptrust.jks",
+ "truststore_password" : "changeit",
+ "unmapped_groups_as_roles" : "false",
+ "files" : {
+ "role_mapping": ".esvm-shield-config/role_mapping.yml"
+ }
+ }
+ },
+ "authz.store.files.roles" : ".esvm-shield-config/roles.yml"
+ }
+ }
+ },
+ "clusters": {
+ "shield": {
+ "version": "1.4",
+ "nodes": [
+ { "node": { "name": "node01" } },
+ { "node": { "name": "node02" } }
+ ]
+ }
+ }
+}
diff --git a/src/main/java/org/elasticsearch/shield/authc/ldap/ActiveDirectoryConnectionFactory.java b/src/main/java/org/elasticsearch/shield/authc/ldap/ActiveDirectoryConnectionFactory.java
index 35cbdf2b27b..c2088f6db18 100644
--- a/src/main/java/org/elasticsearch/shield/authc/ldap/ActiveDirectoryConnectionFactory.java
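Review bot: `"url" : "ldaps://54.200.235.244:636"` uses a bare IP literal, so any peer-name check the SSL socket factory performs can only pass if the test certificate carries an IP SAN; whether `LdapSslSocketFactory` verifies the peer name at all is not visible in this diff, so confirm that, and prefer a DNS name as the AD profile does with `ad.test.elasticsearch.com`, which also keeps the profile working when the test instance changes address. Unlike the AD profile, this one configures no `esusers.files` realm, so there is no local account to fall back on when the OpenLDAP host is unreachable; if that is deliberate, a line in the commit description saying so would help.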
+++ b/src/main/java/org/elasticsearch/shield/authc/ldap/ActiveDirectoryConnectionFactory.java
@@ -87,7 +87,7 @@ public class ActiveDirectoryConnectionFactory extends AbstractComponent implemen
 String name = entry.getNameInNamespace();
 if (!results.hasMore()) {
- //searchByAttribute=true, group subtree search=false, groupSubtreeDN=null
+ //isFindGroupsByAttribute=true, group subtree search=false, groupSubtreeDN=null
 return new LdapConnection(ctx, name, true, false, null);
 }
 throw new LdapException("Search for user [" + userName + "] by principle name yielded multiple results");
diff --git a/src/main/java/org/elasticsearch/shield/authc/ldap/LdapConnection.java b/src/main/java/org/elasticsearch/shield/authc/ldap/LdapConnection.java
index 9ea63587d2b..b44121be7ab 100644
--- a/src/main/java/org/elasticsearch/shield/authc/ldap/LdapConnection.java
+++ b/src/main/java/org/elasticsearch/shield/authc/ldap/LdapConnection.java
@@ -5,6 +5,9 @@
 */
 package org.elasticsearch.shield.authc.ldap;
+import org.elasticsearch.common.logging.ESLogger;
+import org.elasticsearch.common.logging.ESLoggerFactory;
+
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
 import javax.naming.directory.*;
@@ -27,6 +30,7 @@ import java.util.Map;
 */
 public class LdapConnection implements Closeable {
+ private static final ESLogger logger = ESLoggerFactory.getLogger(LdapConnection.class.getName());
 private final String bindDn;
 private final DirContext ldapContext;
@@ -63,7 +67,9 @@ public class LdapConnection implements Closeable {
 * @return List of group membership
 */
 public List getGroups(){
- return isFindGroupsByAttribute ? getGroupsFromUserAttrs(bindDn) : getGroupsFromSearch(bindDn);
+ List groups = isFindGroupsByAttribute ? getGroupsFromUserAttrs(bindDn) : getGroupsFromSearch(bindDn);
+ logger.debug("Found these groups [{}] for userDN [{}]", groups, this.bindDn );
+ return groups;
 }
 /**
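Review bot: The exception message three lines below the corrected comment still says `by principle name`; since this is presumably the userPrincipalName lookup, it should read `"] by principal name yielded multiple results"`, and the misspelling is the string people will grep logs for when a user hits it. The enclosing method starts and ends outside the hunk.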
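Review bot: The new `List groups = ...` local in `getGroups()` is a raw type, as is the method's existing `List` return; if `getGroupsFromUserAttrs` and `getGroupsFromSearch` return `List<String>` (not visible here), declaring it `List<String> groups = ...` keeps the raw-type warning from spreading. The debug line logs only the bind DN and the group DNs, which is fine at debug level, but it mixes `this.bindDn` with the unqualified `bindDn` used on the line above and has a stray space before `)`; `logger.debug("Found these groups [{}] for userDN [{}]", groups, bindDn);` keeps the style consistent with the rest of the method.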
diff --git a/src/main/java/org/elasticsearch/shield/authc/ldap/LdapGroupToRoleMapper.java b/src/main/java/org/elasticsearch/shield/authc/ldap/LdapGroupToRoleMapper.java
index e972093eb88..99bbc59a124 100644
--- a/src/main/java/org/elasticsearch/shield/authc/ldap/LdapGroupToRoleMapper.java
+++ b/src/main/java/org/elasticsearch/shield/authc/ldap/LdapGroupToRoleMapper.java
@@ -124,6 +124,7 @@ public class LdapGroupToRoleMapper extends AbstractComponent {
 roles.add(getRelativeName(groupLdapName));
 }
 }
+ logger.debug("The roles [{}], are mapped from these LDAP groups [{}]", roles, groupDns);
 return roles;
 }
diff --git a/src/main/java/org/elasticsearch/shield/authc/ldap/LdapSslSocketFactory.java b/src/main/java/org/elasticsearch/shield/authc/ldap/LdapSslSocketFactory.java
index 123a3dc342a..eda37096e55 100644
--- a/src/main/java/org/elasticsearch/shield/authc/ldap/LdapSslSocketFactory.java
+++ b/src/main/java/org/elasticsearch/shield/authc/ldap/LdapSslSocketFactory.java
@@ -112,6 +112,7 @@ public class LdapSslSocketFactory extends SocketFactory {
 builder.put(JAVA_NAMING_LDAP_FACTORY_SOCKET, LdapSslSocketFactory.class.getName());
 } else {
 logger.warn("LdapSslSocketFactory not used for LDAP connections");
+ logger.debug("LdapSslSocketFactory: secureProtocol = [{}], instance != null [{}]", secureProtocol, instance != null);
 }
 }
 }
diff --git a/src/main/java/org/elasticsearch/shield/authc/support/CachingUsernamePasswordRealm.java b/src/main/java/org/elasticsearch/shield/authc/support/CachingUsernamePasswordRealm.java
index 4318ecbec56..69afd6fda1e 100644
--- a/src/main/java/org/elasticsearch/shield/authc/support/CachingUsernamePasswordRealm.java
+++ b/src/main/java/org/elasticsearch/shield/authc/support/CachingUsernamePasswordRealm.java
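Review bot: The message on the added line has a stray comma, `The roles [{}], are mapped ...`; use `logger.debug("The roles [{}] are mapped from these LDAP groups [{}]", roles, groupDns);`. The enclosing method starts outside the hunk, so I cannot see whether unmapped groups were already folded into `roles` at this point; if they were, the line would be more useful for the troubleshooting this commit targets if it said so, since `unmapped_groups_as_roles` is exactly the setting the new profiles toggle.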
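Review bot: The `else` branch still reports two very different situations with one warning, and only the new debug line tells them apart: a plain `ldap://` URL, where not installing the factory is expected, and an `ldaps://` URL with `instance == null`, where JNDI falls back to its default socket factory and the JVM default truststore, so the `truststore` the new profiles configure is silently ignored and the connection is trusted by the wrong anchors. The debug line prints exactly `secureProtocol` and `instance != null`, so the guard above is presumably `secureProtocol && instance != null`; I would split the branch so the second case is logged at warn with its reason (or rejected outright), and the first at debug rather than warning on every non-TLS URL. The enclosing method starts outside the hunk.
```java
// … unchanged: if (...) { builder.put(JAVA_NAMING_LDAP_FACTORY_SOCKET, ...); } …
} else if (secureProtocol) {
    // ldaps:// requested but the factory was never initialised: JNDI will use its
    // default socket factory and the JVM default truststore, not the configured one
    logger.warn("LdapSslSocketFactory not initialized; ldaps connections will use the default socket factory and truststore");
} else {
    logger.debug("LdapSslSocketFactory not used: LDAP url is not ldaps");
}
```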
@@ -91,6 +91,7 @@ public abstract class CachingUsernamePasswordRealm extends AbstractComponent imp
 Callable callback = new Callable() {
 @Override
 public UserWithHash call() throws Exception {
+ logger.debug("User not found in cache, proceeding with normal authentication");
 User user = doAuthenticate(token);
 if (user == null) {
 throw new AuthenticationException("Could not authenticate [" + token.principal() + "]");
@@ -102,11 +103,13 @@ public abstract class CachingUsernamePasswordRealm extends AbstractComponent imp
 try {
 UserWithHash userWithHash = cache.get(token.principal(), callback);
 if (userWithHash.verify(token.credentials())) {
+ logger.debug("Authenticated user [{}], with roles [{}]", token.principal(), userWithHash.user.roles());
 return userWithHash.user;
 }
 //this handles when a user's password has changed:
 expire(token.principal());
 userWithHash = cache.get(token.principal(), callback);
+ logger.debug("Cached user's password changed. Authenticated user [{}], with roles [{}]", token.principal(), userWithHash.user.roles());
 return userWithHash.user;
 } catch (ExecutionException | UncheckedExecutionException ee) {
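Review bot: The new debug line in `call()` carries no identifier, so when several authentications run concurrently the line cannot be attributed to a request; `token` is in scope (it is used on the very next line), so `logger.debug("User [{}] not found in cache, proceeding with normal authentication", token.principal());` says the same thing but is actionable, and stays consistent with the other new lines in this file that log `token.principal()`. Keep logging the principal only, never `token.credentials()`. The callback continues outside the hunk.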