ldap: Adds debugging statements and documentation

This adds debugging statements and debugging documentation to help troubleshoot problems with ldap role establishment. This also adds ldap profiles for esvm.

Original commit: elastic/x-pack-elasticsearch@a1f1cbd830
c-a-m 2014-11-05 12:48:02 -07:00
parent eaf6636c07
commit e526065156
8 changed files with 122 additions and 2 deletions


@ -0,0 +1,3 @@
admin:
- "CN=SHIELD,CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com"
- "cn=SHIELD,ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com"

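--- a/.esvmrc_active_dir
+++ b/.esvmrc_active_dir
@@ -0,0 +1,54 @@
+{
+"defaults": {
+"plugins": [ "lmenezes/elasticsearch-kopf", { "name": "shield", "path" : "file:./target/releases/elasticsearch-shield-1.0.0-SNAPSHOT.zip" } ],
+"config" : {
+"cluster": { "name": "shield" },
+"indices.store.throttle.max_bytes_per_sec": "100mb",
+"discovery" : {
+"type" : "zen",
+"zen.ping.multicast.enabled": false,
+"zen.ping.unicast.hosts" : [ "localhost:9300", "localhost:9301" ]
+},
+"shield" : {
+"enabled" : true,
+"system_key.file": ".esvm-shield-config/system_key",
+"audit.enabled" : false,
+"transport.ssl": true,
+"http.ssl": true,
+"ssl" : {
+"keystore" : "src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks",
+"keystore_password" : "testnode",
+"truststore" : "src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks",
+"truststore_password" : "testnode"
+},
+"authc": {
+"esusers.files" : {
+"users" : ".esvm-shield-config/users",
+"users_roles" : ".esvm-shield-config/users_roles"
+},
+"ldap" : {
+"mode" : "active_directory",
+"domain_name" : "ad.test.elasticsearch.com",
+"url" : "ldaps://ad.test.elasticsearch.com:636",
+"truststore" : "src/test/resources/org/elasticsearch/shield/authc/ldap/ldaptrust.jks",
+"truststore_password" : "changeit",
+"unmapped_groups_as_roles" : "false",
+"files" : {
+"role_mapping": ".esvm-shield-config/role_mapping.yml"
+}
+}
+},
+"authz.store.files.roles" : ".esvm-shield-config/roles.yml"
+}
+}
+},
+"clusters": {
+"shield": {
+"version": "1.4",
+"nodes": [
+{ "node": { "name": "node01" } },
+{ "node": { "name": "node02" } }
+]
+}
+}
+}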
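Review bot: `"unmapped_groups_as_roles" : "false"` is the only boolean-valued setting in this profile written as a quoted string; `audit.enabled`, `transport.ssl` and `http.ssl` a few lines above are bare JSON booleans. Whether the settings loader coerces the string form is not visible here, so either write it as `"unmapped_groups_as_roles" : false` for consistency or confirm that the string is what the LDAP realm actually reads, since a setting that silently parses as "not false" would defeat the intent of the profile. The same line appears in the .esvmrc_open_ldap profile added by this commit.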

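--- a/.esvmrc_open_ldap
+++ b/.esvmrc_open_ldap
@@ -0,0 +1,52 @@
+{
+"defaults": {
+"plugins": [ "lmenezes/elasticsearch-kopf", { "name": "shield", "path" : "file:./target/releases/elasticsearch-shield-1.0.0-SNAPSHOT.zip" } ],
+"config" : {
+"cluster": { "name": "shield" },
+"indices.store.throttle.max_bytes_per_sec": "100mb",
+"discovery" : {
+"type" : "zen",
+"zen.ping.multicast.enabled": false,
+"zen.ping.unicast.hosts" : [ "localhost:9300", "localhost:9301" ]
+},
+"shield" : {
+"enabled" : true,
+"system_key.file": ".esvm-shield-config/system_key",
+"audit.enabled" : false,
+"transport.ssl": true,
+"http.ssl": true,
+"ssl" : {
+"keystore" : "src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks",
+"keystore_password" : "testnode",
+"truststore" : "src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks",
+"truststore_password" : "testnode"
+},
+"authc": {
+"ldap" : {
+"mode" : "ldap",
+"url" : "ldaps://54.200.235.244:636",
+"user_dn_templates": ["uid={0},ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com"],
+"group_search.group_search_dn" : "ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com",
+"group_search.subtree_search" : false,
+"truststore" : "src/test/resources/org/elasticsearch/shield/authc/ldap/ldaptrust.jks",
+"truststore_password" : "changeit",
+"unmapped_groups_as_roles" : "false",
+"files" : {
+"role_mapping": ".esvm-shield-config/role_mapping.yml"
+}
+}
+},
+"authz.store.files.roles" : ".esvm-shield-config/roles.yml"
+}
+}
+},
+"clusters": {
+"shield": {
+"version": "1.4",
+"nodes": [
+{ "node": { "name": "node01" } },
+{ "node": { "name": "node02" } }
+]
+}
+}
+}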
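Review bot: `"url" : "ldaps://54.200.235.244:636"` addresses the OpenLDAP test directory by bare IP while the Active Directory profile in this same commit uses a DNS name (`ad.test.elasticsearch.com`). Beyond breaking silently when the test host is re-addressed, the server certificate trusted via ldaptrust.jks is presumably issued for a hostname, so any hostname check the LDAPS connection performs cannot match a numeric address; a DNS name for the OpenLDAP host would keep the two profiles consistent and make the trust path verifiable. If the host genuinely has no name, a comment-equivalent in the accompanying debugging documentation should say so.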


@ -87,7 +87,7 @@ public class ActiveDirectoryConnectionFactory extends AbstractComponent implemen
String name = entry.getNameInNamespace();
if (!results.hasMore()) {
//searchByAttribute=true, group subtree search=false, groupSubtreeDN=null
//isFindGroupsByAttribute=true, group subtree search=false, groupSubtreeDN=null
return new LdapConnection(ctx, name, true, false, null);
}
throw new LdapException("Search for user [" + userName + "] by principle name yielded multiple results");


@ -5,6 +5,9 @@
*/
package org.elasticsearch.shield.authc.ldap;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.logging.ESLoggerFactory;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;
@ -27,6 +30,7 @@ import java.util.Map;
*/
public class LdapConnection implements Closeable {
private static final ESLogger logger = ESLoggerFactory.getLogger(LdapConnection.class.getName());
private final String bindDn;
private final DirContext ldapContext;
@ -63,7 +67,9 @@ public class LdapConnection implements Closeable {
* @return List of group membership
*/
public List<String> getGroups(){
return isFindGroupsByAttribute ? getGroupsFromUserAttrs(bindDn) : getGroupsFromSearch(bindDn);
List<String> groups = isFindGroupsByAttribute ? getGroupsFromUserAttrs(bindDn) : getGroupsFromSearch(bindDn);
logger.debug("Found these groups [{}] for userDN [{}]", groups, this.bindDn );
return groups;
}
/**
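Review bot: The added debug line in `getGroups()` mixes `this.bindDn` with the bare `bindDn` used on the line immediately above it and carries a stray space before the closing parenthesis; use one form throughout, `logger.debug("Found these groups [{}] for userDN [{}]", groups, bindDn);`. The parameterized form is the right choice here: no string is built unless DEBUG is enabled, so no `isDebugEnabled()` guard is needed. The new `logger` field could carry a one-line comment noting it is the class-wide logger so readers do not look for a per-connection instance.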


@ -124,6 +124,7 @@ public class LdapGroupToRoleMapper extends AbstractComponent {
roles.add(getRelativeName(groupLdapName));
}
}
logger.debug("The roles [{}], are mapped from these LDAP groups [{}]", roles, groupDns);
return roles;
}
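Review bot: The new message `"The roles [{}], are mapped from these LDAP groups [{}]"` has a stray comma after the first placeholder; `logger.debug("The roles [{}] are mapped from these LDAP groups [{}]", roles, groupDns);` reads cleanly. Since the stated purpose of the commit is troubleshooting role establishment, this line is the one a reader will grep for, so the empty-`roles` case (groups present but nothing mapped) is already covered by printing both lists. The enclosing method starts outside the hunk.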


@ -112,6 +112,7 @@ public class LdapSslSocketFactory extends SocketFactory {
builder.put(JAVA_NAMING_LDAP_FACTORY_SOCKET, LdapSslSocketFactory.class.getName());
} else {
logger.warn("LdapSslSocketFactory not used for LDAP connections");
logger.debug("LdapSslSocketFactory: secureProtocol = [{}], instance != null [{}]", secureProtocol, instance != null);
}
}
}
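Review bot: The `else` branch now emits the consequence at WARN and the reason only at DEBUG, so in a production log the warning "LdapSslSocketFactory not used for LDAP connections" appears without the two values that explain it. If, as the branch suggests, this means LDAP connections proceed with the default socket factory rather than the configured trust store, the reason belongs next to the consequence: replace the two lines with `logger.warn("LdapSslSocketFactory not used for LDAP connections: secureProtocol = [{}], instance != null [{}]", secureProtocol, instance != null);`. Neither value is sensitive, so there is no reason to keep it out of WARN.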


@ -91,6 +91,7 @@ public abstract class CachingUsernamePasswordRealm extends AbstractComponent imp
Callable<UserWithHash> callback = new Callable<UserWithHash>() {
@Override
public UserWithHash call() throws Exception {
logger.debug("User not found in cache, proceeding with normal authentication");
User user = doAuthenticate(token);
if (user == null) {
throw new AuthenticationException("Could not authenticate [" + token.principal() + "]");
@ -102,11 +103,13 @@ public abstract class CachingUsernamePasswordRealm extends AbstractComponent imp
try {
UserWithHash userWithHash = cache.get(token.principal(), callback);
if (userWithHash.verify(token.credentials())) {
logger.debug("Authenticated user [{}], with roles [{}]", token.principal(), userWithHash.user.roles());
return userWithHash.user;
}
//this handles when a user's password has changed:
expire(token.principal());
userWithHash = cache.get(token.principal(), callback);
logger.debug("Cached user's password changed. Authenticated user [{}], with roles [{}]", token.principal(), userWithHash.user.roles());
return userWithHash.user;
} catch (ExecutionException | UncheckedExecutionException ee) {
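Review bot: The cache-miss message `"User not found in cache, proceeding with normal authentication"` omits the principal even though `token.principal()` is in scope and is used two lines later in the exception; without it the line cannot be correlated with the "Authenticated user [{}]" lines added in the second hunk. Write it as `logger.debug("User [{}] not found in cache, proceeding with normal authentication", token.principal());`. The message at the second `cache.get` states "Cached user's password changed" as fact, whereas the code only knows that the stored hash failed to verify and a fresh authentication succeeded; "Cached credentials stale" would describe what is actually observed. All four added lines log principal and roles only, never `token.credentials()`, which is the property to preserve in any follow-up. The enclosing method and its `catch` continue outside the hunk.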