Using LDAP to authenticate users

2022年12月2日   |   by mebius

Credentials are needed to access Elasticsearch clusters if security is set.Credentials can be standard user/passwords stored inside Elasticsearch, or more complex solutions such as Active Directory and Lightweight Directory Access Protocol (LDAP) can be used.

You can configure the Elastic Stack security features to communicate with an LDAPserver to authenticate users.LDAP stores users and groups hierarchically, similar to the way folders are grouped in a file system. An LDAP directory’s hierarchy is built from containers such as theorganizational unit(ou),organization(o), anddomain controller(dc).

The path to an entry is aDistinguished Name(DN) that uniquely identifies a user or group. User and group names typically have attributes such as acommon name(cn) orunique ID(uid). A DN is specified as a string, for example"cn=admin,dc=example,dc=com"(white spaces are ignored).

Theldaprealm supports two modes of operation, a user search mode and a mode with specific templates for user DNs.

Introduction to LDAP

The full name of LDAP is Lightweight Directory Access Protocol, Lightweight Directory Access Protocol. Simply put, LDAP is a protocol for accessing directory databases. Directory service data is also a kind of database. Compared with the well-known relational databases, such as MySQL and Oracle, this kind of database has only the following characteristics:

  • It organizes data in a tree structure, similar to a file directory
  • It is a database optimized for querying, browsing and searching, which means that LDAP is particularly readable, but the writing performance is poor, and it does not support transaction processing, rollback and other responsible functions

LDAP directory structure:

%title插图%num

  1. Target tree: as shown in the figure above, in a directory server, the entire directory information set can be expressed as a directory information tree, and each node in the tree is an entry.
  2. Entry: each entry is a record, and each entry has its own uniquely distinguishedname (DN). For example, each circle in the figure is a record.
  3. DN, RDN: for example, the first leaf entry in the above figure has a uniquely distinguishedname DN: uid=bob,ou=people,dc=acme,dc=org. Absolute paths are similar to relative paths for file directories. In addition to its DN, it also has an RDN. RDN has nothing to do with the directory structure, such as uid=bob,ou=people,dc=acme,dc=org mentioned earlier, its RDN is uid=bob.
  4. Attribute: describe the specific information of the item. For example, ‘uid=bill,ou=people,dc=acme,dc=org‘, it has attribute name as bill, attribute age as 11, attribute school as xx:

%title插图%num

In this article, Elastic Stack 8.3.3 will be used for the demo, and the whole configuration to be used is as follows:

%title插图%num

As shown above, two machines are used. One Ubuntu OS machine is used for installing the Elastic Stack, and the other one is used for installing the Apache Directory.

Installations

As shown in above configuration, Elastic Stack and Apache Directory are needed to to be installed.

Elastic Stack

If you have not installed Elasticsearch and Kibanayet, please refer to our official guides:

According to Elastic’s subscription atSubscriptions | Elastic Stack Products & Support | Elastic, LDAP is a feature to buy:

%title插图%num

After installing Elasticsearch and Kibana, we need to activate the trial license as follows:

%title插图%num

Apache Directory

Apache Directory Studio is a complete directory tools platform designed to work with any LDAP server, but it is specifically designed for use with ApacheDS. It is an Eclipse RCP application consisting of several Eclipse (OSGi) plug-ins that can be easily upgraded with other plug-ins. These plug-ins can even run within Eclipse itself. We can go to the address Downloads — Apache Directory to download and install according to your own platform:

%title插图%num

We then need to use ApacheDS to create some users and groups as follows.We create the following ou under dc=example,dc=com:

  • groups: This is a group that contains cn=user1 and cn=user2 entries. If you want to know how to create a group, please refer to the document “Preparing the LDAP environment“.

%title插图%num

  • users: This is an ou. It contains some user information. If you want to know how to create a user, please read the article “Preparing the LDAP environment“.

%title插图%num

  • usrs: This is an ou.It is used by the groups group:

%title插图%num

For each entry above, we set the uid and userPassword for it. For simplicity, in our case, set them all to 123456 as password。

In order to verify the correctness of a DN and user, we can use the following command to verify:

ldapsearch -x -D "cn=liuxg,ou=users,dc=example,dc=com"
       -W -H ldap://ubuntu:10389 -b "dc=example,doc=com"
       -s sub '(sAMAccountName=liuxg)'

where “ubuntu” is the hostname for the Apache Directory machine. The response is as follows:

$ ldapsearch -x -D "cn=liuxg,ou=users,dc=example,dc=com"
>        -W -H ldap://ubuntu:10389 -b "dc=example,doc=com"
>        -s sub '(sAMAccountName=liuxg)'
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (sAMAccountName=liuxg)
# requesting: ALL
#
 
# search result
search: 2
result: 32 No such object
text: NO_SUCH_OBJECT: failed for MessageType : SEARCH_REQUEST
Message ID : 2
 
     SearchRequest
        baseDn : 'dc=example,doc=com'
        filter : '(|
 (sAMAccountName=liuxg)(objectClass=referral))'
        scope : whole subtree
 
        typesOnly : false
        Size Limit : no limit
        Time Limit 
 : no limit
        Deref Aliases : never Deref Aliases
        attributetgcodes : 
 
org.apache.directory.api.ldap.model.message.SearchRequestImpl@430edd43: ERR
 _268 Cannot find a partition for dc=example,doc=com
 
# numResponses: 1

In the above, we enter the password for liuxgaccount. If you see the outputs as shown above, it means that your DN works well.

Configure the ldap realm with user search

The ldap realm supports two modes of operation, a user search mode and a mode that provides specific templates for user DNs. LDAP user search is the most common mode of operation. In this mode, a specific user with permission to search the LDAP directory is used to search for the DN of the authenticating user based on the supplied username and LDAP attributes. Once found, the user is authenticated by attempting to bind to the LDAP server using the found DN and the provided password.

We first open the Elasticsearch configuration file config/elasticsearch.yml file:

config/elasticsearch.yml

xpack:
  security:
    authc:
      realms:
        ldap:
          ldap1:
            order: 0
            url: "ldap://ubuntu:10389"
            bind_dn: "ou=users,dc=example,dc=com"
            bind_password: "123456"
            user_search:
              base_dn: "dc=example,dc=com"
              filter: "(cn={0})"
            group_search:
              base_dn: "ou=groups,dc=example,dc=com"
            files:
              role_mapping: "/Users/liuxg/elastic/elasticsearch-8.3.3/config/role_mapping.yml"
            unmapped_groups_as_roles: false

We add the above code at the end of the file. The url needs to be configured according to your actual installation. The set password is 123456, which is configured inApacheDS. Many people may think that it is not a good idea to configure plaintext passwords in elasticsearch.yml above. We can use the following command to add the bind_dn(as shown above) password to the Elasticsearch keystore:

bin/elasticsearch-keystore add xpack.security.authc.realms.ldap.ldap1.secure_bind_passwortgcoded

Once we configure it like this, then I don’t need to configure it in elasticsearch.yml, andwe can directly remove the bind_dn line.

We need to modify the above role_mapping configuration according to our Elasticsearch installation path.

role_mapping.yml

# Role mapping configuration file which has elasticsearch roles as keys
# that map to one or more user or group distinguished names
 
#roleA:   this is an elasticsearch role
#  - groupA-DN  this is a group distinguished name
#  - groupB-DN
#  - user1-DN   this is the full user distinguished name
 
superuser:
  - "cn=liuxg,ou=users,dc=example,dc=com"
  - "cn=xgliu,ou=users,dc=example,dc=com"
  - "employeeNumber=1,ou=users,dc=example,dc=com"

As shown above, superuser is a role already defined in Elasticsearch. This role can be preset, and itcan also be defined by ourselves. If you don’t know how to define roles yet, please refer to our global document atDefining roles | Elasticsearch Guide [8.5] | Elastic.

  - "cn=liuxg,ou=users,dc=example,dc=com"
  - "cn=xgliu,ou=users,dc=example,dc=com"
  - "employeeNumber=1,ou=users,dc=example,dc=com"

The users represented by these DNs are superuser users.We next restart Elasticsearch and log in to the Kibana interface:

%title插图%num

%title插图%num

Obviously, we can use liuxg:123456 to log in successfully.We can also use the following command to check:

curl -k -u xgliu:123456 https://localhost:9200
$ curl -k -u xgliu:123456 https://localhostgcodet:9200
{
  "name" : "liuxgm.local",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "zWDMrYU2RJm9RugZCZGhsQ",
  "version" : {
    "number" : "8.3.3",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "801fed82df74dbe537f89b71b098ccaff88d2c56",
    "build_date" : "2022-07-23T19:30:09.227964828Z",
    "build_snapshot" : false,
    "lucene_version" : "9.2.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

The xgliu account can also successfully access Elasticsearch.

Next, we show how to map the accounts in groups so that they also have the role of superuser. Of course, we can also make them map to any roles we want. However,the premise is that these roles must be preset or created by yourself. Inthe following, two methods are used to show the role mapping.

Kibana interface

%title插图%num

%title插图%num

%title插图%num

In the above, we fill in the following values ​​in Value:

cn=user*,ou=groups,dc=example,dc=com

where wildcard is used to match user1 and user2. They are used in the groups.Click Save role mappingbutton:

%title插图%num

We can enter the following command in the console:

GET  /_security/role_mapping/

The above command returns the result:

{
  "users": {
    "enabled": true,
    "roles": [
      "superuser"
    ],
    "rules": {
      "all": [
        {
          "field": {
            "groups": "cn=user*,ou=groups,dc=example,dc=com"
          }
        }
      ]
    },
    "metadata": {}
  }
}

It shows that all users whose DN matches cn=user*,ou=groups,dc=example,dc=com will have the role of superuser. We next use jim:123456 to log in:

%title插图%num

%title插图%num

The above screen showsour login was successful.Of course, another user sue:123456 in this group can also log in successfully.

In order to demonstrate the use of the following API, we first delete the users role mapping we just created:

%title插图%num

%title插图%num

In this way, we don’t have any role mapping, and of course neither jim nor sue can log in. If we log in with jim’s account, we can see the following screen:

%title插图%num

Use the API

We use the following API to implement role mapping:

PUT /_security/role_mapping/admins
{
  "roles" : [ "superuser" ],
  "rules" : { "field" : {
    "groups" : "cn=user*,ou=groups,dc=example,dc=com" 
  } },
  "enabled": true
}

We can use the following command to view:

GET  /_security/role_mapping/

The above command generates:

{
  "admins": {
    "enabled": true,
    "roles": [
      "superuser"
    ],
    "rules": {
      "field": {
        "groups": "cn=user*,ou=groups,dc=example,dc=com"
      }
    },
    "metadata": {}
  }
}

It generates a role mapping called admins.We can go back to the previous role mapping interface:

%title插图%num

Anew role mapping for admins has been created. We can use a user defined in the group to log in. We tryjim:123456in the following:

%title插图%num

%title插图%num

As shown above, the login is successful again!

Refereneces:

文章来源于互联网:Using LDAP to authenticate users

相关推荐: Elasticsearch:在 Java 客户端中使用 truststore 来创建 HTTPS 连接

在我之前的文章 “Elasticsearch:使用 Elasticsearch Java client 8.0 来连接带有 HTTPS 的集群” 里,我使用了两种方法,一直是使用 token 的方式,另外一种是使用 PEM 证书来进行连接的。在实际的使用中,有…

Tags: , , , ,