Loading...

Debug Active Directory security within Elasticsearch Shield

Shield offers the capability to allow authentication with LDAP or the Windows Active Directory. This post explains a simple method to analyse the authentication process.

There are several files involved:

  • elasticsearch.yml
  • shield/roles.yml
  • shield/role_mapping.yml

The elasticsearch.yml holds the active directory configuration, for instance:

shield:
  enabled: true
  authc:
    realms:
      file:
        type: file
        order: 0
      native:
        type: native
        order: 1
      active_directory:
        type: active_directory
        order: 2
        domain_name: ldap.cinhtau.net
        url: ldaps://ldap.cinhtau.net:636
        unmapped_groups_as_roles: false
        group_search.base_dn: "OU=Security,DC=cinhtau,DC=net"
  ssl:
        keystore:
	  path: /home/tan/omega.jks
	  password: 8eAx89lJ7
	truststore:
	  path: /home/tan/trust.jks
	  password: 7k-LDPsbZs8d

If you don’t use mutual SSL, the URL should result to ldap://ldap.cinhtau.net:389. Replace ldap.cinhtau.net with your ldap hostname. Pay attention, that I use a three level security model, usually it is not necessary to set the order to zero. The roles.yml should contain your permissions for all indices and kibana 4. See below the role devops which is sufficient as kibana 4 user.

devops:
  cluster:
      - monitor
  indices:
    - names: '*'
      privileges:
        - view_index_metadata
        - read
    - names: '.kibana*'
      privileges:
        - manage
        - read
        - index

The role_mapping.yml should contain the group or user cn, mapped to role devops.

# Role mapping configuration file which has elasticsearch roles as keys
# that map to one or more user or group distinguished names
#roleA:   this is an elasticsearch role
#  - groupA-DN  this is a group distinguished name
#  - groupB-DN
#  - user1-DN   this is the full user distinguished name
power_user:
  - "CN=vinh,OU=Development,DC=cinhtau,DC=net"
devops:
  - "CN=ApplicationEngineering,OU=Zuerich,OU=File Systems,OU=Security,OU=Control Groups,DC=cinhtau,DC=net"

Add the logger to the logging.yml in the logging section:

shield.authc.activedirectory: TRACE

Doing auth you will similar log messages

[2016-08-12 09:11:46,530][DEBUG][shield.authc.activedirectory] [zh2-lb] user not found in cache, proceeding with normal authentication
[2016-08-12 09:11:46,573][DEBUG][shield.authc.activedirectory] [zh2-lb] found these groups [[CN=..]
[2016-08-12 09:11:46,577][DEBUG][shield.authc.activedirectory] [zh2-lb] authenticated user [vinh], with roles [[devops, power_user]]