
How to fix: cannot connect to ldapserver - Authentication finally failed

I am using openldap with opendistro for elasticsearch under docker, and I am getting this error:

elasticsearch    | [2019-07-31T12:48:42,590][WARN ][c.a.o.s.a.BackendRegistry] [28da1860f0c0] Authentication finally failed for cn=admin,dc=example,dc=com from 192.168.64.1:58682
elasticsearch    | [2019-07-31T12:48:43,430][WARN ][c.a.o.s.a.BackendRegistry] [28da1860f0c0] Authentication finally failed for kibanaserver from 192.168.64.2:39506

This is my docker-compose:

version: '2.2'
services:
  example.com:
    image: osixia/openldap:1.2.4
    container_name: example.com
    environment:
      #LDAP_ORGANISATION: # Organisation name. Defaults to Example Inc.
      LDAP_DOMAIN: example.com #Ldap domain. Defaults to example.org
      LDAP_BASE_DN: "" #Ldap base DN. If empty automatically set from LDAP_DOMAIN value. Defaults to (empty)
      #LDAP_ADMIN_PASSWORD Ldap Admin password. Defaults to admin
    ports:
      - "389:389"
      - "636:636"
    networks: 
      - esnet
  phpldapadmin:
    image: osixia/phpldapadmin:latest
    container_name: phpldapadmin
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: "example.org"
      PHPLDAPADMIN_HTTPS: "false"
    ports:
      - "8080:80"
    depends_on:
      - example.com
    networks: 
      - esnet
  elasticsearch:
    image: amazon/opendistro-for-elasticsearch:1.0.2
    container_name: elasticsearch
    environment:
      - cluster.name=docker-cluster
      - bootstrap.memory_lock=true  # along with the memlock settings below, disables swapping
      - "ES_JAVA_OPTS=-Xms1024m -Xmx1024m" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
      - discovery.type=single-node
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - esdata1:/usr/share/elasticsearch/data
      - ./elasticsearch/config.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
    ports:
      - 9200:9200
      - 9600:9600 
    networks:
      esnet:
        aliases:
        - node-0.example.com
  kibana:
    image: amazon/opendistro-for-elasticsearch-kibana:1.0.2
    container_name: kibana
    volumes:
      - ./kibana/kibana.yml:/usr/share/kibana/config/kibana.yml:ro
    ports: 
      - 5601:5601
    expose:
      - "5601"
    environment:
      ELASTICSEARCH_HOSTS: https://elasticsearch:9200
    networks: 
      - esnet

and this is my config.yml:

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern

    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: false
        transport_enabled: false
        order: 4
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 5
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - example.com:389
            bind_dn: "cn=admin,dc=example,dc=com"
            password: "admin"
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: null
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(member={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null

            userrolename: disabled

            resolve_nested_roles: true
            userbase: 'ou=people,dc=example,dc=com'

      roles_from_another_ldap:
        description: "Authorize via another Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: ldap

I also need to enable authz, but I won't do that until after I can successfully authenticate to elasticsearch with ldap credentials. I tried to query this ldap user:

docker exec example.com ldapsearch -x -H ldap://localhost -b dc=example,dc=com -D "cn=admin,dc=example,dc=com" -w admin

and I get:

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Inc.
dc: example

# admin, example.com
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9QnJDbHdTYnRRb3dHazJiQlB6MTF3R29MS3dFVmxmZUk=

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

This is my kibana.yml:

server.name: kibana
server.host: "0"
elasticsearch.hosts: https://localhost:9200
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]

This is where the kibanaserver user is required.

Does anyone have any hints? Which credentials should I use? Thanks all, best regards
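To see why both lookups in the log fail, here is an added Python example (written for this page, not code from the question or from the Open Distro security plugin). It parses the ldapsearch output quoted above, applies the userbase and usersearch settings from config.yml the way a subtree user search would, and checks whether any HTTP-enabled authc domain still serves the internal user database in which the kibanaserver account lives. The uid=alice entry and the reduced AUTHC dict are constructed from the page's values, the filter evaluation handles only the single-clause (attr={0}) form, and nothing here talks to a live directory.

```python
import base64
import re

USERBASE = "ou=people,dc=example,dc=com"   # userbase from the question's config.yml

# Constructed sample: the two entries the ldapsearch in the question returned.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject
dc: example

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
cn: admin
userPassword:: e1NTSEF9QnJDbHdTYnRRb3dHazJiQlB6MTF3R29MS3dFVmxmZUk=
"""
# Constructed sample (not on the page): a user entry under the configured
# userbase as the osixia/openldap image would hold it, keyed by uid.
CONSTRUCTED_PEOPLE = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
"""
# The authc section of the question's config.yml, reduced to the fields that matter.
AUTHC = {
    "basic_internal_auth_domain": {"http_enabled": False, "authentication_backend": {"type": "intern"}},
    "ldap": {"http_enabled": True, "authentication_backend": {"type": "ldap"}},
}


def parse_ldif(text):
    """LDIF -> list of {attribute: [values]}: skips '#' comments, decodes '::' base64
    values, ends a record at a blank line, lower-cases attribute names. No folded lines."""
    entries, current = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("#"):
            continue
        if not line:
            if "dn" in current:        # a record without dn (e.g. a search trailer) is dropped
                entries.append(current)
            current = {}
            continue
        m = re.match(r"^([A-Za-z][\w;-]*)(::?)\s*(.*)$", line)
        if not m:
            continue
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    if "dn" in current:
        entries.append(current)
    return entries


def is_under(dn, base):
    """True if dn is base itself or lies in the subtree beneath it (case-insensitive)."""
    norm = lambda d: ",".join(p.strip().lower() for p in d.split(","))
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)


def filter_parts(usersearch):
    """(attribute, value pattern) from a single-clause '(attr={0})' filter."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", usersearch)
    if not m:
        raise ValueError("only simple (attr=value) filters are supported here")
    return m.group(1).lower(), m.group(2)


def find_user(entries, userbase, usersearch, username):
    """DNs the LDAP backend would consider: subtree under userbase, {0} -> login name."""
    attr, pattern = filter_parts(usersearch)
    wanted = pattern.replace("{0}", username).lower()
    return [e["dn"][0] for e in entries if is_under(e["dn"][0], userbase)
            and any(v.lower() == wanted for v in e.get(attr, []))]


def diagnose(entries, userbase, usersearch, username):
    """Explain an empty lookup: wrong subtree, wrong attribute, or unknown user."""
    if find_user(entries, userbase, usersearch, username):
        return "ok"
    in_base = [e for e in entries if is_under(e["dn"][0], userbase)]
    if not in_base:
        return f"no entries under userbase {userbase!r}"
    attr, _ = filter_parts(usersearch)
    if not any(attr in e for e in in_base):
        return f"no entry under {userbase!r} has attribute {attr!r}"
    return f"no entry under {userbase!r} matches {usersearch!r} for {username!r}"


def internal_users_reachable_over_http(authc):
    """True if an HTTP-enabled authc domain uses the internal user database (where kibanaserver lives)."""
    return any(d.get("http_enabled") and d["authentication_backend"]["type"] in ("intern", "internal")
               for d in authc.values())


if __name__ == "__main__":
    live = parse_ldif(SAMPLE_LDIF)
    print(diagnose(live, USERBASE, "(sAMAccountName={0})", "admin"))
    both = live + parse_ldif(CONSTRUCTED_PEOPLE)
    print(diagnose(both, USERBASE, "(sAMAccountName={0})", "alice"), find_user(both, USERBASE, "(uid={0})", "alice"))
    print("kibanaserver reachable over HTTP:", internal_users_reachable_over_http(AUTHC))
```

Run against the directory contents shown in the question, the first diagnosis reports that nothing exists under the configured userbase at all; with a constructed uid-keyed entry added, the sAMAccountName filter still matches nothing while (uid={0}) does, and the AUTHC check confirms that no HTTP-enabled domain can see the internal kibanaserver account. The same checks can be run on a real export by feeding the output of ldapsearch -LLL into parse_ldif.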

Do you have an ldap server? Where is the ldap server on your local machine?

Change the host settings in the authentication config file, where you have this example.com:389