Active Directory & LDAP | Security for Elasticsearch
3 likes689 views
This document discusses LDAP and Active Directory authentication with Search Guard. It describes how Search Guard supports authenticating and authorizing users against LDAP directories, including configuration settings for connecting to LDAP servers, searching for users and roles, and handling nested roles. It also provides an overview of LDAP vs. Active Directory and the directory information tree structure.
Active Directory & LDAP | Security for Elasticsearch
- 1. © 2018 floragunn GmbH - All Rights Reserved SEARCH GUARD ACTIVE DIRECTORY & LDAP AUTHENTICATION DOCUMENTS
- 2. © 2018 floragunn GmbH - All Rights Reserved Search Guard – Active Directory & LDAP Authentication 01. LDAP vs ACTIVE DIRECTORY LDAP (Lightweight Directory Access Protocol) “an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network” Active Directory “a service that provides LDAP based authentication with Kerberos based authorization.” Both provide a tree-based directory service: “Directory Information Tree” (DIT) “Directory Information Tree” (DIT) Typically stored users and groups, amongst other objects Objects identified by their Distinguished Name (DN)
- 3. © 2018 floragunn GmbH - All Rights Reserved Search Guard – Active Directory & LDAP Authentication DIRECTORY INFORMATION TREE
- 4. © 2018 floragunn GmbH - All Rights Reserved Search Guard – Active Directory & LDAP Authentication 02. LDAP SUPPORT IN SEARCH GUARD The LDAP backend can be used for Authentication (verify user credentials) Authorization (fetch a users backend roles) For Active Directory and LDAP likewise One or multiple LDAP servers supported For high availability For connecting to multiple directories In Windows environments often combined with Kerberos
- 5. © 2018 floragunn GmbH - All Rights Reserved Search Guard – Active Directory & LDAP Authentication LDAP AUTHENTICATION BACKEND ldap: http_enabled: true transport_enabled: true order: 0 http_authenticator: type: basic challenge: false authentication_backend: type: ldap config: enable_ssl: true verify_hostnames: true hosts: - ldap.example.com:636 bind_dn: cn=admin,dc=example,dc=com password: password userbase: 'ou=people,dc=example,dc=com' # Filter to search for users (currently in the whole subtree beneath userbase) # {0} is substituted with the username usersearch: '(sAMAccountName={0})'
- 6. © 2018 floragunn GmbH - All Rights Reserved Search Guard – Active Directory & LDAP Authentication 04. CONNECTING SETTINGS Hosts Authentication (verify user credentials) Authorization (fetch a users backend roles) For Active Directory and LDAP likewise One or multiple LDAP servers supported For high availability For connecting to multiple directories In Windows environments often combined with Kerberos
- 7. © 2018 floragunn GmbH - All Rights Reserved Search Guard – Active Directory & LDAP Authentication 05. CONNECTING SETTINGS LDAPS and TLS support Hostname verification & DNS lookups Client certificate authentication) Support for separate root CA, if different from Search Guard root CA Bind settings Anonymous bind bind_dn / password
- 8. © 2018 floragunn GmbH - All Rights Reserved Search Guard – Active Directory & LDAP Authentication 06. USER AUTHENTICATION Search Guard performs LDAP queries for user authentication userbase Subtree that stores user information, specified by full DN usersearch LDAP query to find the user {0} is a placeholder and substituted with the users name username_attribute attribute of the LDAP entry that contains the username If not specified, the full DN is used
- 9. © 2018 floragunn GmbH - All Rights Reserved Search Guard – Active Directory & LDAP Authentication 07. USER AUTHENTICATION LDAP Entry: dn: CN=hr_employee,CN=Users,DC=test,DC=local objectClass: person cn: AD_hr_employee distinguishedName: CN=AD_hr_employee,CN=Users,DC=test,DC=local displayName: AD_hr_employee memberOf: CN=HumanResources_Employees,OU=Groups,DC=test,DC=local name: AD_hr_employee sAMAccountName: hr_employee Configuration: config: hosts: - ldap.example.com:636 bind_dn: cn=admin,dc=test,dc=local password: password userbase: 'CN=Users,DC=test,DC=local' # Filter to search for users (currently in the whole subtree beneath userbase) # {0} is substituted with the username usersearch: '(sAMAccountName={0})'
- 10. © 2018 floragunn GmbH - All Rights Reserved Search Guard – Active Directory & LDAP Authentication LDAP AUTHORIZATION BACKEND authorization_backend: type: ldap # NOT FREE FOR COMMERCIAL USE config: … (tls, hostnames and bind_dn as before) … rolebase: 'ou=groups,dc=example,dc=com' # Filter to search for roles (currently in the whole subtree beneath rolebase) # {0} is substituted with the DN of the user # {1} is substituted with the username # {2} is substituted with an attribute from user's directory entry(userroleattribute) # Specify the name of the attribute which value should be substituted with {2} above userroleattribute: null rolesearch: '(uniqueMember={0})' # Roles as an attribute of the user entry userrolename: memberOf # The attribute in a role entry containing the name of that role rolename: cn # Resolve nested roles transitive (roles which are members of other roles on ...) resolve_nested_roles: true
- 11. © 2018 floragunn GmbH - All Rights Reserved Search Guard – Active Directory & LDAP Authentication 09. USER AUTHORIZATION Connection settings are identical to authentication Basic principle for fetching roles similar to authentication Configure role subtree Defined LDAP query for retrieving roles Configure the attribute of the LDAP entry that is used as role name Configure support for nested roles Alternative: Roles as direct user attributes Both approaches can be combined
- 12. © 2018 floragunn GmbH - All Rights Reserved Search Guard – Active Directory & LDAP Authentication rolesearch LDAP query can contain three placeholders # {0} is substituted with the DN of the user # {1} is substituted with the username # {2} is substituted with an attribute value from the user's directory entry use “userroleattribute” to specify the name of this attribute E.g.: rolesearch: “(uniqueMember={0})” Configure role name attribute E.g.: rolename: “cn” 10. USING THE ROLE SUBTREE
- 13. © 2018 floragunn GmbH - All Rights Reserved Search Guard – Active Directory & LDAP Authentication Roles can be stored as user attributes Attributes of the LDAP user entry in the user subtree Search Guard can extract these roles userrolename: “myroleattribute” Attribute values can be: DN pointing to a LDAP role This role must exist in the role subtree Arbitrary, non-DN values These values are returned as-is 11. ATTRIBUTE BASED ROLES
- 14. © 2018 floragunn GmbH - All Rights Reserved Search Guard – Active Directory & LDAP Authentication Roles on LDAP can be nested Roles which are members of roles Search Guard can be configured resolve nested roles resolve_nested_roles: <true|false> Depending on the nesting level, can have performance impact One LDAP call for each level 12. NESTED ROLES
- 15. © 2018 floragunn GmbH - All Rights Reserved Search Guard – Active Directory & LDAP Authentication Exclude users from role lookups E.g. service users like logstash or Kibana Exclude roles from nested role lookups Performance optimization Only resolve nested roles when necessary Wildcards and regular expressions are supported 13. ADVANCED FEATURES
- 16. © 2018 floragunn GmbH - All Rights Reserved Search Guard – Active Directory & LDAP Authentication 14. RESOURCES Search Guard website https://search-guard.com/ Documentation https://docs.search-guard.com Community Forum https://groups.google.com/d/forum/search-guard GitHub https://github.com/floragunncom
- 17. © 2018 floragunn GmbH - All Rights Reserved WE LOOK FORWARD TO YOUR MESSAGE CONTACT US: info@search-guard.com
- 18. © 2018 floragunn GmbH - All Rights Reserved floragunn GmbH Tempelhofer Ufer 16 D-10963 Berlin, Germany E-Mail: info@search-guard.com Web: search-guard.com Managing Directors: Claudia Kressin, Jochen Kressin Registergericht: Amtsgericht Charlottenburg Registernummer: HRB 147010 B E-Mail: info@floragunn.com Search Guard is a trademark of floragunn GmbH, registered in the U.S. and in other countries. Elasticsearch, Kibana, Logstash, and Beats are trademarks of Elasticsearch BV, registered in the U.S. and in other countries. floragunn GmbH is not affiliated with Elasticsearch BV. Search Guard is an independent implementation of a security access layer for Elasticsearch. It is completely independent from Elasticsearch own products.