
LDAP Authentication Filter \ Usage

Open obtix opened this issue 5 years ago • 10 comments

I am trying to setup LDAP authentication with our AD environment.

basicAuthentication.enabled=true
#basicAuthentication.realm="Kafka-Manager"
#basicAuthentication.username="admin"
#basicAuthentication.password="password"
basicAuthentication.excluded=["/api/health"] # ping the health of your instance without authentication

basicAuthentication.ldap.enabled=true
basicAuthentication.ldap.server="ad-server.domain.local"
basicAuthentication.ldap.port=389
basicAuthentication.ldap.username="CN=Kafka Service,OU=Kafka,OU=Prod,OU=Service,DC=Domain,DC=local"
basicAuthentication.ldap.password="password"
basicAuthentication.ldap.search-base-dn="dc=domain,dc=local"
basicAuthentication.ldap.connection-pool-size=10
basicAuthentication.ldap.ssl=false

For the search filter (which I think is where my issue is), I've tried a few different ways:

basicAuthentication.ldap.search-filter="(uid=$capturedLogin$)"
basicAuthentication.ldap.search-filter="CN=Kafka Admins,OU=Groups,OU=Prod,OU=Service,DC=Domain,DC=local"
basicAuthentication.ldap.search-filter="(&(cn=%u)(memberOf=CN=Kafka Admins,OU=Groups,OU=Prod,OU=Service,DC=Domain,DC=local))"

No matter what I try I end up in a login loop (no error), and I do not believe it is querying the account from the group in the search filter properly. I've enabled DEBUG logging and it does not output anything at all.

I also feel like there should be a setting for me to associate the sAMAccountName or userPrincipalName from the user's attributes.

Thanks for any help here!

obtix, Nov 20 '19 20:11

@obtix I have spent enough time on this today and would suggest running ldapsearch with the search filter given in the config:

ldapsearch -v -H <<basicAuthentication.ldap.server>> -b <<basicAuthentication.ldap.search-base-dn>> -s sub "(<<basicAuthentication.ldap.search-filter>>)"

kafka-manager would be running this same search. If this does not work, try to list all the users by removing the search filter from the command; you will know what info is being returned from LDAP. I had to replace "uid" with "sAMAccountName" in the search-filter that way. If you get this working and are still going in a login loop, try debug. I had to make the following changes to get the debug log:

~/work/kafka-manager   *  git diff                                                                                                                                                                                Thu Dec  5 22:33:04 2019
diff --git a/app/controllers/BasicAuthenticationFilter.scala b/app/controllers/BasicAuthenticationFilter.scala
index b91ef05..63772d3 100644
--- a/app/controllers/BasicAuthenticationFilter.scala
+++ b/app/controllers/BasicAuthenticationFilter.scala
@@ -17,7 +17,7 @@ import play.api.mvc.Results.Unauthorized
 import play.api.mvc.{Cookie, Filter, RequestHeader, Result}

 import scala.collection.JavaConverters._
-import scala.util.{Success, Try}
+import scala.util.{Success, Try, Failure}
 import grizzled.slf4j.Logging
 import javax.crypto.Mac
 import play.api.libs.Codecs
@@ -223,6 +223,9 @@ case class LDAPAuthenticator(config: LDAPAuthenticationConfig)(implicit val mat:
     val searchRequest = new SearchRequest(baseDN, SearchScope.SUB, filter)
     Try(connection.search(searchRequest)) match {
       case Success(sr) if sr.getEntryCount > 0 => Some(sr.getSearchEntries.get(0).getDN)
+      case Failure(e) =>
+        logger.debug(e.getMessage)
+        None
       case _ => None
     }
   }
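Review bot: the new `case Failure(e)` branch logs only `e.getMessage` at DEBUG, which is invisible under the default WARN root logger and discards the stack trace and the LDAP result code; log it at WARN with the exception attached, e.g. `logger.warn(s"LDAP search failed for filter $filter", e)`, so a failed search surfaces without enabling DEBUG for the whole application. Since `case _ => None` now only covers a successful search with `getEntryCount == 0`, a second debug line there ("no entry matched filter") would let an operator tell "no match" apart from "search error", which is exactly the distinction the login-loop reports above lack.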
diff --git a/conf/logback.xml b/conf/logback.xml
index e5a5c7d..93d5199 100644
--- a/conf/logback.xml
+++ b/conf/logback.xml
@@ -42,7 +42,7 @@
     <logger name="com.gargoylesoftware.htmlunit.javascript" level="OFF" />
     <logger name="org.apache.zookeeper" level="INFO"/>

-    <root level="WARN">
+    <root level="DEBUG">
         <appender-ref ref="ASYNCFILE" />
         <appender-ref ref="ASYNCSTDOUT" />
     </root>
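Review bot: changing `<root level="WARN">` to DEBUG enables debug output for every library in the process, not just the authenticator, which is noisy and can write request details to the ASYNCFILE appender that you would not normally keep on disk. Prefer a targeted entry next to the existing `<logger name="org.apache.zookeeper" level="INFO"/>` line, such as `<logger name="controllers" level="DEBUG"/>`, and keep root at WARN; if the root change is used for a one-off diagnosis, revert it afterwards.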

bseenu, Dec 06 '19 06:12

Hi,

Don't know if it could help, but after 1 day of struggle with LDAP I'm finally able to restrict access to a group named kafka-manager in FreeIPA LDAP on CentOS:

basicAuthentication.ldap.enabled=true
basicAuthentication.ldap.server="server.domain.local"
basicAuthentication.ldap.port=389
basicAuthentication.ldap.username="uid=admin,cn=users,cn=compat,dc=domain,dc=local"
basicAuthentication.ldap.password="******"
basicAuthentication.ldap.search-base-dn="dc=domain,dc=local"
basicAuthentication.ldap.search-filter="(&(uid=$capturedLogin$)(memberOf=cn=kafka-manager,cn=groups,cn=accounts,dc=domain,dc=local))"
basicAuthentication.ldap.connection-pool-size=10
basicAuthentication.ldap.ssl=false

For Windows Active Directory, replace uid=$capturedLogin$ with sAMAccountName=$capturedLogin$.

benjph, Dec 16 '19 16:12
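The search-filter mechanics this thread settles on, as an added Python example that is not CMAK's code: it renders `$capturedLogin$` into the filter template with RFC 4515 escaping of the login value, then evaluates the filter against a constructed in-memory directory (the entries, names and group DN are assumed, following the FreeIPA config above) to show that the `memberOf` conjunction is what keeps non-members out, while a bare `(uid=...)` filter returns a DN for anyone.

```python
# Added example (not CMAK's code). Renders the thread's search-filter template
# and evaluates it against a constructed directory; DNs and group are assumed.
import re

GROUP_DN = "cn=kafka-manager,cn=groups,cn=accounts,dc=domain,dc=local"
DIRECTORY = {  # constructed sample entries: alice is a member, bob is not
    "uid=alice,cn=users,cn=accounts,dc=domain,dc=local":
        {"uid": ["alice"], "memberOf": [GROUP_DN]},
    "uid=bob,cn=users,cn=accounts,dc=domain,dc=local":
        {"uid": ["bob"], "memberOf": []},
}
MEMBER_FILTER = "(&(uid=$capturedLogin$)(memberOf=%s))" % GROUP_DN
UID_ONLY_FILTER = "(uid=$capturedLogin$)"

def escape_filter_value(value):
    """RFC 4515 escaping: the login can only ever match one attribute value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def render_search_filter(template, login):
    """Substitute $capturedLogin$ as the CMAK config expects, escaped."""
    return template.replace("$capturedLogin$", escape_filter_value(login))

_TERM = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")

def parse_filter(flt):
    """Accept only the shapes used in the thread: (a=v) or (&(a=v)(b=w)...)."""
    inner = flt[2:-1] if flt.startswith("(&") and flt.endswith(")") else flt
    terms = _TERM.findall(inner)
    if not terms or "".join("(%s=%s)" % t for t in terms) != inner:
        raise ValueError("not a usable search filter: %r" % flt)
    return terms

def _unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)

def entry_matches(attrs, terms):
    """Case-insensitive equality on every term, attribute names included."""
    attrs = {k.lower(): [x.lower() for x in vs] for k, vs in attrs.items()}
    return all(_unescape(v).lower() in attrs.get(a.lower(), []) for a, v in terms)

def lookup_user_dn(template, login, directory=DIRECTORY):
    """Mimic CMAK's search: first matching DN, or None (seen as a login loop)."""
    terms = parse_filter(render_search_filter(template, login))
    for dn, attrs in directory.items():
        if entry_matches(attrs, terms):
            return dn
    return None
```

A bare DN such as the second filter obtix tried is rejected by `parse_filter`, since it is not a filter at all; that is the kind of misconfiguration the real search would simply fail on with no entry returned.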

@benjph Why not use the group filter for checking the group membership - https://github.com/yahoo/kafka-manager/blob/master/conf/application.conf#L54-L55

-srini

bseenu, Dec 16 '19 17:12

@bseenu I was not able to make it work properly even with the documentation example.

benjph, Dec 17 '19 09:12

The group filter does not work for me. Non-member users keep logging in. Using search-filter with a "memberOf" clause does the trick; only group members are able to log in.

dborysenko, Dec 17 '19 20:12

What I have seen is that if we use the tagged release 2.0.0.2 it did not work; I think this was tagged about 8 months ago in April. But if you clone from master it works.

-srini

bseenu, Dec 18 '19 00:12

Yea, makes sense, as the group filter has been implemented in PR #645, which was merged to master Oct 16. As @bseenu mentioned, tag 2.0.0.2 is dated Apr.

dborysenko, Dec 18 '19 00:12

I have tried the methods described above and still cannot get group-filtered login to work. Is there a better solution?

MargeDog, Apr 07 '20 03:04

I'm using v3.0.0.5 and this still doesn't work. It also would be nice if the logs printed out errors for LDAP. Is there a version where the group filter works and prints error logs?

atharvai, Aug 18 '20 16:08

Hi,

Don't know if it could help, but after 1 day of struggle with LDAP I'm finally able to restrict access to a group named kafka-manager in FreeIPA LDAP on CentOS:

basicAuthentication.ldap.enabled=true
basicAuthentication.ldap.server="server.domain.local"
basicAuthentication.ldap.port=389
basicAuthentication.ldap.username="uid=admin,cn=users,cn=compat,dc=domain,dc=local"
basicAuthentication.ldap.password="******"
basicAuthentication.ldap.search-base-dn="dc=domain,dc=local"
basicAuthentication.ldap.search-filter="(&(uid=$capturedLogin$)(memberOf=cn=kafka-manager,cn=groups,cn=accounts,dc=domain,dc=local))"
basicAuthentication.ldap.connection-pool-size=10
basicAuthentication.ldap.ssl=false

For Windows Active Directory, replace uid=$capturedLogin$ with sAMAccountName=$capturedLogin$.

Thank you! sAMAccountName=$capturedLogin$ worked for me.

yumupdate, Jul 07 '22 11:07