Graylog2 / graylog-plugin-auth-sso

SSO support for Graylog through trusted HTTP headers set by load balancers or authentication proxies

Added support to synchronize LDAP users when signing in using the SSO plugin #33

Closed gaspardpetit closed 6 years ago

gaspardpetit commented 7 years ago

This change requires graylog2-server 2.4 because of the following update: https://github.com/Graylog2/graylog2-server/commit/1e69090e305d22b4355266307b13f96f0397d754

The objective of this change is to synchronize users with LDAP when signing in or creating a user when LDAP is enabled. This makes it possible to store user information in LDAP (email, name, roles) and use SSO only for authentication.

This change should be integrated in a 2.4-snapshot branch and be merged only once graylog 2.4 is available.

githubkatten commented 7 years ago

Nice work! Will this work as this?

  1. A user is directed from a load balancer (F5) with a Kerberos ticket to Graylog. Only the username (no password) is propagated.
  2. The SSO plugin recognizes this user by looking it up in Graylog LDAP (AD)?
  3. According to the user's membership in certain AD groups, the user is tied to the Role stated in the Graylog LDAP settings.

BR Andreas
gaspardpetit commented 7 years ago

That's exactly how it works. Basically SSO for authentication, then LDAP for authorization.

This patch will start compiling/working once Graylog 2.4 is released. In the meantime, I also have a local patch that does the same thing on 2.3 but is utterly ugly: it duplicates the LDAP code inside the SSO plugin. If this is needed by others I will submit it online in my own branch.
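
An added illustration (not the plugin's or Graylog's own code) of the flow described above: the proxy asserts the identity in a trusted header, the directory supplies the user's attributes and group membership, and group membership maps to roles. The header name, the proxy address, the in-memory directory and the group-to-role map are all constructed assumptions.

```python
# Simulation of "SSO for authentication, LDAP for authorization".
# Everything below is constructed for illustration, not taken from the plugin.
from dataclasses import dataclass, field

TRUSTED_USER_HEADER = "X-Remote-User"   # assumption: header the proxy sets
TRUSTED_PROXIES = {"10.0.0.5"}          # assumption: only the load balancer may assert identity

# Constructed stand-in for the LDAP/AD directory: account name -> attributes
FAKE_DIRECTORY = {
    "andreas": {"mail": "andreas@example.org", "cn": "Andreas",
                "memberOf": ["GL-Admins", "GL-Readers"]},
    "bob": {"mail": "bob@example.org", "cn": "Bob", "memberOf": ["GL-Readers"]},
}

# Constructed AD group -> Graylog role mapping (the "LDAP settings" in the thread)
GROUP_ROLE_MAP = {"GL-Admins": "Admin", "GL-Readers": "Reader"}


@dataclass
class SyncedUser:
    username: str
    email: str
    full_name: str
    roles: set = field(default_factory=set)


def resolve_user(remote_addr, headers):
    """Authenticate via the trusted header, then authorize via directory groups.
    Returns a SyncedUser, or None when the request must be rejected."""
    # The identity header only means something when it comes from the proxy itself;
    # a client reaching the server directly could otherwise set it.
    if remote_addr not in TRUSTED_PROXIES:
        return None
    username = headers.get(TRUSTED_USER_HEADER, "").strip().lower()
    if not username:
        return None
    # No password is checked here: authentication already happened at the proxy.
    # The directory decides whether the account exists and what it may do.
    entry = FAKE_DIRECTORY.get(username)
    if entry is None:
        return None
    roles = {GROUP_ROLE_MAP[g] for g in entry["memberOf"] if g in GROUP_ROLE_MAP}
    if not roles:
        # Policy chosen for this example: a known account with no mapped group is denied
        return None
    return SyncedUser(username, entry["mail"], entry["cn"], roles)
```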

githubkatten commented 7 years ago

Hi! Great news! Thanks for the offer to make your patch available, but at our organization we will wait until 2.4 is released.

ahus1 commented 6 years ago

Hello @gaspardpetit - Graylog 2.4 has been released. Can you re-run the build and/or update the patch?

I'm looking forward to this being released.

Thanks!

gaspardpetit commented 6 years ago

Beware that the Graylog team plans on moving in a different direction with https://github.com/Graylog2/graylog2-server/issues/3968 - I am guessing plugins will have to provide different methods for authorization and authentication at some point. I think this separation is a better solution than the one I am providing, but it will take some time to put in place. Until then, this patch will be useful I think.

kroepke commented 6 years ago

I'll review this shortly, sorry for the delay

kroepke commented 6 years ago

Many thanks for your contribution!

Please note that the referenced issue will likely not be part of Graylog 3.0, so I expect this approach to work for quite a while.

kroepke commented 6 years ago

The binary release might take until tomorrow because of setup issues, I'll update here once done.

kroepke commented 6 years ago

Actually the release is already on https://github.com/Graylog2/graylog-plugin-auth-sso/releases/tag/2.4.1

Thanks again!

gaspardpetit commented 6 years ago

Much obliged and happy I could give some love back to this project. Cheers.

kroepke commented 6 years ago

@gaspardpetit FWIW we've discovered a build issue with changed vendor dependencies, which causes the SSO plugin 2.4.1 to fail with the server 2.4.0 version. We are investigating what happened, but will likely release server 2.4.1 in the coming days. If you build everything yourself, all the latest 2.4 branches should be compatible. Or you can wait for our official 2.4.1 release.