OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Errors logging in with LDAP when using Role mapping #1841

Open blauter opened 2 years ago

blauter commented 2 years ago

After adding role mapping and group base/filter to my ldap config in docker compose file, authentication no longer works.

    environment:
      - PROVIDERS__LDAP__STRATEGY=LdapStrategy
      - PROVIDERS__LDAP__CONFIG__URL=ldap://ldap-server
      - PROVIDERS__LDAP__CONFIG__BIND_DN=CN=XXX,OU=XXX,OU=XXX,DC=XX,DC=XX,DC=XXX,DC=XXX
      - PROVIDERS__LDAP__CONFIG__BIND_CREDENTIALS=xxxxxxxxxx
      - PROVIDERS__LDAP__CONFIG__SEARCH_BASE=dc=XX,dc=XX,dc=XXX,dc=XXX
      - PROVIDERS__LDAP__CONFIG__SEARCH_FILTER=(sAMAccountName={{username}})
      - PROVIDERS__LDAP__CONFIG__MAIL_ATTRIBUTE=mail
      - PROVIDERS__LDAP__CONFIG__ALLOW_SELF_SIGNED=true
      - PROVIDERS__LDAP__CONFIG__ROLES_MANAGEMENT__GROUP_ATTRIBUTE=cn
      - PROVIDERS__LDAP__CONFIG__ROLES_MANAGEMENT__GROUPS_MAPPING=[\"XXX_OPENCTI_Admins:Administrator\", \"XXX_OPENCTI_Users:Default\"]
      - PROVIDERS__LDAP__CONFIG__GROUP_SEARCH_BASE=dc=XX,dc=XX,dc=XXX,dc=XXX
      - PROVIDERS__LDAP__CONFIG__GROUP_SEARCH_FILTER=(member={{dn}})
      - PROVIDERS__LOCAL__STRATEGY=LocalStrategy

Here is the error I am seeing, which made me think it was something with my PROVIDERS__LDAP__CONFIG__ROLES_MANAGEMENT__GROUPS_MAPPING environment variable, but I am not sure:

/opt/opencti/build/src/config/providers.js:117
    elements.map((r) => {
             ^
TypeError: elements.map is not a function
    at genConfigMapper (/opt/opencti/build/src/config/providers.js:117:14)
    at computeRolesMapping (/opt/opencti/build/src/config/providers.js:167:31)
    at Strategy.verify (/opt/opencti/build/src/config/providers.js:170:34)
    at Strategy.<anonymous> (/opt/opencti/node_modules/passport-ldapauth/lib/passport-ldapauth/strategy.js:316:21)
    at /opt/opencti/node_modules/ldapauth-fork/lib/ldapauth.js:430:18
    at /opt/opencti/node_modules/ldapauth-fork/lib/ldapauth.js:373:5
    at CorkedEmitter.<anonymous> (/opt/opencti/node_modules/ldapauth-fork/lib/ldapauth.js:281:16)
    at CorkedEmitter.emit (node:events:394:28)
    at CorkedEmitter.emit (/opt/opencti/node_modules/ldapjs/lib/corked_emitter.js:44:33)
    at sendResult (/opt/opencti/node_modules/ldapjs/lib/client/client.js:1192:22)
    at messageCallback (/opt/opencti/node_modules/ldapjs/lib/client/client.js:1220:16)
    at Parser.onMessage (/opt/opencti/node_modules/ldapjs/lib/client/client.js:886:14)
    at Parser.emit (node:events:394:28)
    at Parser.write (/opt/opencti/node_modules/ldapjs/lib/messages/parser.js:107:8)
    at end (/opt/opencti/node_modules/ldapjs/lib/messages/parser.js:62:36)
    at Parser.write (/opt/opencti/node_modules/ldapjs/lib/messages/parser.js:108:10)
richard-julien commented 2 years ago

Hi @blauter,

Not sure, but according to the documentation it should be:

"PROVIDERS__LDAP__CONFIG__ROLES_MANAGEMENT__GROUPS_MAPPING=[\"XXX_OPENCTI_Admins:Administrator\", \"XXX_OPENCTI_Users:Default\"]"

Env vars holding a list must be wrapped in global double quotes.
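
An added illustration (not OpenCTI's own code) of why the global quotes matter: the two constructed values below are what docker-compose hands to the container for the unquoted and the quoted form (an unquoted YAML scalar keeps the `\"` backslashes literally, a double-quoted one resolves them), and a loader that checks for an array reports a clear configuration error instead of crashing with `elements.map is not a function`. The JSON-first-then-raw-string parsing is an assumption about the loader, not a description of OpenCTI's internals.

```javascript
// Constructed values, as they would reach process.env after docker-compose parses
// the YAML list item. Unquoted: the backslashes survive, so this is not valid JSON.
const UNQUOTED_ENV = '[\\"XXX_OPENCTI_Admins:Administrator\\", \\"XXX_OPENCTI_Users:Default\\"]';
// Quoted: YAML resolves the \" escapes, so the value is a valid JSON array.
const QUOTED_ENV = '["XXX_OPENCTI_Admins:Administrator", "XXX_OPENCTI_Users:Default"]';

// Assumed loader behaviour: try JSON first, otherwise keep the raw string.
// This is exactly the path that turns a mis-quoted list into a plain string.
function parseEnvValue(raw) {
  try {
    return JSON.parse(raw);
  } catch (e) {
    return raw;
  }
}

// Builds { ldapGroup: opencti_role } from "group:role" entries, validating the
// shape of the value before touching .map()/.forEach() on it.
function buildGroupsMapping(value) {
  if (!Array.isArray(value)) {
    throw new Error(
      `GROUPS_MAPPING must be a JSON array of "group:role" strings, got ${typeof value}: ${JSON.stringify(value)}`
    );
  }
  const mapping = {};
  for (const entry of value) {
    const sep = typeof entry === 'string' ? entry.indexOf(':') : -1;
    if (sep < 0) {
      throw new Error(`GROUPS_MAPPING entry ${JSON.stringify(entry)} is not in "group:role" form`);
    }
    mapping[entry.slice(0, sep)] = entry.slice(sep + 1);
  }
  return mapping;
}

// Resolves the roles granted by the groups a user belongs to. Group names are
// compared by CN here, matching GROUP_ATTRIBUTE=cn in the issue's config.
function rolesForGroups(mapping, userGroups) {
  return userGroups.filter((g) => g in mapping).map((g) => mapping[g]);
}

// Runs the full path for one raw env value and reports success or the error text.
function demo(rawEnv) {
  const parsed = parseEnvValue(rawEnv);
  try {
    return { ok: true, mapping: buildGroupsMapping(parsed) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```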

blauter commented 2 years ago

Thank you @richard-julien. I am no longer getting the error, but I am still unable to log in.

I confirmed that I see XXX_OPENCTI_Admins in the response under memberOf. Just to confirm: in the role mapping, I should be using the CN of the AD group and not the DN? In the memberOf attribute, I see it has the DN.

Here are the errors I am seeing right after I see the user object returned in the log.

{"category":"APP","error":{"message":"Restricted access, ask your administrator"},"level":"warn","message":"[AUTH] ldapauth","timestamp":"2022-01-29T00:28:39.588Z","version":"5.1.3"}
{"auth":{"email":"userxx","ip":"x.x.xxx.xxx","referer":"http://xxxxx:8080/dashboard"},"category":"AUDIT","level":"error","message":"LOGIN","resource":{"provider":"ldapauth"},"timestamp":"2022-01-29T00:28:39.588Z","version":"5.1.3"}
{"category":"APP","error":{"data":{"category":"technical","http_status":401},"stacktrace":["AuthFailure: Wrong name or password","at error (/opt/opencti/build/src/config/errors.js:8:10)","at AuthenticationFailure (/opt/opencti/build/src/config/errors.js:13:3)","at AuthDirective.token (/opt/opencti/build/src/resolvers/user.js:117:13)","at runMicrotasks (<anonymous>)","at processTicksAndRejections (node:internal/process/task_queues:96:5)"]},"inner_relation_creation":0,"level":"warn","message":"API Call","operation":"LoginFormMutation","operation_query":"mutation LoginFormMutation($input:UserLoginInput!){token(input:$input)}","size":54,"time":58,"timestamp":"2022-01-29T00:28:39.591Z","type":"WRITE_ERROR","version":"5.1.3"}
blauter commented 2 years ago

[Screenshot attached: 2022-01-28_20-18-01]

Here is the line right above.

richard-julien commented 2 years ago

Hi @blauter, in the code I try to get the information from the "_groups" attribute. In your screenshot we can see that the _groups list of the user is empty. I'm not an LDAP expert, so maybe fetching the groups inside this attribute is not always the right thing to do. Please ping me on the Slack channel to discuss the problem.