Closed JohnOmernik closed 7 years ago
This is my auth section:
auth {
  # available auth types are:
  # services.LocalAuthSrv : passwords are stored in user entity (in ElasticSearch). No configuration is required.
  # ad : use ActiveDirectory to authenticate users. Configuration is under "auth.ad" key
  # ldap : use LDAP to authenticate users. Configuration is under "auth.ldap" key
  type = [local,ldap]
  ad {
    # Domain Windows name using DNS format. This parameter is required.
    #domainFQDN = "mydomain.local"
    # Domain Windows name using short format. This parameter is required.
    #domainName = "MYDOMAIN"
    # Use SSL to connect to domain controller
    #useSSL = true
  }
  ldap {
    # LDAP server name or address. Port can be specified (host:port). This parameter is required.
    serverName = "openldap-shared.marathon.slave.mesos:389"
    # Use SSL to connect to directory server
    #useSSL = true
    # Account to use to bind on LDAP server. This parameter is required.
    bindDN = "cn=readonly,dc=marathon,dc=mesos"
    # Password of the binding account. This parameter is required.
    bindPW = "apassword"
    # Base DN to search users. This parameter is required.
    baseDN = "dc=marathon,dc=mesos"
    # Filter to search users; {0} is replaced by the user name. This parameter is required.
    #filter = "(cn={0})"
    #APPGROUP=hive_bhive_users
    filter = "(&(objectClass=posixAccount)(cn={0}))"
  }
}
Hi,
Did you create a user "myuser" in TheHive (menu "Admin" -> "Users")? LDAP manages only authentication. A user can connect to TheHive if authentication succeeds and if he is declared in TheHive database. The latter is required to retrieve his role.
No, I did not. I didn't see that in the docs. I did that and now it works. Thanks!
@JohnOmernik That's a good point. We are going to update the documentation accordingly.
This video shows a functional walkthrough of thehive4 with LDAP authentication.
LDAP Auth not working
Request Type
Bug
Work Environment
Problem Description
I am trying to authenticate to an OpenLDAP server. In the OpenLDAP logs, I see TheHive binding and then performing the search as expected (and returning the full DN); however, the TheHive logs show "user not found".
openldap logs:
58a4cfcf conn=1171520 fd=86 ACCEPT from IP=192.168.0.102:59600 (IP=0.0.0.0:389)
58a4cfcf conn=1171520 op=0 BIND dn="cn=readonly,dc=marathon,dc=mesos" method=128
58a4cfcf conn=1171520 op=0 BIND dn="cn=readonly,dc=marathon,dc=mesos" mech=SIMPLE ssf=0
58a4cfcf conn=1171520 op=0 RESULT tag=97 err=0 text=
58a4cfcf conn=1171520 op=1 SRCH base="dc=marathon,dc=mesos" scope=2 deref=3 filter="(&(objectClass=posixAccount)(cn=myuser))"
58a4cfcf conn=1171520 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
58a4cfcf conn=1171521 fd=87 ACCEPT from IP=192.168.0.102:59602 (IP=0.0.0.0:389)
58a4cfcf conn=1171521 op=0 BIND dn="cn=myuser,ou=users,ou=zetashared,dc=marathon,dc=mesos" method=128
58a4cfcf conn=1171521 op=0 BIND dn="cn=myuser,ou=users,ou=zetashared,dc=marathon,dc=mesos" mech=SIMPLE ssf=0
58a4cfcf conn=1171521 op=0 RESULT tag=97 err=0 text=
58a4cfcf conn=1171521 op=1 UNBIND
thehive logs:
[error] o.e.s.a.LdapAuthSrvFactory$LdapAuthSrv - LDAP authentication failure
org.elastic4play.NotFoundError: user myuser not found
    at org.elastic4play.database.DBGet$$anonfun$apply$3$$anonfun$apply$4.apply(DBGet.scala:39)
    at org.elastic4play.database.DBGet$$anonfun$apply$3$$anonfun$apply$4.apply(DBGet.scala:39)
    at scala.Option.fold(Option.scala:158)
    at org.elastic4play.database.DBGet$$anonfun$apply$3.apply(DBGet.scala:39)
    at org.elastic4play.database.DBGet$$anonfun$apply$3.apply(DBGet.scala:35)
    at scala.util.Success$$anonfun$map$1.apply(Try.scala:237)
    at scala.util.Try$.apply(Try.scala:192)
    at scala.util.Success.map(Try.scala:237)
    at scala.concurrent.Future$$anonfun$map$1.apply(Future.scala:237)
    at scala.concurrent.Future$$anonfun$map$1.apply(Future.scala:237)
[info] application - POST /api/login returned 401
org.elastic4play.AuthenticationError: Authentication failure
    at org.elastic4play.services.auth.MultiAuthSrv$$anonfun$authenticate$1.applyOrElse(MultiAuthSrv.scala:74)
    at org.elastic4play.services.auth.MultiAuthSrv$$anonfun$authenticate$1.applyOrElse(MultiAuthSrv.scala:74)
    at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:346)
    at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:345)
    at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:32)
    at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
    at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply$mcV$sp(BatchingExecutor.scala:91)
    at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:91)
    at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:91)
    at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:72)
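The slapd log above records the whole LDAP side of the login (bind as the service account, search for the user, bind again as the DN the search returned, all with err=0), which is why the maintainer's reply points at the missing user record in TheHive rather than at LDAP. The script below is an added example, not TheHive's code, that parses slapd log lines in that format, checks the three steps of the flow against the bindDN and filter from the quoted auth.ldap section, and then reports whether a failed login is an LDAP-side problem (bad service credentials, filter matching zero or several entries, wrong user password) or the application-side "user not declared" case from this issue. The sample log is the one quoted in the issue, split one record per line; the BIND_DN, FILTER_TEMPLATE and app_users values are assumptions taken from the configuration shown above.

```python
"""Added example, not TheHive code: parse slapd (OpenLDAP) log lines, check the
two-phase login flow they record (service bind, user search, bind as the found
user) and tell an LDAP-side failure from an application-side one."""
import re

# Constructed sample: the slapd lines quoted in the issue, one record per line.
SLAPD_LOG = """\
58a4cfcf conn=1171520 fd=86 ACCEPT from IP=192.168.0.102:59600 (IP=0.0.0.0:389)
58a4cfcf conn=1171520 op=0 BIND dn="cn=readonly,dc=marathon,dc=mesos" method=128
58a4cfcf conn=1171520 op=0 BIND dn="cn=readonly,dc=marathon,dc=mesos" mech=SIMPLE ssf=0
58a4cfcf conn=1171520 op=0 RESULT tag=97 err=0 text=
58a4cfcf conn=1171520 op=1 SRCH base="dc=marathon,dc=mesos" scope=2 deref=3 filter="(&(objectClass=posixAccount)(cn=myuser))"
58a4cfcf conn=1171520 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
58a4cfcf conn=1171521 fd=87 ACCEPT from IP=192.168.0.102:59602 (IP=0.0.0.0:389)
58a4cfcf conn=1171521 op=0 BIND dn="cn=myuser,ou=users,ou=zetashared,dc=marathon,dc=mesos" method=128
58a4cfcf conn=1171521 op=0 BIND dn="cn=myuser,ou=users,ou=zetashared,dc=marathon,dc=mesos" mech=SIMPLE ssf=0
58a4cfcf conn=1171521 op=0 RESULT tag=97 err=0 text=
58a4cfcf conn=1171521 op=1 UNBIND
"""

# Assumed values, copied from the auth.ldap section quoted in the issue.
BIND_DN = "cn=readonly,dc=marathon,dc=mesos"
FILTER_TEMPLATE = "(&(objectClass=posixAccount)(cn={0}))"

OP_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<body>.+)$")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^SRCH .*filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r"^(?:SEARCH )?RESULT tag=\d+ err=(?P<err>\d+)(?: nentries=(?P<n>\d+))?")


def parse_slapd(text):
    """Group slapd lines by (conn, op) and return the operations in log order."""
    ops, order = {}, []
    for line in text.splitlines():
        m = OP_RE.search(line)
        if m is None:
            continue  # ACCEPT / closed lines carry no op number
        key = (int(m["conn"]), int(m["op"]))
        if key not in ops:
            ops[key] = {"conn": key[0], "op": key[1], "kind": None,
                        "dn": None, "filter": None, "err": None, "nentries": None}
            order.append(key)
        rec, body = ops[key], m["body"]
        b, s, r = BIND_RE.match(body), SRCH_RE.match(body), RESULT_RE.match(body)
        if b:                # slapd logs each BIND twice (method=, then mech=)
            rec["kind"], rec["dn"] = "BIND", b["dn"]
        elif s:
            rec["kind"], rec["filter"] = "SRCH", s["filter"]
        elif r:              # RESULT / SEARCH RESULT carries the LDAP result code
            rec["err"] = int(r["err"])
            if r["n"] is not None:
                rec["nentries"] = int(r["n"])
        elif body.startswith("UNBIND"):
            rec["kind"] = "UNBIND"
    return [ops[k] for k in order]


def ldap_flow_status(ops, bind_dn, filter_template, login):
    """Pick out the three steps of the flow for one login attempt."""
    expected_filter = filter_template.replace("{0}", login)
    status = {"service_bind": None, "search": None, "user_dn": None, "user_bind": None}
    for rec in ops:
        if rec["kind"] == "BIND" and rec["dn"] == bind_dn:
            status["service_bind"] = rec["err"]            # 0 means success
        elif rec["kind"] == "SRCH" and rec["filter"] == expected_filter:
            status["search"] = (rec["err"], rec["nentries"])
        elif rec["kind"] == "BIND":                         # bind with the DN the search returned
            status["user_dn"], status["user_bind"] = rec["dn"], rec["err"]
    return status


def diagnose(slapd_log, bind_dn, filter_template, login, app_users):
    """Return where the login failed: 'ldap: ...', 'app: ...' or 'ok'."""
    st = ldap_flow_status(parse_slapd(slapd_log), bind_dn, filter_template, login)
    if st["service_bind"] != 0:
        return "ldap: service account bind failed (check bindDN/bindPW), err=%s" % st["service_bind"]
    if st["search"] is None or st["search"][0] != 0:
        return "ldap: user search failed (check baseDN/filter)"
    if st["search"][1] != 1:
        return "ldap: filter matched %s entries, expected exactly 1" % st["search"][1]
    if st["user_bind"] != 0:
        return "ldap: bind as %s failed (bad password?), err=%s" % (st["user_dn"], st["user_bind"])
    if login not in app_users:
        return ("app: LDAP authenticated %s as %s, but no such user is declared in TheHive "
                "(Admin -> Users), so no role can be resolved" % (login, st["user_dn"]))
    return "ok"


if __name__ == "__main__":
    # No local user declared: the situation reported in the issue.
    print(diagnose(SLAPD_LOG, BIND_DN, FILTER_TEMPLATE, "myuser", set()))
    # The same log once the user exists in TheHive.
    print(diagnose(SLAPD_LOG, BIND_DN, FILTER_TEMPLATE, "myuser", {"myuser"}))
```

Run it as-is and the first line reports the "app:" case from this issue; pass the set of users created under Admin -> Users as app_users to get "ok". Because the search is matched against the configured filter template, a login that the filter does not find (nentries=0) or that matches several entries is reported as an LDAP-side configuration problem rather than being confused with the missing-user case.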