TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

LDAP Auth not working #123

Closed JohnOmernik closed 7 years ago

JohnOmernik commented 7 years ago

LDAP Auth not working

Request Type

Bug

Work Environment

Question | Answer
OS version (server) | Ubuntu
OS version (client) | Ubuntu
TheHive version / git hash | 2.x, hash of the commit
Package Type | Binary

Problem Description

I am trying to authenticate to an openldap server. In the openldap logs, I see thehive binding and then performing the search as expected (and returning the full dn); however, thehive logs show "user not found".

openldap logs:

58a4cfcf conn=1171520 fd=86 ACCEPT from IP=192.168.0.102:59600 (IP=0.0.0.0:389)
58a4cfcf conn=1171520 op=0 BIND dn="cn=readonly,dc=marathon,dc=mesos" method=128
58a4cfcf conn=1171520 op=0 BIND dn="cn=readonly,dc=marathon,dc=mesos" mech=SIMPLE ssf=0
58a4cfcf conn=1171520 op=0 RESULT tag=97 err=0 text=
58a4cfcf conn=1171520 op=1 SRCH base="dc=marathon,dc=mesos" scope=2 deref=3 filter="(&(objectClass=posixAccount)(cn=myuser))"
58a4cfcf conn=1171520 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
58a4cfcf conn=1171521 fd=87 ACCEPT from IP=192.168.0.102:59602 (IP=0.0.0.0:389)
58a4cfcf conn=1171521 op=0 BIND dn="cn=myuser,ou=users,ou=zetashared,dc=marathon,dc=mesos" method=128
58a4cfcf conn=1171521 op=0 BIND dn="cn=myuser,ou=users,ou=zetashared,dc=marathon,dc=mesos" mech=SIMPLE ssf=0
58a4cfcf conn=1171521 op=0 RESULT tag=97 err=0 text=
58a4cfcf conn=1171521 op=1 UNBIND

thehive logs:

[error] o.e.s.a.LdapAuthSrvFactory$LdapAuthSrv - LDAP authentication failure
org.elastic4play.NotFoundError: user myuser not found
    at org.elastic4play.database.DBGet$$anonfun$apply$3$$anonfun$apply$4.apply(DBGet.scala:39)
    at org.elastic4play.database.DBGet$$anonfun$apply$3$$anonfun$apply$4.apply(DBGet.scala:39)
    at scala.Option.fold(Option.scala:158)
    at org.elastic4play.database.DBGet$$anonfun$apply$3.apply(DBGet.scala:39)
    at org.elastic4play.database.DBGet$$anonfun$apply$3.apply(DBGet.scala:35)
    at scala.util.Success$$anonfun$map$1.apply(Try.scala:237)
    at scala.util.Try$.apply(Try.scala:192)
    at scala.util.Success.map(Try.scala:237)
    at scala.concurrent.Future$$anonfun$map$1.apply(Future.scala:237)
    at scala.concurrent.Future$$anonfun$map$1.apply(Future.scala:237)
[info] application - POST /api/login returned 401
org.elastic4play.AuthenticationError: Authentication failure
    at org.elastic4play.services.auth.MultiAuthSrv$$anonfun$authenticate$1.applyOrElse(MultiAuthSrv.scala:74)
    at org.elastic4play.services.auth.MultiAuthSrv$$anonfun$authenticate$1.applyOrElse(MultiAuthSrv.scala:74)
    at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:346)
    at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:345)
    at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:32)
    at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
    at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply$mcV$sp(BatchingExecutor.scala:91)
    at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:91)
    at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:91)
    at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:72)
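When the directory log and the application log disagree like this, the first thing to pin down is what the directory actually did per connection: did the service account bind succeed, did the user search return exactly one entry, and did the user's own bind succeed. The following triage script is an added example, not code from TheHive or from the reporter; it parses the slapd lines quoted above (embedded inline as the sample) by grouping them on conn= and op=, and reports whether the directory side of the login completed for a given username. The field names it relies on (conn, op, dn, filter, err, nentries) are the ones visible in the log above.

```python
import re
from collections import defaultdict

# The slapd lines from the report above, embedded so the script runs offline.
SAMPLE_LOG = """\
58a4cfcf conn=1171520 fd=86 ACCEPT from IP=192.168.0.102:59600 (IP=0.0.0.0:389)
58a4cfcf conn=1171520 op=0 BIND dn="cn=readonly,dc=marathon,dc=mesos" method=128
58a4cfcf conn=1171520 op=0 BIND dn="cn=readonly,dc=marathon,dc=mesos" mech=SIMPLE ssf=0
58a4cfcf conn=1171520 op=0 RESULT tag=97 err=0 text=
58a4cfcf conn=1171520 op=1 SRCH base="dc=marathon,dc=mesos" scope=2 deref=3 filter="(&(objectClass=posixAccount)(cn=myuser))"
58a4cfcf conn=1171520 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
58a4cfcf conn=1171521 fd=87 ACCEPT from IP=192.168.0.102:59602 (IP=0.0.0.0:389)
58a4cfcf conn=1171521 op=0 BIND dn="cn=myuser,ou=users,ou=zetashared,dc=marathon,dc=mesos" method=128
58a4cfcf conn=1171521 op=0 BIND dn="cn=myuser,ou=users,ou=zetashared,dc=marathon,dc=mesos" mech=SIMPLE ssf=0
58a4cfcf conn=1171521 op=0 RESULT tag=97 err=0 text=
58a4cfcf conn=1171521 op=1 UNBIND
"""

# key=value tokens; a quoted value (dn="...", filter="...") is consumed whole so the
# '=' characters inside a DN or filter are not mistaken for separate keys.
TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
VERB = re.compile(r'\b(ACCEPT|BIND|SEARCH RESULT|RESULT|SRCH|UNBIND)\b')


def parse_line(line):
    """Return (operation keyword, {field: value}) for one slapd log line."""
    fields = {k: v.strip('"') for k, v in TOKEN.findall(line)}
    m = VERB.search(line)
    return (m.group(1) if m else None), fields


def summarize(log_text):
    """Group operations by connection and attach each RESULT to its BIND/SRCH."""
    conns = defaultdict(lambda: {"binds": [], "searches": []})
    pending = {}  # (conn, op) -> the record waiting for its RESULT line
    for line in log_text.splitlines():
        verb, f = parse_line(line)
        if verb is None or "conn" not in f:
            continue
        key = (f["conn"], f.get("op"))
        if verb == "BIND":
            if key in pending:      # slapd logs each BIND twice (method=, then mech=)
                continue
            pending[key] = {"dn": f.get("dn", ""), "err": None}
            conns[f["conn"]]["binds"].append(pending[key])
        elif verb == "SRCH":
            pending[key] = {"base": f.get("base", ""), "filter": f.get("filter", ""),
                            "err": None, "nentries": None}
            conns[f["conn"]]["searches"].append(pending[key])
        elif verb in ("RESULT", "SEARCH RESULT") and key in pending:
            pending[key]["err"] = int(f["err"])
            if "nentries" in f:
                pending[key]["nentries"] = int(f["nentries"])
    return dict(conns)


def directory_side_ok(summary, username):
    """True when the directory found exactly one entry for the user and the user's bind succeeded."""
    searches = (s for c in summary.values() for s in c["searches"])
    binds = (b for c in summary.values() for b in c["binds"])
    found = any(s["err"] == 0 and s["nentries"] == 1 and f"cn={username})" in s["filter"]
                for s in searches)
    bound = any(b["err"] == 0 and b["dn"].lower().startswith(f"cn={username.lower()},")
                for b in binds)
    return found and bound


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for conn, ops in sorted(summary.items()):
        print(conn, ops)
    # A True verdict here means the 401 is not a directory problem: look at the application's
    # own user store (which is exactly where this issue ended up).
    print("directory side ok for myuser:", directory_side_ok(summary, "myuser"))
```

If this returns True while the application still answers 401, the search filter, bind credentials and password are all fine and the fault lies after authentication, on the application's side.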

JohnOmernik commented 7 years ago

This is my auth section:

auth {
    # "type" parameter contains authentication provider. It can be multi-valued (useful for migration)
    # available auth types are:
    # services.LocalAuthSrv : passwords are stored in user entity (in ElasticSearch). No configuration are required.
    # ad : use ActiveDirectory to authenticate users. Configuration is under "auth.ad" key
    # ldap : use LDAP to authenticate users. Configuration is under "auth.ldap" key
    type = [local,ldap]

    ad {
        # Domain Windows name using DNS format. This parameter is required.
        #domainFQDN = "mydomain.local"

        # Domain Windows name using short format. This parameter is required.
        #domainName = "MYDOMAIN"

        # Use SSL to connect to domain controller
        #useSSL = true
    }

    ldap {
        # LDAP server name or address. Port can be specified (host:port). This parameter is required.
        serverName = "openldap-shared.marathon.slave.mesos:389"
        # Use SSL to connect to directory server
        #useSSL = true

        # Account to use to bind on LDAP server. This parameter is required.
        bindDN = "cn=readonly,dc=marathon,dc=mesos"

        # Password of the binding account. This parameter is required.
        bindPW = "apassword"

        # Base DN to search users. This parameter is required.
        baseDN = "dc=marathon,dc=mesos"

        # Filter to search user {0} is replaced by user name. This parameter is required.
        #filter = "(cn={0})"
        #APPGROUP=hive_bhive_users
        filter = "(&(objectClass=posixAccount)(cn={0}))"
    }
}

To-om commented 7 years ago

Hi,

Did you create a user "myuser" in TheHive (menu "Admin" -> "Users")? LDAP manages only authentication. A user can connect to TheHive if authentication succeeds and if he is declared in the TheHive database. The latter is required to retrieve his role.
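The split described in this answer, LDAP proving who the user is and the application's own user store deciding what they may do, is easy to model, and the model makes the reporter's symptom obvious: a correct password still yields a 401 when the second stage has no record for the user. The script below is an added example, not TheHive's code; the in-memory directory, the password values and the `ou=users,ou=zetashared` DN shape (taken from the report's log) are constructed stand-ins, and `users_missing_locally` is a hypothetical pre-rollout check rather than a TheHive feature.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

BASE_DN = "dc=marathon,dc=mesos"          # baseDN from the reporter's config
USER_OU = "ou=users,ou=zetashared"        # DN shape seen in the reporter's slapd log

# Constructed stand-in for the directory: cn -> password. A real deployment binds
# to the server with the bindDN account, searches the filter, then binds as the user.
DIRECTORY: Dict[str, str] = {"myuser": "correct horse", "other": "battery staple"}


@dataclass
class LoginResult:
    status: int
    reason: str
    role: Optional[str] = None


class TwoStageAuth:
    """Stage 1 authenticates against the directory; stage 2 authorises from the local store."""

    def __init__(self, directory: Dict[str, str], local_users: Dict[str, dict]):
        self.directory = directory
        self.local_users = local_users      # what TheHive's "Admin -> Users" menu populates

    def ldap_authenticate(self, username: str, password: str) -> Optional[str]:
        """Mimic search (&(objectClass=posixAccount)(cn={0})) followed by a user bind.

        Returns the user's DN on success, None on any failure."""
        stored = self.directory.get(username)
        if stored is None:
            return None                     # search returned nentries=0
        if not hmac.compare_digest(stored.encode(), password.encode()):
            return None                     # user bind rejected (err=49 on the server side)
        return f"cn={username},{USER_OU},{BASE_DN}"

    def login(self, username: str, password: str) -> LoginResult:
        dn = self.ldap_authenticate(username, password)
        if dn is None:
            return LoginResult(401, "Authentication failure")
        # Stage 2: the directory said yes, but the role comes from the local store only.
        user = self.local_users.get(username)
        if user is None:
            # This is the reporter's case: LDAP succeeded, yet the login is refused.
            return LoginResult(401, f"user {username} not found")
        return LoginResult(200, "ok", role=user["role"])

    def users_missing_locally(self):
        """Directory accounts that would authenticate but have no local record (hypothetical check)."""
        return sorted(u for u in self.directory if u not in self.local_users)


if __name__ == "__main__":
    auth = TwoStageAuth(DIRECTORY, {})
    print(auth.login("myuser", "correct horse"))     # 401, user myuser not found
    print(auth.users_missing_locally())              # ['myuser', 'other']
    auth.local_users["myuser"] = {"role": "read"}    # the fix: declare the user locally
    print(auth.login("myuser", "correct horse"))     # 200, role=read
```

Two consequences worth noting for operators: both failure modes return the same 401 to the client (only the server log distinguishes "Authentication failure" from "user not found"), and the local store is what grants the role, so provisioning and deprovisioning must happen there as well as in the directory.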

JohnOmernik commented 7 years ago

No, I did not. I didn't see that in the docs, I did that and now it works. Thanks!

saadkadhi commented 7 years ago

@JohnOmernik That's a good point. We are going to update the documentation accordingly.

alguerreiro commented 2 years ago

This video shows a functional walkthrough of thehive4 with LDAP authentication:

https://youtu.be/gJARc5h2KiY