我在 opendistro 上使用 openldap 和 docker 进行 elasticsearch 时出现此错误:
elasticsearch | [2019-07-31T12:48:42,590][WARN ][c.a.o.s.a.BackendRegistry] [28da1860f0c0] Authentication finally failed for cn=admin,dc=example,dc=com from 192.168.64.1:58682
elasticsearch | [2019-07-31T12:48:43,430][WARN ][c.a.o.s.a.BackendRegistry] [28da1860f0c0] Authentication finally failed for kibanaserver from 192.168.64.2:39506
这是我的docker-compose:
version: '2.2'
services:
example.com:
image: osixia/openldap:1.2.4
container_name: example.com
environment:
#LDAP_ORGANISATION: # Organisation name. Defaults to Example Inc.
LDAP_DOMAIN: example.com #Ldap domain. Defaults to example.org
LDAP_BASE_DN: "" #Ldap base DN. If empty automatically set from LDAP_DOMAIN value. Defaults to (empty)
#LDAP_ADMIN_PASSWORD Ldap Admin password. Defaults to admin
ports:
- "389:389"
- "636:636"
networks:
- esnet
phpldapadmin:
image: osixia/phpldapadmin:latest
container_name: phpldapadmin
environment:
PHPLDAPADMIN_LDAP_HOSTS: "example.org"
PHPLDAPADMIN_HTTPS: "false"
ports:
- "8080:80"
depends_on:
- example.com
networks:
- esnet
elasticsearch:
image: amazon/opendistro-for-elasticsearch:1.0.2
container_name: elasticsearch
environment:
- cluster.name=docker-cluster
- bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
- "ES_JAVA_OPTS=-Xms1024m -Xmx1024m" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
- discovery.type=single-node
ulimits:
memlock:
soft: -1
hard: -1
volumes:
- esdata1:/usr/share/elasticsearch/data
- ./elasticsearch/config.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
ports:
- 9200:9200
- 9600:9600
networks:
esnet:
aliases:
- node-0.example.com
kibana:
image: amazon/opendistro-for-elasticsearch-kibana:1.0.2
container_name: kibana
volumes:
- ./kibana/kibana.yml:/usr/share/kibana/config/kibana.yml:ro
ports:
- 5601:5601
expose:
- "5601"
environment:
ELASTICSEARCH_HOSTS: https://elasticsearch:9200
networks:
- esnet
这是我的 config.yml:
_meta:
type: "config"
config_version: 2
config:
dynamic:
http:
anonymous_auth_enabled: false
xff:
enabled: false
internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
authc:
basic_internal_auth_domain:
description: "Authenticate via HTTP Basic against internal users database"
http_enabled: false
transport_enabled: false
order: 4
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: intern
ldap:
description: "Authenticate via LDAP or Active Directory"
http_enabled: true
transport_enabled: true
order: 5
http_authenticator:
type: basic
challenge: true
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- example.com:389
bind_dn: "cn=admin,dc=example,dc=com"
password: "admin"
userbase: 'ou=people,dc=example,dc=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: '(sAMAccountName={0})'
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: null
authz:
roles_from_myldap:
description: "Authorize via LDAP or Active Directory"
http_enabled: false
transport_enabled: false
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
rolebase: 'ou=groups,dc=example,dc=com'
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: '(member={0})'
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
userrolename: disabled
resolve_nested_roles: true
userbase: 'ou=people,dc=example,dc=com'
roles_from_another_ldap:
description: "Authorize via another Active Directory"
http_enabled: false
transport_enabled: false
authorization_backend:
type: ldap
我还必须启用 authz,但我可以在使用 ldap 凭据在 elasticsearch 上成功验证自己身份后再执行此操作,我尝试查询此 ldap 用户:
docker exec example.com ldapsearch -x -H ldap://localhost -b dc=example,dc=com -D "cn=admin,dc=example,dc=com" -w admin
我得到:
extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Inc.
dc: example
# admin, example.com
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9QnJDbHdTYnRRb3dHazJiQlB6MTF3R29MS3dFVmxmZUk=
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
这是我的 kibana.yml
server.name: kibana
server.host: "0"
elasticsearch.hosts: https://localhost:9200
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
从这里开始,它需要 kibanaserver 用户
有人能提供一些提示吗?我应该使用哪个凭证?谢谢大家,谨致问候
答案1
您有 ldap 服务器吗?ldap 服务器在哪里?在您的本地计算机上吗?
更改身份验证配置文件中主机的参数,其中有此 example.com:389