rutauth authentication with LDAP authorisation

rutauth authentication with LDAP authorisation

Stephane Chazelas
Hello,

I've spent the last two days running in circles trying to solve
that and am getting nowhere.

I must be missing something obvious though, as what I'm trying to do seems
rather common and is documented at
http://books.sonatype.com/nexus-book/reference/remote-user.html

Basically, I've got an LDAP database. I want my users to
authenticate with SSL client certificates to Nexus (so the
authentication is done with Apache) and Nexus to know about my users
and their group membership from LDAP.

The apache authentication works OK. mod_proxy_http sets a
X-Proxy-Remote-User header based on the CN from the SSL
certificate before proxying to jetty.

rutauth "httpHeader" capability is set to that.

LDAP is fully configured, I've got some mappings between LDAP
groups and Nexus roles. For instance, the "it-administrators"
group has the "Nexus Administration" role.

When I don't use rutauth, LDAP works fine. I can authenticate as
an LDAP user and get the permissions corresponding to the groups
he is a member of, alright.

If I use rutauth, I can see the user authenticate alright in
nexus.log,

Authentication successful for token [org.sonatype.nexus.rutauth.internal.RutAuthAuthenticationToken - stephane (10.10.10.10)].  Returned account [stephane]

I can see successful queries to the LDAP server (for
the user and for the groups he's a member of), but then I see:

SecurityXmlUserManager - No user role mapping found for user: stephane
(even though that user is a member of several LDAP groups, some of
which are mapped to Nexus roles, like it-administrators above).

If I explicitly add a role mapping for that user, then it
works, but he only gets the roles set manually there, not the
ones from LDAP groups.

I must be missing something. Googling did help here.

I tried all sorts of different things like changing the order of
"realms", using "dynamic groups" vs "static groups", disabling
some realms to no avail, the server is in full TRACE mode.

Any help or any pointer to get me in the right direction would
be greatly appreciated.

Thanks,
Stephane


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
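The setup in this post trusts a single HTTP header to carry the authenticated identity, and a log line quoted further down the thread shows that rutauth builds a token whenever that header is present. The following is an added example, not code from the thread, from rutauth or from Apache: it models in Python what the proxy and the backend each have to enforce for that trust to be safe. It assumes mod_ssl's SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN_CN variable names, a proxy living in 10.10.10.0/24, and WSGI-style request dicts; the three sample requests are constructed.

```python
"""
Added example (not code from the thread, rutauth or Apache): the trust
boundary around a proxy-set remote-user header such as X-Proxy-Remote-User.

Two things must hold for that header to be safe to trust:
  1. the proxy drops any copy of the header the client itself sent, and
     sets it only from a verified client certificate;
  2. the backend accepts the header only from the trusted proxy address(es).
Requests are modelled as WSGI-style environ dicts. The proxy subnet and
the proxy address are assumptions made for this example.
"""
import ipaddress

HEADER_KEY = "HTTP_X_PROXY_REMOTE_USER"   # WSGI spelling of X-Proxy-Remote-User
# Assumption for the example: only this subnet hosts the Apache front end.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.10.0/24")]
PROXY_ADDR = "10.10.10.10"                 # assumed address of the proxy


def proxy_forward(environ: dict) -> dict:
    """Model of what the Apache front end must do before proxying to Jetty.

    Same intent as, in httpd terms, unsetting X-Proxy-Remote-User on the
    inbound request and then setting it from SSL_CLIENT_S_DN_CN only when
    the client certificate verified.
    """
    forwarded = dict(environ)
    forwarded.pop(HEADER_KEY, None)                 # never trust the client's copy
    verified = forwarded.get("SSL_CLIENT_VERIFY") == "SUCCESS"
    cn = forwarded.get("SSL_CLIENT_S_DN_CN", "")
    if verified and cn:
        forwarded[HEADER_KEY] = cn
    # Jetty sees the proxy, not the original client, as the peer address.
    forwarded["REMOTE_ADDR"] = PROXY_ADDR
    return forwarded


def backend_remote_user(environ: dict):
    """Return the asserted user, or None when no header is present.

    Raises PermissionError when the header arrives from an address that is
    not a trusted proxy. The thread's log line shows rutauth creating a
    token whenever the header is present, so this check has to live
    in front of it (firewall, bind address, or a filter like this one).
    """
    user = environ.get(HEADER_KEY)
    if user is None:
        return None
    peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", "0.0.0.0"))
    if not any(peer in net for net in TRUSTED_PROXIES):
        raise PermissionError(f"{HEADER_KEY} from untrusted peer {peer}")
    return user


# Constructed requests for the scenarios discussed in the thread.
CERT_REQUEST = {                     # legitimate: certificate verified by Apache
    "REMOTE_ADDR": "198.51.100.7",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN_CN": "stephane",
}
SPOOF_VIA_PROXY = {                  # client sends the header itself, no certificate
    "REMOTE_ADDR": "198.51.100.8",
    "SSL_CLIENT_VERIFY": "NONE",
    HEADER_KEY: "admin",
}
SPOOF_DIRECT_TO_JETTY = {            # bypasses Apache entirely
    "REMOTE_ADDR": "198.51.100.9",
    HEADER_KEY: "admin",
}


def scenario_results() -> dict:
    """Run the three constructed requests through the boundary."""
    results = {
        "cert_via_proxy": backend_remote_user(proxy_forward(CERT_REQUEST)),
        "spoof_via_proxy": backend_remote_user(proxy_forward(SPOOF_VIA_PROXY)),
    }
    try:
        backend_remote_user(SPOOF_DIRECT_TO_JETTY)
        results["spoof_direct"] = "accepted"
    except PermissionError:
        results["spoof_direct"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in scenario_results().items():
        print(f"{name}: {outcome}")
```

The first two scenarios are handled by the proxy stripping and re-setting the header; the third is the one a proxy cannot help with, which is why the Jetty port must not be reachable except from the proxy.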


Re: rutauth authentication with LDAP authorisation

Stephane Chazelas
2014-03-21 15:57:22 +0000, Stephane Chazelas:
[...]
> Basically, I've got a LDAP database. I want my users to
> authenticate with SSL client certificates to Nexus (so the
> authentication done with Apache) and nexus know about my users,
> their group membership from LDAP.
[...]

Sorry, forgot the version:

That's nexus OSS 2.7.2-03.



Re: rutauth authentication with LDAP authorisation

Stephane Chazelas
In reply to this post by Stephane Chazelas
2014-03-21 15:57:22 +0000, Stephane Chazelas:
[...]
> I can see successful queries to the LDAP server (for
> the user and for the groups he's a member of)
[...]

Though I've noticed that with rutauth enabled the user query is:

(&(&(objectClass=MyUserObjectClass)(myUid=stephane*))(mail=*))

(note the * after stephane above), which is not good as we've got, for instance,
some "john" and "john.doe" users.

While without rutauth, the query is:

(&(&(objectClass=MyUserObjectClass)(myUid=stephane))(mail=*))

In both cases, the query for group membership is the same though:
(&(objectClass=posixGroup)(&(cn=*)(uniqueMember=uid=stephane,ou=people,dc=mydomain,dc=com)))

Which is correct and returns the expected list of groups.

(I've not checked what happens though when the "stephane*"
query returns more than one user).

Cheers,
Stephane
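The two filters above differ only in the trailing *, but that is the difference between an exact lookup and a prefix match that can return several users. As an added example (not Nexus or rutauth code), the Python below builds that filter with RFC 4515 escaping of the header-supplied username, runs it against a small constructed in-memory directory containing stephane, john and john.doe, and fails closed unless exactly one entry matches. The attribute and object class names are the ones from the post; the entries, their mail addresses and the miniature filter evaluator are assumptions made for the example.

```python
"""
Added example (not Nexus or rutauth code): building the LDAP user lookup
filter from a header-supplied username with RFC 4515 escaping, and showing
why the trailing '*' seen in the thread is wrong.

The evaluator below is an in-memory stand-in for the directory. It supports
only the filter shapes that appear in the thread: (&...), (|...), equality,
and '*' substring/presence assertions. Entries are constructed.
"""
import re

OBJECT_CLASS = "MyUserObjectClass"   # names taken from the post
UID_ATTR = "myUid"
BASE = "ou=people,dc=mydomain,dc=com"


def ldap_escape(value: str) -> str:
    """Escape a value for use inside a filter assertion (RFC 4515 section 3)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def user_filter(uid: str, prefix: bool = False) -> str:
    """Lookup filter in the shape the post shows; prefix=True reproduces the bug."""
    value = ldap_escape(uid) + ("*" if prefix else "")
    return f"(&(&(objectClass={OBJECT_CLASS})({UID_ATTR}={value}))(mail=*))"


def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _parse(f: str, i: int):
    """Recursive-descent parse of the filter starting at f[i].

    Returns (predicate, index just past the parsed filter).
    """
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if f[i + 1] in "&|":
        combine = all if f[i + 1] == "&" else any
        children, i = [], i + 2
        while f[i] == "(":
            child, i = _parse(f, i)
            children.append(child)
        if f[i] != ")":
            raise ValueError("unterminated compound filter")
        return (lambda e: combine(c(e) for c in children)), i + 1
    j = f.index(")", i)          # ')' inside values is escaped, so this is the end
    attr, _, raw = f[i + 1:j].partition("=")
    # Split on unescaped '*' first, then unescape each literal piece.
    parts = [re.escape(_unescape(p)) for p in raw.split("*")]
    pattern = re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

    def pred(entry, attr=attr.lower(), pattern=pattern):
        return any(pattern.match(v) for v in entry.get(attr, []))

    return pred, j + 1


def search(filter_str: str, entries) -> list:
    """Return the DNs of entries matching filter_str."""
    pred, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [e["dn"] for e in entries if pred(e)]


def _entry(uid: str) -> dict:
    # Attribute names are stored lower-cased; LDAP attribute names are case-insensitive.
    return {
        "dn": f"uid={uid},{BASE}",
        "objectclass": [OBJECT_CLASS],
        "myuid": [uid],
        "mail": [f"{uid}@mydomain.com"],     # constructed
    }


DIRECTORY = [_entry("stephane"), _entry("john"), _entry("john.doe")]


def resolve_user(uid: str, entries=DIRECTORY) -> str:
    """Map a header-supplied username to exactly one DN, or fail closed."""
    hits = search(user_filter(uid), entries)
    if len(hits) != 1:
        raise LookupError(f"{uid!r} matched {len(hits)} entries, expected exactly 1")
    return hits[0]


if __name__ == "__main__":
    print(search(user_filter("john", prefix=True), DIRECTORY))   # john and john.doe
    print(search(user_filter("john"), DIRECTORY))                # john only
    print(search(user_filter("*"), DIRECTORY))                   # escaped: nothing
    print(resolve_user("stephane"))
```

Escaping matters here because the username comes from an HTTP header: without it, a header value of `*` or `john*` turns the lookup into a wildcard search, and with it those values simply match nobody.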



Re: rutauth authentication with LDAP authorisation

Jason Dillon-3
I believe Tamas has looked into this some, and created:

https://issues.sonatype.org/browse/NEXUS-6356
Hopefully Tamas can chime in with more details of investigation here.

Certainly looks like something isn’t quite right with the plugin impl though.

--jason


On March 25, 2014 at 2:48:22 AM, Stephane Chazelas ([hidden email]) wrote:
[...]


Re: rutauth authentication with LDAP authorisation

Tamás Cservenák
Hi Stephane,
as Jason pointed out, I tried to dig into this, and I see two problems here:

The first is captured in the issue already: a RUT request might match multiple different users, which is bad.
https://issues.sonatype.org/browse/NEXUS-6356

I had to interrupt the investigation of the 2nd part, where, while the user info does come from the relevant Realms, the authorization process still fails.
Will pick up this part today.


Thanks,
~t~

On Wed, Mar 26, 2014 at 11:57 PM, Jason Dillon <[hidden email]> wrote:
[...]


Re: rutauth authentication with LDAP authorisation

Tamás Cservenák
It seems all the problems are sorted out. But this also means that currently released RUT (2.7.2) will not work for authz if you intend to use LDAP as authz source...

Changes are here: https://github.com/sonatype/nexus-oss/pull/426

HTH,
~t~


On Thu, Mar 27, 2014 at 10:03 AM, Tamás Cservenák <[hidden email]> wrote:
[...]


Re: Re: rutauth authentication with LDAP authorisation

Stephane Chazelas
2014-03-27 17:15:55 +0100, Tamás Cservenák:
> It seems all the problems are sorted out. But this also means that
> currently released RUT (2.7.2) will not work for authz if you intend to use
> LDAP as authz source...
>
> Changes are here
> https://github.com/sonatype/nexus-oss/pull/426
[...]

Thanks Tamás,

I eventually managed to give it a try after coming back from
holidays. I updated to 2.8.0-05 which seems to include the fix.

However, I still can't make the authz part work. This time, I
see no LDAP query at all.

From the logs I see things like:

2014-04-28 12:17:15 DEBUG [qtp1575842015-47] *UNKNOWN org.sonatype.nexus.security.filter.authc.NexusAuthenticationFilter - Token 'org.sonatype.nexus.rutauth.internal.RutAuthAuthenticationToken - stephane (10.10.10.4)' created by RutAuthAuthenticationTokenFactory(creates authentication tokens if any of HTTP headers is present: [X-Proxy-Remote-User])
[...]
2014-04-28 12:17:15 TRACE [qtp1575842015-47] *UNKNOWN org.sonatype.security.authentication.FirstSuccessfulModularRealmAuthenticator - Iterating through [4] realms for PAM authentication
[...]
2014-04-28 12:17:15 DEBUG [qtp1575842015-47] *UNKNOWN org.sonatype.nexus.rutauth.internal.RutAuthRealm - No found principals for RUT user 'stephane'


That user works OK with LDAP authentication, but as soon as I send the X-Proxy-Remote-User header, it doesn't work.

Is there anything that I should be doing beside enabling rutauth, and set the capability? (BTW, I noticed the capabilities have moved from conf/capabilities.xml to some obscure format in a H2 database).

security.xml has:

<?xml version="1.0" encoding="UTF-8"?>
<security-configuration>
  <version>2.0.7</version>
  <anonymousUsername>anonymous</anonymousUsername>
  <anonymousPassword>***</anonymousPassword>
  <realms>
    <realm>NexusLdapAuthenticationRealm</realm>
    <realm>rutauth-realm</realm>
    <realm>XmlAuthorizingRealm</realm>
    <realm>XmlAuthenticatingRealm</realm>
  </realms>
  <hashIterations>1024</hashIterations>
</security-configuration>

The capabilities.xml file generated by the support tool has:

    <capability>
      <version>1</version>
      <id>425fc25b16732115</id>
      <typeId>rutauth</typeId>
      <properties>
        <property>
          <key>httpHeader</key>
          <value>X-Proxy-Remote-User</value>
        </property>
      </properties>
    </capability>

A role mapping for an LDAP group "stephane" is a member of:

  <roles>
    <role>
      <id>it-administrators</id>
      <name>it-administrators</name>
      <description>External mapping for it-administrators (LDAP)</description>
      <roles>
        <role>nx-admin</role>
      </roles>
    </role>
  </roles>


Any help would be greatly appreciated.

Cheers,
Stephane

[...]

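Added example, not Nexus code: an audit over nexus.log lines in the two shapes quoted in this thread (the RutAuthAuthenticationToken line and the "No found principals for RUT user" line). It extracts user and host from each token, flags tokens whose host is not a trusted proxy, and counts users the RUT realm could not resolve. It assumes the address in parentheses is the peer Jetty saw the request from and that the proxies live in 10.10.10.0/24; the sample lines are constructed from the ones in the thread, and the "admin" line from 198.51.100.9 is made up to show a flagged entry.

```python
"""
Added example (not Nexus code): audit RUT activity in nexus.log.

Assumptions: the host in 'RutAuthAuthenticationToken - user (host)' is the
peer address Jetty saw, and legitimate requests only arrive via proxies in
TRUSTED_PROXIES. The sample log is constructed for the example.
"""
import ipaddress
import re
from collections import Counter

TRUSTED_PROXIES = [ipaddress.ip_network("10.10.10.0/24")]   # assumption

# Shapes taken from the log lines quoted in the thread.
TOKEN_RE = re.compile(
    r"RutAuthAuthenticationToken - (?P<user>\S+) \((?P<host>[^)]+)\)"
)
NO_PRINCIPALS_RE = re.compile(r"No found principals for RUT user '(?P<user>[^']+)'")

SAMPLE_LOG = """\
2014-04-28 12:17:15 DEBUG [qtp1575842015-47] *UNKNOWN org.sonatype.nexus.security.filter.authc.NexusAuthenticationFilter - Token 'org.sonatype.nexus.rutauth.internal.RutAuthAuthenticationToken - stephane (10.10.10.4)' created by RutAuthAuthenticationTokenFactory(creates authentication tokens if any of HTTP headers is present: [X-Proxy-Remote-User])
2014-04-28 12:17:15 DEBUG [qtp1575842015-47] *UNKNOWN org.sonatype.nexus.rutauth.internal.RutAuthRealm - No found principals for RUT user 'stephane'
2014-04-28 12:18:02 DEBUG [qtp1575842015-48] *UNKNOWN org.sonatype.nexus.security.filter.authc.NexusAuthenticationFilter - Token 'org.sonatype.nexus.rutauth.internal.RutAuthAuthenticationToken - admin (198.51.100.9)' created by RutAuthAuthenticationTokenFactory(creates authentication tokens if any of HTTP headers is present: [X-Proxy-Remote-User])
Authentication successful for token [org.sonatype.nexus.rutauth.internal.RutAuthAuthenticationToken - stephane (10.10.10.10)].  Returned account [stephane]
"""


def host_is_trusted(host: str) -> bool:
    """True when host is an address inside one of the trusted proxy networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # a hostname rather than an address: treat as untrusted
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def audit(lines) -> dict:
    """Summarise RUT tokens: untrusted hosts, unresolved users, hosts per user."""
    report = {"untrusted": [], "no_principals": Counter(), "hosts_by_user": {}}
    for line in lines:
        m = TOKEN_RE.search(line)
        if m:
            user, host = m["user"], m["host"]
            report["hosts_by_user"].setdefault(user, set()).add(host)
            if not host_is_trusted(host):
                report["untrusted"].append((user, host))
            continue
        m = NO_PRINCIPALS_RE.search(line)
        if m:
            report["no_principals"][m["user"]] += 1
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_LOG.splitlines())
    for user, host in result["untrusted"]:
        print(f"RUT token for {user!r} from untrusted host {host}")
    for user, n in result["no_principals"].items():
        print(f"{user!r}: RUT realm found no principals {n} time(s)")
```

Run it over the real log with `audit(open("nexus.log"))`; a non-empty "untrusted" list means a remote-user header reached Jetty from somewhere other than the proxy, which is the bypass a header-based scheme has to rule out.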