From 0591b6ae01a3f19defb7395d8f11d7b84af5428f Mon Sep 17 00:00:00 2001
From: coutoPL
Date: Thu, 12 Sep 2024 21:45:50 +0200
Subject: [PATCH 1/2] wip

---
 ror-demo-cluster/conf/es/log4j2.properties | 5 +-
 ror-demo-cluster/conf/es/readonlyrest.yml | 27 ++++
 ror-demo-cluster/conf/ldap/example-com.ldif | 159 ++++++++++++++++++++
 ror-demo-cluster/docker-compose.yml | 14 ++
 4 files changed, 204 insertions(+), 1 deletion(-)
 create mode 100644 ror-demo-cluster/conf/ldap/example-com.ldif

diff --git a/ror-demo-cluster/conf/es/log4j2.properties b/ror-demo-cluster/conf/es/log4j2.properties
index b85f96d..fe8b597 100644
--- a/ror-demo-cluster/conf/es/log4j2.properties
+++ b/ror-demo-cluster/conf/es/log4j2.properties
@@ -79,4 +79,7 @@ appender.index_indexing_slowlog_rolling.policies.time.modulate=true
 logger.index_indexing_slowlog.name=index.indexing.slowlog.index
 logger.index_indexing_slowlog.level=trace
 logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling.ref=index_indexing_slowlog_rolling
-logger.index_indexing_slowlog.additivity=false
\ No newline at end of file
+logger.index_indexing_slowlog.additivity=false
+
+logger.ror_ldap.name=tech.beshu.ror.accesscontrol.blocks.definitions.ldap
+logger.ror_ldap.level=debug
diff --git a/ror-demo-cluster/conf/es/readonlyrest.yml b/ror-demo-cluster/conf/es/readonlyrest.yml
index a445880..5cdbc33 100644
--- a/ror-demo-cluster/conf/es/readonlyrest.yml
+++ b/ror-demo-cluster/conf/es/readonlyrest.yml
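Review bot: The new `logger.ror_ldap` entry switches the whole LDAP connector package to debug level, and at that level the connector's output is likely to carry bind DNs, user identifiers and search filters, so this setting belongs to the demo cluster only and should be labelled as such in the file. A comment above the two new lines would keep it from being copied into a real cluster's log4j2.properties: `# demo-only: verbose LDAP connector logging while troubleshooting the ldap service; drop before reusing this file elsewhere`. Restoring the trailing newline on the additivity line is a good cleanup.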
@@ -18,3 +18,30 @@ readonlyrest:
 verbosity: error
 auth_key: admin:admin
 kibana_access: admin
+
+ - name: "TEST"
+ ldap_authentication:
+ name: "ldap2"
+ ldap_authorization:
+ name: "ldap2"
+ groups_and: ["*"]
+
+ ldaps:
+
+ - name: ldap2
+ host: ldap
+ port: 389
+ ssl_enabled: false # default true
+ ssl_trust_all_certs: true # default false
+ bind_dn: "cn=admin,dc=example,dc=com" # skip for anonymous bind
+ bind_password: "password" # skip for anonymous bind
+ connection_pool_size: 10 # default 30
+ connection_timeout: 10s # default 1
+ request_timeout: 10s # default 1
+ cache_ttl: 60s # default 0 - cache disabled
+ search_user_base_DN: "dc=example,dc=com"
+ search_groups_base_DN: "dc=example,dc=com"
+ user_id_attribute: "uid"
+ unique_member_attribute: "uniqueMember"
+ group_search_filter: "(cn=*)"
+ group_name_attribute: "cn"
\ No newline at end of file
diff --git a/ror-demo-cluster/conf/ldap/example-com.ldif b/ror-demo-cluster/conf/ldap/example-com.ldif
new file mode 100644
index 0000000..e6bd374
--- /dev/null
+++ b/ror-demo-cluster/conf/ldap/example-com.ldif
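Review bot: The `ldap2` connector binds as the directory administrator (`bind_dn: "cn=admin,dc=example,dc=com"`) with a clear-text password over plain LDAP (`ssl_enabled: false`, `port: 389`), and `ssl_trust_all_certs: true` has no effect while TLS is off yet is exactly the line that gets copy-pasted into real deployments. For a demo that people imitate, a dedicated read-only bind account would model least privilege, the `ssl_trust_all_certs` line can go, and if TLS is wanted the compose service already publishes 636 (osixia/openldap ships a self-signed certificate by default, if I recall its configuration correctly). `bind_password` should at least carry a comment that it must match `LDAP_ADMIN_PASSWORD` in docker-compose.yml so the two do not drift. Minor style point: `- name: ldap2` is the only unquoted name in the new block while every other string value is quoted.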
@@ -0,0 +1,159 @@
+#################################
+#################################
+#################################
+# groups and peoples:
+# * group1: cartman, chandler
+# * group2: morgan, bilbo
+# * group3: morgan, cartman, chandler
+# * gAll: morgan, cartman, chandler, bilbo
+#
+# Regionss and gods:
+# * europe: jesus
+# * north america: jesus
+# * south america: jesus
+# * asia: allah
+# * africa: jesus, allah
+# * [no group]: spaghetti
+################################
+################################
+################################
+################################
+
+
+version: 1
+
+dn: ou=People,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: People
+
+dn: cn=Morgan Freeman,ou=People,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: Morgan Freeman
+sn: Freeman
+uid: morgan
+userPassword:: e1NNRDV9cTg2ZHlvbGRRRk5pZ04waVprMDgzYnZrVEY3bFdacFk=
+
+dn: cn=Eric Cartman,ou=People,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: Eric Cartman
+sn: Cartman
+uid: cartman
+userPassword:: e1NNRDV9czdnM0NVekVCMGQxMm5CM0N3VGFrQmp3K0VGMTE3cFg=
+
+dn: cn=Chanandler Bong,ou=People,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: Chanandler Bong
+sn: Bong
+uid: bong
+userPassword:: e1NIQX1zOXFuZTB3RXFWVWJoNEhRTVpIK0NZOHlYbWM9
+
+dn: cn=Bìlbö Bággįnš,ou=People,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: Bìlbö Bággįnš
+sn: Bìlbö Bággįnš
+uid: Bìlbö Bággįnš
+userPassword:: e1NNRDV9czdnM0NVekVCMGQxMm5CM0N3VGFrQmp3K0VGMTE3cFg=
+
+dn: cn=Danny DeVito,ou=People,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: Danny DeVito
+sn: DeVito
+uid: devito
+userPassword:: e1NNRDV9czdnM0NVekVCMGQxMm5CM0N3VGFrQmp3K0VGMTE3cFg=
+
+dn: ou=Groups,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: Groups
+
+dn: cn=group1,ou=Groups,dc=example,dc=com
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: group1
+o: Group 1
+uniqueMember: cn=Eric Cartman,ou=People,dc=exammple,dc=com
+uniqueMember: cn=Chanandler Bong,ou=People,dc=example,dc=com
+
+dn: cn=group2 (my),ou=Groups,dc=example,dc=com
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: group2 (my)
+o: Group 2
+uniqueMember: cn=Morgan Freeman,ou=People,dc=example,dc=com
+uniqueMember: cn=Bìlbö Bággįnš,ou=People,dc=example,dc=com
+
+dn: cn=group3,ou=Groups,dc=example,dc=com
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: group3
+o: Group 3
+uniqueMember: cn=Chanandler Bong,ou=People,dc=example,dc=com
+uniqueMember: cn=Eric Cartman,ou=People,dc=example,dc=com
+uniqueMember: cn=Morgan Freeman,ou=People,dc=example,dc=com
+
+dn: cn=groupAll,ou=Groups,dc=example,dc=com
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: groupAll
+o: Group All
+uniqueMember: cn=Chanandler Bong,ou=People,dc=example,dc=com
+uniqueMember: cn=Eric Cartman,ou=People,dc=example,dc=com
+uniqueMember: cn=Morgan Freeman,ou=People,dc=example,dc=com
+uniqueMember: cn=Bìlbö Bággįnš,ou=People,dc=example,dc=com
+
+dn: ou=Gods,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: Gods
+
+dn: cn=Jesus Christ,ou=Gods,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: Jesus Christ
+sn: Jesus
+uid: jesus
+userPassword:: e1NNRDV9cTg2ZHlvbGRRRk5pZ04waVprMDgzYnZrVEY3bFdacFk=
+title: cn=europe,ou=Regions,dc=example,dc=com
+title: cn=north america,ou=Regions,dc=example,dc=com
+title: cn=south america,ou=Regions,dc=example,dc=com
+title: cn=africa,ou=Regions,dc=example,dc=com
+
+dn: cn=Allah,ou=Gods,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: Allah
+sn: Allah
+uid: allah
+userPassword:: e1NNRDV9czdnM0NVekVCMGQxMm5CM0N3VGFrQmp3K0VGMTE3cFg=
+title: cn=asia,ou=Regions,dc=example,dc=com
+title: cn=africa,ou=Regions,dc=example,dc=com
+
+dn: cn=Spaghetti Monster,ou=Gods,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: Spaghetti Monster
+sn: Spaghetti
+uid: spaghetti
+userPassword:: e1NNRDV9czdnM0NVekVCMGQxMm5CM0N3VGFrQmp3K0VGMTE3cFg=
\ No newline at end of file
diff --git a/ror-demo-cluster/docker-compose.yml b/ror-demo-cluster/docker-compose.yml
index dfaf804..f722ae8 100644
--- a/ror-demo-cluster/docker-compose.yml
+++ b/ror-demo-cluster/docker-compose.yml
@@ -61,6 +61,20 @@ services:
 soft: -1
 hard: -1
 
+ ldap:
+ image: osixia/openldap:1.3.0
+ command: [--copy-service]
+ volumes:
+ - ./conf/ldap/example-com.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/example-com.ldif
+ ports:
+ - "389:389"
+ - "636:636"
+ environment:
+ - LDAP_ADMIN_PASSWORD=password
+ - LDAP_DOMAIN=example.com
+ networks:
+ - es-ror-network
+
 networks:
 es-ror-network:
 driver: bridge
From fdf33dffd7a74f65d0a03e9cb535842db41bcdf8 Mon Sep 17 00:00:00 2001
From: coutoPL
Date: Mon, 16 Sep 2024 21:37:13 +0200
Subject: [PATCH 2/2] wip

---
 ror-demo-cluster/conf/es/readonlyrest.yml | 3 +-
 ror-demo-cluster/conf/ldap/example-com.ldif | 73 ++------------------
 2 files changed, 7 insertions(+), 69 deletions(-)

diff --git a/ror-demo-cluster/conf/es/readonlyrest.yml b/ror-demo-cluster/conf/es/readonlyrest.yml
index 5cdbc33..4a1828f 100644
--- a/ror-demo-cluster/conf/es/readonlyrest.yml
+++ b/ror-demo-cluster/conf/es/readonlyrest.yml
@@ -44,4 +44,5 @@ readonlyrest:
 user_id_attribute: "uid"
 unique_member_attribute: "uniqueMember"
 group_search_filter: "(cn=*)"
- group_name_attribute: "cn"
\ No newline at end of file
+ group_name_attribute: "cn"
+ nested_groups_depth: 3
\ No newline at end of file
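Review bot: `uniqueMember: cn=Eric Cartman,ou=People,dc=exammple,dc=com` in the `group1` entry misspells the base DN, so that member DN matches no entry and cartman is never resolved as a group1 member even though the header comment lists him there; the same line survives as context in PATCH 2/2's `@@ -82,18 +60,19 @@` hunk, so it needs fixing there too: `uniqueMember: cn=Eric Cartman,ou=People,dc=example,dc=com`. The `userPassword` values use the `{SMD5}` and `{SHA}` schemes and five entries (Cartman, Bìlbö, DeVito, Allah, Spaghetti) share one identical `{SMD5}` hash, which is acceptable for throwaway demo accounts but a `{SSHA}` hash, or the strongest scheme the slapd build offers, would model what a real directory should contain. The header also names `chandler` as a member while the entry's `uid` is `bong`; a one-line comment at the Chanandler Bong entry stating which uid the groups refer to would avoid confusion while the header exists.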
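Review bot: The `ldap` service publishes `"389:389"` and `"636:636"` on every host interface, although Elasticsearch reaches it over `es-ror-network` by service name, so the host publication is unnecessary for the demo and exposes a directory whose admin password is fixed to `password` in the same file. Either drop the `ports:` block or bind it to loopback, `- "127.0.0.1:389:389"` and `- "127.0.0.1:636:636"`, so only local tooling can reach the container. `LDAP_ADMIN_PASSWORD=password` duplicates `bind_password` in conf/es/readonlyrest.yml; a comment on this line such as `# must match ldaps[].bind_password in conf/es/readonlyrest.yml` keeps the two from drifting. Pinning `osixia/openldap:1.3.0` rather than a floating tag is the right call.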
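Review bot: `nested_groups_depth: 3` arrives without the explanatory comment the tuning knobs above it (`connection_pool_size`, `cache_ttl`) carry, and nothing says why 3 when the demo LDIF in this same patch nests only one level (`group1 (nested)` → `group3` → users); a comment such as `# depth of group-in-group resolution; the demo LDIF nests one level (group1 (nested) -> group3)` would record the intent. The file still ends without a trailing newline on the new side (`\ No newline at end of file` after `nested_groups_depth`), which PATCH 1/2 already fixed for log4j2.properties, so it is worth doing the same here while touching the last line.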
diff --git a/ror-demo-cluster/conf/ldap/example-com.ldif b/ror-demo-cluster/conf/ldap/example-com.ldif
index e6bd374..c18e15f 100644
--- a/ror-demo-cluster/conf/ldap/example-com.ldif
+++ b/ror-demo-cluster/conf/ldap/example-com.ldif
@@ -1,25 +1,3 @@
-#################################
-#################################
-#################################
-# groups and peoples:
-# * group1: cartman, chandler
-# * group2: morgan, bilbo
-# * group3: morgan, cartman, chandler
-# * gAll: morgan, cartman, chandler, bilbo
-#
-# Regionss and gods:
-# * europe: jesus
-# * north america: jesus
-# * south america: jesus
-# * asia: allah
-# * africa: jesus, allah
-# * [no group]: spaghetti
-################################
-################################
-################################
-################################
-
-
 version: 1
 
 dn: ou=People,dc=example,dc=com
@@ -82,18 +60,19 @@ objectClass: top
 objectClass: organizationalUnit
 ou: Groups
 
-dn: cn=group1,ou=Groups,dc=example,dc=com
+dn: cn=group1 (nested),ou=Groups,dc=example,dc=com
 objectClass: top
 objectClass: groupOfUniqueNames
-cn: group1
+cn: group1 (nested)
 o: Group 1
 uniqueMember: cn=Eric Cartman,ou=People,dc=exammple,dc=com
 uniqueMember: cn=Chanandler Bong,ou=People,dc=example,dc=com
+uniqueMember: cn=group3,ou=Groups,dc=example,dc=com
 
-dn: cn=group2 (my),ou=Groups,dc=example,dc=com
+dn: cn=AAA-BBB-Cccccc Dddd (Eeeee),ou=Groups,dc=example,dc=com
 objectClass: top
 objectClass: groupOfUniqueNames
-cn: group2 (my)
+cn: AAA-BBB-Cccccc Dddd (Eeeee)
 o: Group 2
 uniqueMember: cn=Morgan Freeman,ou=People,dc=example,dc=com
 uniqueMember: cn=Bìlbö Bággįnš,ou=People,dc=example,dc=com
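Review bot: With the descriptive header deleted earlier in this same patch, nothing in the LDIF explains that `group1 (nested)` is now a group-of-groups whose new `uniqueMember: cn=group3,ou=Groups,dc=example,dc=com` makes morgan an indirect member next to the direct ones, which is presumably what `nested_groups_depth` in readonlyrest.yml is meant to exercise. A comment above the entry, `# nested: group3's members (morgan, cartman, bong) become indirect members of this group`, keeps the fixture self-explaining. The renamed `AAA-BBB-Cccccc Dddd (Eeeee)` group likewise deserves one line saying that spaces, hyphens and parentheses in `cn` are intentional, if that is the test intent.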
@@ -114,46 +93,4 @@ cn: groupAll
 o: Group All
 uniqueMember: cn=Chanandler Bong,ou=People,dc=example,dc=com
 uniqueMember: cn=Eric Cartman,ou=People,dc=example,dc=com
-uniqueMember: cn=Morgan Freeman,ou=People,dc=example,dc=com
 uniqueMember: cn=Bìlbö Bággįnš,ou=People,dc=example,dc=com
-
-dn: ou=Gods,dc=example,dc=com
-objectClass: top
-objectClass: organizationalUnit
-ou: Gods
-
-dn: cn=Jesus Christ,ou=Gods,dc=example,dc=com
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: Jesus Christ
-sn: Jesus
-uid: jesus
-userPassword:: e1NNRDV9cTg2ZHlvbGRRRk5pZ04waVprMDgzYnZrVEY3bFdacFk=
-title: cn=europe,ou=Regions,dc=example,dc=com
-title: cn=north america,ou=Regions,dc=example,dc=com
-title: cn=south america,ou=Regions,dc=example,dc=com
-title: cn=africa,ou=Regions,dc=example,dc=com
-
-dn: cn=Allah,ou=Gods,dc=example,dc=com
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: Allah
-sn: Allah
-uid: allah
-userPassword:: e1NNRDV9czdnM0NVekVCMGQxMm5CM0N3VGFrQmp3K0VGMTE3cFg=
-title: cn=asia,ou=Regions,dc=example,dc=com
-title: cn=africa,ou=Regions,dc=example,dc=com
-
-dn: cn=Spaghetti Monster,ou=Gods,dc=example,dc=com
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: Spaghetti Monster
-sn: Spaghetti
-uid: spaghetti
-userPassword:: e1NNRDV9czdnM0NVekVCMGQxMm5CM0N3VGFrQmp3K0VGMTE3cFg=
\ No newline at end of file