Jumpcloud with SSL

Hi,

I am using JumpCloud with SSL as my ldap service.

I can use the ldapsearch command against JumpCloud and get the expected results.

My problem is that when I browse to kibana:5601 or elasticsearch:9200, I get this error:
[WARN ][c.a.o.s.a.BackendRegistry] [ip-10-31-7-176] Authentication finally failed for username from elasticsearch:58584

# OpenDistro Security config.yml excerpt posted with the question.
# NOTE(review): the follow-up config in this thread changes the authc LDAP user
# lookup from sAMAccountName to uid; see the comments on the ldap domain below.
config:
      dynamic:
        # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
        # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
        # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
        #filtered_alias_mode: warn
        #do_not_fail_on_forbidden: false
        #kibana:
        # Kibana multitenancy
        #multitenancy_enabled: true
        #server_username: kibanaserver
        #index: '.kibana'
        http:
          # Unauthenticated requests are rejected; every request must match an authc domain below.
          anonymous_auth_enabled: false
          xff:
            # X-Forwarded-For handling is off, so the internalProxies pattern below is
            # presumably not consulted; only enable it behind a trusted reverse proxy.
            enabled: false
            internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
            #internalProxies: '.*' # trust all internal proxies, regex pattern
            #remoteIpHeader:  'x-forwarded-for'
            ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
            ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
            ###### and here https://tools.ietf.org/html/rfc7239
            ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
        # Authentication domains. Only basic_internal_auth_domain and ldap are enabled here;
        # the others are kept as disabled templates. Lower 'order' values are tried first — confirm
        # against the security plugin version in use.
        authc:
          kerberos_auth_domain:
            http_enabled: false
            transport_enabled: false
            order: 6
            http_authenticator:
              type: kerberos
              challenge: true
              config:
                # If true a lot of kerberos/security related debugging output will be logged to standard out
                krb_debug: false
                # If true then the realm will be stripped from the user name
                strip_realm_from_principal: true
            authentication_backend:
              type: noop
          basic_internal_auth_domain:
            description: "Authenticate via HTTP Basic against internal users database"
            http_enabled: true
            transport_enabled: false
            # order 0: internal users (e.g. kibanaserver) are checked before LDAP.
            order: 0
            http_authenticator:
              type: basic
              challenge: true
            authentication_backend:
              type: intern
          proxy_auth_domain:
            description: "Authenticate via proxy"
            http_enabled: false
            transport_enabled: false
            order: 3
            http_authenticator:
              type: proxy
              challenge: false
              config:
                user_header: "x-proxy-user"
                roles_header: "x-proxy-roles"
            authentication_backend:
              type: noop
          jwt_auth_domain:
            description: "Authenticate via Json Web Token"
            http_enabled: false
            transport_enabled: false
            order: 5
            http_authenticator:
              type: jwt
              challenge: false
              config:
                # Placeholder text, not a usable key; the domain is disabled anyway.
                signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
                jwt_header: "Authorization"
                jwt_url_parameter: null
                roles_key: null
                subject_key: null
            authentication_backend:
              type: noop
          clientcert_auth_domain:
            description: "Authenticate via SSL client certificates"
            http_enabled: false
            transport_enabled: false
            order: 2
            http_authenticator:
              type: clientcert
              config:
                username_attribute: cn #optional, if omitted DN becomes username
              challenge: false
            authentication_backend:
              type: noop
          ldap:
            description: "Authenticate via LDAP or Active Directory"
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: basic
              challenge: true
            authentication_backend:
              # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
              type: ldap
              config:
                # enable ldaps
                # LDAPS to port 636 (see hosts below); start-TLS and client-cert auth are off.
                enable_ssl: true
                # enable start tls, enable_ssl should be false
                enable_start_tls: false
                # send client certificate
                enable_ssl_client_auth: false
                # verify ldap hostname
                # Hostname verification is on; the server certificate must chain to pemtrustedcas_filepath below.
                verify_hostnames: true
                hosts:
                - ldap.jumpcloud.com:636
                # Bind (service) account used for the user search; 'secret' is a placeholder value.
                # The bind password is stored in plaintext in this file — restrict the file's permissions
                # and keep the real value out of version control.
                bind_dn: uid=opendistro,ou=Users,o=randomtext,dc=jumpcloud,dc=com
                password: secret
                userbase: ou=Users,o=randomtext,dc=jumpcloud,dc=com
                # Filter to search for users (currently in the whole subtree beneath userbase)
                # {0} is substituted with the username
                # NOTE(review): sAMAccountName is an Active Directory attribute; the resolved config
                # later in this thread uses '(uid={0})' with username_attribute: uid instead.
                # If the directory has no sAMAccountName, no user entry is found and authentication fails.
                usersearch: '(sAMAccountName={0})'
                # Use this attribute from the user as username (if not set then DN is used)
                username_attribute: cn
                # CA chain that anchors LDAPS certificate verification.
                pemtrustedcas_filepath: "/etc/elasticsearch/jumpcloud.chain.pem"
        # Authorization (role lookup) domains; repeats the LDAP connection settings from authc.
        authz:
          roles_from_myldap:
            description: "Authorize via LDAP or Active Directory"
            http_enabled: true
            transport_enabled: true
            authorization_backend:
              # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
              type: ldap
              config:
                # enable ldaps
                enable_ssl: true
                # enable start tls, enable_ssl should be false
                enable_start_tls: false
                # send client certificate
                enable_ssl_client_auth: false
                # verify ldap hostname
                verify_hostnames: true
                hosts:
                - ldap.jumpcloud.com:636
                # Same plaintext bind credential as in authc; see the note there.
                bind_dn: uid=opendistro,ou=Users,o=randomtext,dc=jumpcloud,dc=com
                password: secret
                rolebase: 'ou=Users,o=randomtext,dc=jumpcloud,dc=com'
                # Filter to search for roles (currently in the whole subtree beneath rolebase)
                # {0} is substituted with the DN of the user
                # {1} is substituted with the username
                # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
                rolesearch: '(member={0})'
                # Specify the name of the attribute which value should be substituted with {2} above
                userroleattribute: null
                # Roles as an attribute of the user entry
    #            userrolename: disabled
                # Both a role search (rolesearch above) and a user-entry attribute (memberOf) are
                # configured; presumably roles from both sources are combined — confirm.
                userrolename: "memberOf"
                # The attribute in a role entry containing the name of that role, Default is "name".
                # Can also be "dn" to use the full DN as rolename.
                rolename: cn
                # Resolve nested roles transitive (roles which are members of other roles and so on ...)
                resolve_nested_roles: true
                userbase: ou=Users,o=randomtext,dc=jumpcloud,dc=com
                # Filter to search for users (currently in the whole subtree beneath userbase)
                # {0} is substituted with the username
                # NOTE(review): this filter uses cn while the authc domain above uses sAMAccountName;
                # the two lookups should agree on the attribute that identifies a user.
                usersearch: '(cn={0})'
                # Skip users matching a user name, a wildcard or a regex pattern
                # The internal kibanaserver user is excluded from LDAP role lookup.
                skip_users:
                #  - 'cn=Michael Jackson,ou*people,o=TEST'
                #  - '/\S*/'
                - kibanaserver
                pemtrustedcas_filepath: "/etc/elasticsearch/jumpcloud.chain.pem"
          roles_from_another_ldap:
            description: "Authorize via another Active Directory"
            http_enabled: false
            transport_enabled: false
            authorization_backend:
              type: ldap
              #config goes here ...
      # Failed-login rate limiting is left commented out below, so repeated failed
      # attempts from one IP or against one internal username are not throttled.
      #    auth_failure_listeners:
      #      ip_rate_limiting:
      #        type: ip
      #        allowed_tries: 10
      #        time_window_seconds: 3600
      #        block_expiry_seconds: 600
      #        max_blocked_clients: 100000
      #        max_tracked_clients: 100000
      #      internal_authentication_backend_limiting:
      #        type: username
      #        authentication_backend: intern
      #        allowed_tries: 10
      #        time_window_seconds: 3600
      #        block_expiry_seconds: 600
      #        max_blocked_clients: 100000
      #        max_tracked_clients: 100000

Please enlighten me.

Hi,

I have figured out the issue. I hope this will help someone in the future who is using JumpCloud for this.

Following is the config I am using. Please ignore the authz section, since I am not using it for now.

# Working OpenDistro Security config.yml excerpt posted as the resolution.
# Compared with the first post: the authc LDAP user search now uses uid instead of
# sAMAccountName, username_attribute is uid, the LDAP basic authenticator no longer
# challenges, and the domain 'order' values were rearranged.
config:
      dynamic:
        # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
        # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
        # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
        #filtered_alias_mode: warn
        #do_not_fail_on_forbidden: false
        #kibana:
        # Kibana multitenancy
        #multitenancy_enabled: true
        #server_username: kibanaserver
        #index: '.kibana'
        http:
          # Unauthenticated requests are rejected.
          anonymous_auth_enabled: false
          xff:
            # X-Forwarded-For handling is off; the internalProxies pattern below is
            # presumably not consulted while enabled is false.
            enabled: false
            internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
            #internalProxies: '.*' # trust all internal proxies, regex pattern
            #remoteIpHeader:  'x-forwarded-for'
            ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
            ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
            ###### and here https://tools.ietf.org/html/rfc7239
            ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
        # Authentication domains. Only basic_internal_auth_domain (order 4) and ldap (order 5)
        # are enabled; lower 'order' values are tried first — confirm against the plugin version in use.
        authc:
          kerberos_auth_domain:
            http_enabled: false
            transport_enabled: false
            order: 6
            http_authenticator:
              type: kerberos
              challenge: true
              config:
                # If true a lot of kerberos/security related debugging output will be logged to standard out
                krb_debug: false
                # If true then the realm will be stripped from the user name
                strip_realm_from_principal: true
            authentication_backend:
              type: noop
          basic_internal_auth_domain:
            description: "Authenticate via HTTP Basic against internal users database"
            http_enabled: true
            # transport_enabled is now true (it was false in the first post).
            transport_enabled: true
            order: 4
            http_authenticator:
              type: basic
              challenge: true
            authentication_backend:
              type: intern
          proxy_auth_domain:
            description: "Authenticate via proxy"
            http_enabled: false
            transport_enabled: false
            order: 3
            http_authenticator:
              type: proxy
              challenge: false
              config:
                user_header: "x-proxy-user"
                roles_header: "x-proxy-roles"
            authentication_backend:
              type: noop
          jwt_auth_domain:
            description: "Authenticate via Json Web Token"
            http_enabled: false
            transport_enabled: false
            order: 0
            http_authenticator:
              type: jwt
              challenge: false
              config:
                # Placeholder text, not a usable key; the domain is disabled anyway.
                signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
                jwt_header: "Authorization"
                jwt_url_parameter: null
                roles_key: null
                subject_key: null
            authentication_backend:
              type: noop
          clientcert_auth_domain:
            description: "Authenticate via SSL client certificates"
            http_enabled: false
            transport_enabled: false
            order: 2
            http_authenticator:
              type: clientcert
              config:
                username_attribute: cn #optional, if omitted DN becomes username
              challenge: false
            authentication_backend:
              type: noop
          ldap:
            description: "Authenticate via LDAP or Active Directory"
            http_enabled: true
            transport_enabled: true
            # Tried after the internal users domain (order 4).
            order: 5
            http_authenticator:
              type: basic
              # challenge is false here; the internal basic domain above already sends the
              # WWW-Authenticate challenge, so this domain only consumes credentials — presumably.
              challenge: false
            authentication_backend:
              # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
              type: ldap
              config:
                # enable ldaps
                # LDAPS to port 636 (see hosts below); start-TLS and client-cert auth are off.
                enable_ssl: true
                # enable start tls, enable_ssl should be false
                enable_start_tls: false
                # send client certificate
                enable_ssl_client_auth: false
                # verify ldap hostname
                # Hostname verification is on; the server certificate must chain to pemtrustedcas_filepath below.
                verify_hostnames: true
                hosts:
                - ldap.jumpcloud.com:636
                # Bind (service) account used for the user search; 'secret' is a placeholder value.
                # The bind password is stored in plaintext in this file — restrict the file's permissions
                # and keep the real value out of version control.
                bind_dn: uid=opendistro,ou=Users,o=randomtext,dc=jumpcloud,dc=com
                password: secret
                userbase: 'ou=Users,o=randomtext,dc=jumpcloud,dc=com'
                # Filter to search for users (currently in the whole subtree beneath userbase)
                # {0} is substituted with the username
                # The fix from this thread: JumpCloud user entries are matched on uid rather than
                # the Active Directory attribute sAMAccountName used in the first post.
                usersearch: '(uid={0})'
                # Use this attribute from the user as username (if not set then DN is used)
                username_attribute: uid
                # CA chain that anchors LDAPS certificate verification.
                pemtrustedcas_filepath: "/etc/elasticsearch/jumpcloud.chain.pem"
        # Authorization (role lookup) domains. The poster says this section is not in use;
        # note it still searches users with '(cn={0})' while authc matches on uid.
        authz:
              roles_from_myldap:
                description: "Authorize via LDAP or Active Directory"
                http_enabled: true
                transport_enabled: true
                authorization_backend:
                  # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
                  type: ldap
                  config:
                    # enable ldaps
                    enable_ssl: true
                    # enable start tls, enable_ssl should be false
                    enable_start_tls: false
                    # send client certificate
                    enable_ssl_client_auth: false
                    # verify ldap hostname
                    verify_hostnames: true
                    hosts:
                    - ldap.jumpcloud.com:636
                    # Same plaintext bind credential as in authc; see the note there.
                    bind_dn: uid=opendistro,ou=Users,o=randomtext,dc=jumpcloud,dc=com
                    password: secret
                    rolebase: 'ou=Users,o=randomtext,dc=jumpcloud,dc=com'
                    # Filter to search for roles (currently in the whole subtree beneath rolebase)
                    # {0} is substituted with the DN of the user
                    # {1} is substituted with the username
                    # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
                    rolesearch: '(member={0})'
                    # Specify the name of the attribute which value should be substituted with {2} above
                    userroleattribute: null
                    # Roles as an attribute of the user entry
        #            userrolename: disabled
                    # Both a role search (rolesearch above) and a user-entry attribute (memberOf) are
                    # configured; presumably roles from both sources are combined — confirm.
                    userrolename: "memberOf"
                    # The attribute in a role entry containing the name of that role, Default is "name".
                    # Can also be "dn" to use the full DN as rolename.
                    rolename: cn
                    # Resolve nested roles transitive (roles which are members of other roles and so on ...)
                    resolve_nested_roles: true
                    userbase: ou=Users,o=randomtext,dc=jumpcloud,dc=com
                    # Filter to search for users (currently in the whole subtree beneath userbase)
                    # {0} is substituted with the username
                    # NOTE(review): still cn here while the authc domain uses uid; align the two
                    # before enabling role lookup.
                    usersearch: '(cn={0})'
                    # Skip users matching a user name, a wildcard or a regex pattern
                    # The internal kibanaserver user is excluded from LDAP role lookup.
                    skip_users:
                    #  - 'cn=Michael Jackson,ou*people,o=TEST'
                    #  - '/\S*/'
                    - 'kibanaserver'
                    pemtrustedcas_filepath: "/etc/elasticsearch/jumpcloud.chain.pem"
              roles_from_another_ldap:
                description: "Authorize via another Active Directory"
                http_enabled: false
                transport_enabled: false
                authorization_backend:
                  type: ldap
                  #config goes here ...
          # Failed-login rate limiting is left commented out below, so repeated failed
          # attempts from one IP or against one internal username are not throttled.
          #    auth_failure_listeners:
          #      ip_rate_limiting:
          #        type: ip
          #        allowed_tries: 10
          #        time_window_seconds: 3600
          #        block_expiry_seconds: 600
          #        max_blocked_clients: 100000
          #        max_tracked_clients: 100000
          #      internal_authentication_backend_limiting:
          #        type: username
          #        authentication_backend: intern
          #        allowed_tries: 10
          #        time_window_seconds: 3600
          #        block_expiry_seconds: 600
          #        max_blocked_clients: 100000
          #        max_tracked_clients: 100000