Graylog2-server: ldap login not working with graylog-2.0.0-3.beta.2

Created on 13 Apr 2016 · 10 comments · Source: Graylog2/graylog2-server

Problem description

I've been successfully using graylog-1.3.4 with LDAP, but when I tried to set it up with this new v2 system, it doesn't work (BTW, the standalone accounts work).

Steps to reproduce the problem

  1. We use AD and have a forest with the LDAP groups in the parent and the user accounts in child domains. By using the AD Global Catalog server ports, you can make this work (i.e. log in with a child account that is a member of a parent group).
  2. I configured the LDAP admin page the same way as the 1.3.4 system, _I think_. I also chose the cleartext LDAP port 3268 so I could run tcpdump for diagnostics.
  3. Doing a login (and viewing it in Wireshark) shows the following.
  4. Bind with "system username" succeeds. This does a search for the LDAP username I was trying to log in with, and that search returns my LDAP DN plus some attributes such as the groups I am a member of; I can see the Graylog groups the "group search pattern" would match on show up as expected.
  5. Graylog then appears to iterate through all those groups, returning their cn, which it already knows. I have no idea what value this is adding, as it doesn't return new data.
  6. Bind with my DN and password. That succeeds. Final packets show Graylog initiating the TCP FIN, and cleanup occurs. I see no evidence of any query for the group filter... The entire LDAP transaction is over in <1 sec.
  7. The login form shows "Invalid credentials, please verify them and retry" and the Graylog log file shows the events below.

So according to tcpdump, there is no failed login event, but there is also no attempt to run the LDAP group filter (ours is "(&(objectClass=group)(cn=cis-graylog*))"), and logon fails.

2016-04-13T03:06:09.774Z WARN [SessionsResource] Unable to log in user [email protected]
org.apache.shiro.authc.AuthenticationException: No account information found for authentication token [org.apache.shiro.authc.UsernamePasswordToken - [email protected], rememberMe=false] by this Authenticator instance. Please check that it is configured correctly.
at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:202) ~[graylog.jar:?]
at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106) ~[graylog.jar:?]
at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270) ~[graylog.jar:?]
at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256) ~[graylog.jar:?]
at org.graylog2.rest.resources.system.SessionsResource.newSession(SessionsResource.java:94) [graylog.jar:?]
at sun.reflect.GeneratedMethodAccessor401.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:1.8.0_77]
at java.lang.reflect.Method.invoke(Unknown Source) ~[?:1.8.0_77]
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81) [graylog.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:144) [graylog.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:161) [graylog.jar:?]
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:205) [graylog.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:99) [graylog.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389) [graylog.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347) [graylog.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102) [graylog.jar:?]
at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:326) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:315) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:297) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:267) [graylog.jar:?]
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) [graylog.jar:?]
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) [graylog.jar:?]
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) [graylog.jar:?]
at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:384) [graylog.jar:?]
at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224) [graylog.jar:?]
at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [graylog.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:1.8.0_77]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:1.8.0_77]
at java.lang.Thread.run(Unknown Source) [?:1.8.0_77]

Environment

  • Graylog Version: graylog-server-2.0.0-3.beta.2.noarch
  • Elasticsearch Version: elasticsearch-2.3.1-1.noarch
  • MongoDB Version: 2.6.11-1.el7
  • Operating System: CentOS-7/64bit
  • Java: jre1.8.0_77-1.8.0_77-fcs.x86_64
  • Browser version: Firefox/Chrome/everything
Labels: P1, S1, bug, security, triaged

All 10 comments

Possibly related to this issue, which just got fixed yesterday? https://github.com/Graylog2/graylog2-server/issues/2045

Yes, that is very likely related to that issue.

@dumpwhanau I'll close this one, if the problem persists in beta.3 please reopen it. beta.3 will also log the exception that caused the login to fail, something previous versions neglected to do.

FWIW you can also try the most recent snapshot at http://packages.graylog2.org/_/snapshots?q=2.0.0-beta.3 to check if it's gone.

@kroepke Tried the latest snapshot and it fixed the issue for me.

Great! Thanks for the feedback!

Yep - fixed it.

Thanks!

Whoops! Massive security hole!

I can now log in with ANY PASSWORD. The logs show the following error, but I end up logged in. I just tried it from a browser I've never used with Graylog before (no chance of cookies), and with a password of "xxx" I am logged in. So that beta3 version has a problem.

2016-04-13T10:44:13.891Z ERROR [LdapUserAuthenticator] Error during LDAP user account sync. Cannot log in user [email protected]
java.lang.RuntimeException: MessageType : BIND_RESPONSE
Message ID : 66
BindResponse
Ldap Result
Result code : (INVALID_CREDENTIALS) invalidCredentials
Matched Dn : ''
Diagnostic message : '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1'
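As an added example (not Graylog's code), the Python below models the flow the issue walks through (system bind, user search, user bind, group filter) against a constructed in-memory directory, and contrasts a fail-open authenticator that reproduces the symptom in the comment above (a bind error is logged, yet the login succeeds) with a fail-closed one; all DNs, names and passwords are hypothetical.

```python
# Added example, not Graylog's code: LDAP login flow against a constructed
# in-memory directory; fail-open vs fail-closed handling of a failed user bind.
class LdapError(Exception):
    """Stands in for a non-success BindResponse such as INVALID_CREDENTIALS (data 52e)."""

# Constructed forest: groups live in the parent domain, user accounts in a child domain.
SYSTEM_DN, SYSTEM_PW = "CN=svc-graylog,OU=svc,DC=corp,DC=example", "svc-secret"
DIRECTORY = {
    SYSTEM_DN: {"pw": SYSTEM_PW, "upn": "svc@corp.example", "memberOf": []},
    "CN=alice,OU=users,DC=child,DC=corp,DC=example": {
        "pw": "alice-secret", "upn": "alice@child.corp.example",
        "memberOf": ["CN=cis-graylog-admins,OU=groups,DC=corp,DC=example"]},
}
GROUP_CN_PREFIX = "cn=cis-graylog"  # models the "(&(objectClass=group)(cn=cis-graylog*))" filter

def bind(dn, password):
    # Simple bind: an unknown DN or wrong password yields an error, like a real directory.
    entry = DIRECTORY.get(dn)
    if entry is None or entry["pw"] != password:
        raise LdapError("INVALID_CREDENTIALS, AcceptSecurityContext error, data 52e")

def lookup(upn):
    """Bind as the system account, then search for the user's DN and attributes."""
    bind(SYSTEM_DN, SYSTEM_PW)
    return next(((dn, e) for dn, e in DIRECTORY.items() if e["upn"] == upn), None)

def matching_groups(entry):
    # Apply the group filter to the user's memberOf values (cn=cis-graylog*).
    return [g for g in entry["memberOf"] if g.split(",")[0].lower().startswith(GROUP_CN_PREFIX)]

def login_fail_open(upn, password):
    """Bug class from the report: the bind error is logged, but an account is still returned."""
    found = lookup(upn)
    if found is None: return None
    dn, entry = found
    try:
        bind(dn, password)
    except LdapError as err:
        print("ERROR Error during LDAP user account sync:", err)  # logged, then swallowed
    return {"upn": upn, "groups": matching_groups(entry)}  # reached even after the failed bind

def login_fail_closed(upn, password):
    """Every failure path denies; only a successful user bind plus a group match yields an account."""
    found = lookup(upn)
    if found is None: return None
    dn, entry = found
    try:
        bind(dn, password)
    except LdapError as err:
        print("ERROR Cannot log in user", upn, "-", err)
        return None
    groups = matching_groups(entry)
    return {"upn": upn, "groups": groups} if groups else None
```

With the wrong password "xxx", login_fail_open returns an account while login_fail_closed returns None, which is the difference between the reported behaviour and the expected one.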

I can confirm this :smile:

Thank you, we will investigate ASAP!

@dumpwhanau @alexdepalex Thanks again for the report!

This will be fixed in the upcoming 2.0.0-beta.3.
