x-pack/filebeat/input/entityanalytics/provider/internal/activedirecto…
…ry: relax base DN constraint

Apparently the base DN prefixes used in the wild are not restricted to
CN=Users, so remove that check in the query.
efd6 committed Jun 28, 2024
1 parent 5caa070 commit 878f9d4
Showing 2 changed files with 3 additions and 6 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -290,6 +290,7 @@ https:/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
- Update CEL mito extensions to v1.13.0 {pull}40035[40035]
- Add Jamf entity analytics provider. {pull}39996[39996]
- Add ability to remove request trace logs from http_endpoint input. {pull}40005[40005]
- Relax constraint on Base DN in entity analytics Active Directory provider. {pull}40054[40054]

*Auditbeat*

Expand Up @@ -23,8 +23,6 @@ var (
ErrUsers = errors.New("failed to get user details")
)

var cnUsers = &ldap.RelativeDN{Attributes: []*ldap.AttributeTypeAndValue{{Type: "CN", Value: "Users"}}}

// Entry is an Active Directory user entry with associated group membership.
type Entry struct {
ID string `json:"id"`
Expand All @@ -45,10 +43,6 @@ func GetDetails(url, user, pass string, base *ldap.DN, since time.Time, pagingSi
if base == nil || len(base.RDNs) == 0 {
return nil, fmt.Errorf("%w: no path", ErrInvalidDistinguishedName)
}
baseDN := base.String()
if !base.RDNs[0].Equal(cnUsers) {
return nil, fmt.Errorf("%w: %s does not have %s", ErrInvalidDistinguishedName, baseDN, cnUsers)
}

var opts []ldap.DialOpt
if dialer != nil {
Expand Down Expand Up @@ -77,6 +71,8 @@ func GetDetails(url, user, pass string, base *ldap.DN, since time.Time, pagingSi
sinceFmtd = since.Format(denseTimeLayout)
}

baseDN := base.String()

// Get groups in the directory. Get all groups independent of the
// since parameter as they may not have changed for changed users.
var groups directory
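Review bot: With the CN=Users check removed from GetDetails, the only validation left on `base` is the nil/empty guard, so the search scope is now whatever the operator configures, and nothing at the relocated `baseDN := base.String()` line says so. I would add a comment there, for example `// baseDN is used as given: any non-empty DN is accepted, so the search scope is set entirely by configuration.` The search filters sit outside the visible hunks, so I cannot tell from here whether they already limit results to user and group objects; if they do not, a broader base could return other object classes, which is worth confirming. The commit touches only the changelog and this file, so a test case with a base DN that does not start with CN=Users would pin the relaxed behaviour. GetDetails starts and ends outside the visible hunks.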
