This is a plugin for Logstash.

It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.

LDAPresolve filter will add to the event the fields login, user and group based on LDAP request with provided uidNumber information. and add LDAP_OK tag on success, otherwise error tag

• LDAP_ERR: some LDAP connection or schema error
• LDAP_UNK_USER: unknow uidNumber
• LDAP_UNK_GROUP: unknow group

This filter useby default LDAPS but can be configure to use plain LDAP. you can select the protocol you want to use via the use_ssl config setting

As all filters, this filter only processes 1 event at a time, so using this plugin can significantly slow down your pipeline's throughput if you have a high latency network. In order to reduce the slow down a cache mechanism is provided. Cache holds the relevant information for a given uidNumber (full user name, group), and cache entries are tagged with a timestamp of cache introduction Basicaly uidNumber is first searched using the cache on the cache, checked for the timestamp. if cache introduction time is older than persistence time then it is considered as not found and a LDAP request is performed and cache updated for this specific uidNumber.

cache use and cache persistence time are adjustable form the config.

LDAP tree naming and schema may vary. You must specify the DN where to lookcup for user and group information User and group attributes are set to some reasonable values and are overwritable via the config user attributes : 'uid', 'gidNumber', 'givenName', 'sn' group attributes: 'dn'

If uidNumber is not found in LDAP, for user and group are set to default values, eg: Unknown.

assume we have on LDAPS (with no authent) an user John DOE with uidNumber 25377 that pertains to group nobody For example with following envent structure.

 {
     "@version" => "1",
   "@timestamp" => "2015-06-29:00:00.000Z",
   "some_infos" => 'foo bar"
 }

and the following init configuration

LDAPresolve {
    uidNumber => 25377
    host      => "ldaps.pasteur.fr"
    userdn    => "ou=utilisateurs,dc=pasteur,dc=fr"
    groupdn   => "ou=entites,ou=groupes,dc=pasteur,dc=fr"
}

we will get this output

 {
     "@version" => "1",
   "@timestamp" => "2015-06-29:00:00.000Z",
   "some_infos" => 'foo bar"
         "user" => "John DOE"
        "group" => "nobody"
        "login" => "jdoe"
 }

You can use the built-in plugin tool from Logstash to install the filter from https://rubygems.org/gems/logstash-filter-LDAPresolve

$LS_HOME/bin/plugin install logstash-filter-LDAPresolve

Or you can build it yourself:

git clone https://github.com/EricDeveaud/logstash_filter_LDAPresolve
cd logstash_filter_LDAPresolve
bundle install
bundle exec rspec
gem build logstash-filter-LDAPresolve.gemspec
$LS_HOME/bin/plugin install ./logstash-filter-rest-0.1.0.gem

Add the following to the #filter# section of your logstash configuration

LDAPresolve {
    uidNumber  => 7225
    host       => "ldap.somewhere.org"
    userdn     => "ou=users,dc=somewhere,dc=org"
    groupdn    => "ou=groups,dc=somewhere,dc=org"
}

uidNumber can be dynamic and include parts of the event using the %{field} syntax. eg assume we have the uidNumber previously stored in the envent's field 'uid' We can then use

LDAPresolve {
    uidNumber  => "%{uid}"
    host       => "ldap.somewhere.org"
    userdn     => "ou=users,dc=somewhere,dc=org"
    groupdn    => "ou=groups,dc=somewhere,dc=org"
}

if your LDAP server use another port than the (339) default one

    ldap_port  => 1234

if your LDAPS server use another port than the (636) default one

   ldaps_port  => 1234

if you use a login//passord to log to your LDAP server

   username    => "some_loggin"
   passord     => "secretPassword"

if your LDAP use some specific attributes you can specify them for the filtering request

   userattrs   => ['attr1', 'attr2', ..] 
   groupattrs  => ['attr1', 'attr2', ..]

defaut atributes used by LDAPresolve are the following:

   userattrs => ['uid', 'gidNumber', 'givenName', 'sn'] that suits the posix account definitions.
   groupattrs  => ['dn']

LDAPresolve uses a basic cache mechanism by default. This cache mechanism can be disabled using the following configuration options

   usecache    => false

Cache retention is set by default to 300 second. you can change the cache retention duration using the following configuration options

   cache_interval => number_of_seconds 

All contributions are welcome: ideas, patches, documentation, bug reports, complaints, usggestions ...