"admin" user login not working after LDAP integration

Hello,

I am running Open Distro in a Docker container using docker-compose. I have integrated LDAP by configuring the config.yml file.

Now the issue is that after the LDAP integration, my default admin login is not working anymore, even though I have the lines below in the authz section of config.yml:

    skip_users:
      - kibanaserver
      - admin

I would like to know whether multiple authentication types are allowed or possible in Open Distro, for example internal users as well as LDAP.

Please confirm. If this is possible, can you provide the sample config file where it has 2 authentication methods?

Hello @ravis85. Would you mind sharing your config.yml and version of ODFE?

Hi @pablo

I have resolved this issue, now I am able to authenticate using “admin” user as well as my LDAP user.

However, there is another issue I am facing: the mapping of roles to my LDAP user or group is not working. I am not able to see the "Security" tab in the Kibana UI when logged in with my LDAP user. Basically I am trying to grant my LDAP user/group admin access, but it's not working for me.

Could you please suggest what I am missing or anything I am doing wrong.

My ODFE version is - 1.13.2

Please see below my config.yml, roles.yml and roles_mapping.yml files

config.yml -

config:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    #do_not_fail_on_forbidden: false
    #kibana:
      # Kibana multitenancy
      #multitenancy_enabled: true
      #server_username: kibanaserver
      #index: '.kibana'
    http:
      anonymous_auth_enabled: true
      xff:
        enabled: false
        internalProxies: '192.168.0.10|192.168.0.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        #remoteIpHeader: 'x-forwarded-for'
        ###### see Pattern (Java Platform SE 7) for regex help
        ###### more information about XFF: X-Forwarded-For - Wikipedia
        ###### and here: RFC 7239: Forwarded HTTP Extension
        ###### and Apache Tomcat 8 Configuration Reference (8.0.53) - The Valve Component
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      ldap:
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: "ldap"
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - "ldap.ad1.example.com:389"
            bind_dn: "CN=SRVLDAPUSER,OU=Users,OU=People,OU=IN,DC=ldap,DC=ad1,DC=example,DC=com"
            password: "*****"
            userbase: "OU=IN,DC=ldap,DC=ad1,DC=example,DC=com"
            usersearch: "(sAMAccountName={0})"
            username_attribute: cn
    authz:
      ldap:
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - ldap.ad1.example.com:389
            bind_dn: CN=SRVLDAPUSER,OU=Users,OU=People,OU=IN,DC=ldap,DC=ad1,DC=example,DC=com
            password: "*******"
            userbase: 'OU=IN,DC=ldap,DC=ad1,DC=example,DC=com'
            usersearch: '(uid={0})'
            username_attribute: uid
            rolebase: 'OU=Groups,DC=ldap,DC=ad1,DC=example,DC=com'
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: none
            rolename: cn
            resolve_nested_roles: true

            skip_users:
              - kibanaserver
              - 'cn=Michael Jackson,ou*people,o=TEST'
              - '/\S*/'

roles.yml -

adminrole:
  reserved: true
  cluster_permissions:
    - cluster_all
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - crud

roles_mapping.yml -

adminrole:
  reserved: false
  backend_roles:
    - "DL Global IT Admin Dev Infrastructure for AdminDevs"

@ravis85

adminrole group has to be included in opendistro_security.restapi.roles_enabled:[] to enable the security tab in Kibana UI.

Hi @pablo

I tried that and restarted the node, but it's still not working.

I am not able to see the security tab for my ldap user.

Could you please check my config.yml and roles/roles_mapping files and suggest if anything is wrong or missing?

@ravis85 I tested that with an internal user. I’ll see if LDAP works too.
Be sure that role name in opendistro_security.restapi.roles_enabled:[] is exactly as your custom role.

Hi @pablo Yes, I verified that the role name is exactly the same as I have it in my roles.yml and roles_mapping.yml

Please update once you have any finding for LDAP user.

Thank you

@ravis85 LDAP worked for me too. This is my config.

AD user config
[screenshot not reproduced]

elasticsearch.yml

roles.yml
[screenshot not reproduced]

roles_mapping.yml
[screenshot not reproduced]

@ravis85 Can you run the below command and verify that the user has a backend role assigned?

curl --insecure -u <LDAP_USERNAME> -XGET https://localhost:9200/_opendistro/_security/authinfo?pretty

This is what I get with my ldapuser1.

Also, would you mind sharing your elasticsearch.yml file?

Hi @pablo This is what I am getting the result of above curl command without doing the changes you suggested above. I am working on applying the changes you provided above.

curl --insecure -u inshuklara -XGET https://localhost:9200/_opendistro/_security/authinfo?pretty
Enter host password for user 'inshuklara':
{
  "user" : "User [name=Ravindra Shukla (INSHUKLARA), backend_roles=[], requestedTenant=null]",
  "user_name" : "Ravindra Shukla (INSHUKLARA)",
  "user_requested_tenant" : null,
  "remote_address" : "172.18.0.1:47870",
  "backend_roles" : [ ],

Below is my elasticsearch.yml file. I am using the default one

cluster.name: "docker-cluster"
network.host: 0.0.0.0

############ minimum_master_nodes need to be explicitly set when bound on a public IP
############ set to 1 to allow single node clusters
############ Details: Enforce `discovery.zen.minimum_master_nodes` is set when bound to a public ip by bleskes · Pull Request #17288 · elastic/elasticsearch · GitHub
############ discovery.zen.minimum_master_nodes: 1

############ Breaking change in 7.0
############ Breaking changes in 7.0 | Elasticsearch Guide [7.0] | Elastic
############ cluster.initial_master_nodes:
############   - elasticsearch1
############   - docker-test-node-1
######## Start OpenDistro for Elasticsearch Security Demo Configuration ########
############ WARNING: revise all the lines below before you go into production
opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: esnode.pem
opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: true
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de

opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access", "adminrole"]
opendistro_security.system_indices.enabled: true
opendistro_security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opendistro-asynchronous-search-response*"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3
######## End OpenDistro for Elasticsearch Security Demo Configuration ########

Hi @pablo, I am getting some syntax errors in the securityadmin.sh results for the roles.yml file, maybe because of typos. I am fixing them and will update you.

@pablo Would you mind sharing the snippets of your roles.yml and roles_mapping.yml as shown in the screenshots above? Typing them manually on my side is giving me some errors, maybe because of a typo I guess. It would be a great help.

Sure.

roles_mapping.yml

  "adminrole" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "Ldap Users"
    ],
    "and_backend_roles" : [ ]
  }

roles.yml

  "adminrole" : {
    "reserved" : false,
    "hidden" : false,
    "cluster_permissions" : [
      "cluster_all"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "*"
        ],
        "dls" : "",
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "crud"
        ]
      }
    ],
    "tenant_permissions" : [
      {
        "tenant_patterns" : [
          "global_tenant"
        ],
        "allowed_actions" : [
          "kibana_all_write"
        ]
      }
    ],
    "static" : false
  }

@ravis85 Could you also confirm that the DL Global IT Admin Dev Infrastructure for AdminDevs group is in OU=Groups,DC=ldap,DC=ad1,DC=example,DC=com?

I suspect that the security plugin fails to find that group in the specified rolebase path

Hi @pablo Yes, now I am having the same doubt, because I made the same changes as you did and I can still see backend_roles as empty when I run the curl command for my LDAP user.

I will check this with my AD team and confirm

curl --insecure -u inshuklara -XGET https://localhost:9200/_opendistro/_security/authinfo?pretty
Enter host password for user 'inshuklara':
{
  "user" : "User [name=Ravindra Shukla (INSHUKLARA), backend_roles=[], requestedTenant=null]",
  "user_name" : "Ravindra Shukla (INSHUKLARA)",
  "user_requested_tenant" : null,
  "remote_address" : "172.18.0.1:44546",
  "backend_roles" : [ ],
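The empty backend_roles in the authinfo output above is the symptom of the authz step finding nothing, and the thread narrows that to the group not living under rolebase. The script below is an added illustration (not the security plugin's code, and not from anyone in the thread) that models the authz pipeline the config.yml above describes: a skip_users check, the usersearch under userbase, the rolesearch under rolebase with {0} replaced by the user's DN, the rolename attribute becoming the backend role, and finally the roles_mapping lookup. It runs against a constructed in-memory directory whose DNs and group names reuse the thread's labels but are not real entries. Two points in the posted config are worth checking alongside pablo's rolebase question, and the model reproduces both: the sample entry '/\S*/' from the default config.yml is still in skip_users (modelled here, as an assumption, as a full-string regex match; it skips authorization entirely for any username without whitespace), and the authz block searches users with (uid={0}) while authc uses (sAMAccountName={0}) and cn, so a usersearch run with that filter on Active Directory returns nothing. The posted authz block also sets enable_ssl: true against port 389 while authc uses plaintext on the same port, which the model does not cover. The filter parser only understands the equality form (attr={n}); the real plugin supports arbitrary LDAP filters.

```python
"""Offline model of Open Distro security LDAP authorization + role mapping.

Added example, not the plugin's implementation. Directory contents, DNs and
the user/group names are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]  # LDAP attribute -> values

# ---- constructed directory (assumed layout, not real data) ------------------
USER_DN = "CN=Ravindra Shukla (INSHUKLARA),OU=Users,OU=People,OU=IN,DC=ldap,DC=ad1,DC=example,DC=com"
SVC_DN = "CN=ldapuser1,OU=Users,OU=People,OU=IN,DC=ldap,DC=ad1,DC=example,DC=com"
DL_DN = "CN=DL Global IT Admin Dev Infrastructure for AdminDevs,OU=Distribution Lists,DC=ldap,DC=ad1,DC=example,DC=com"
GRP_DN = "CN=Ldap Users,OU=Groups,DC=ldap,DC=ad1,DC=example,DC=com"

DIRECTORY: Dict[str, Entry] = {
    USER_DN: {"sAMAccountName": ["inshuklara"], "cn": ["Ravindra Shukla (INSHUKLARA)"]},
    SVC_DN: {"sAMAccountName": ["ldapuser1"], "cn": ["ldapuser1"]},
    DL_DN: {"cn": ["DL Global IT Admin Dev Infrastructure for AdminDevs"], "member": [USER_DN]},
    GRP_DN: {"cn": ["Ldap Users"], "member": [SVC_DN]},
}

# authz values as posted in the thread's config.yml
AUTHZ_AS_POSTED = {
    "userbase": "OU=IN,DC=ldap,DC=ad1,DC=example,DC=com",
    "usersearch": "(uid={0})",
    "rolebase": "OU=Groups,DC=ldap,DC=ad1,DC=example,DC=com",
    "rolesearch": "(member={0})",
    "rolename": "cn",
    "skip_users": ["kibanaserver", "cn=Michael Jackson,ou*people,o=TEST", "/\\S*/"],
}
# same block with the three suspects changed (assumed fix, for comparison)
AUTHZ_FIXED = dict(AUTHZ_AS_POSTED, usersearch="(cn={0})",
                   rolebase="DC=ldap,DC=ad1,DC=example,DC=com",
                   skip_users=["kibanaserver"])

# roles_mapping.yml as posted by ravis85
ROLES_MAPPING = {
    "adminrole": {"users": [], "and_backend_roles": [],
                  "backend_roles": ["DL Global IT Admin Dev Infrastructure for AdminDevs"]},
}


def _norm(value: str) -> str:
    """DNs are case-insensitive; also drop spaces after RDN separators."""
    return re.sub(r",\s*", ",", value.strip()).lower()


def dn_under(dn: str, base: str) -> bool:
    """True if dn is base itself or lies anywhere below it (subtree scope)."""
    d, b = _norm(dn), _norm(base)
    return d == b or d.endswith("," + b)


def search(directory: Dict[str, Entry], base: str, filt: str, *args: str) -> List[Tuple[str, Entry]]:
    """Subtree search; only the equality filter '(attr={n})' is modelled."""
    m = re.fullmatch(r"\((\w+)=\{(\d)\}\)", filt)
    if not m:
        raise ValueError(f"model supports '(attr={{n}})' filters only: {filt}")
    attr, wanted = m.group(1).lower(), _norm(args[int(m.group(2))])
    hits = []
    for dn, entry in directory.items():
        if not dn_under(dn, base):
            continue  # outside the search base: invisible to this search
        values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
        if any(_norm(v) == wanted for v in values):
            hits.append((dn, entry))
    return hits


def is_skipped(username: str, skip_users: List[str]) -> bool:
    """'/regex/' entries are regexes (assumed full-string match); others literal."""
    for pat in skip_users:
        if len(pat) > 1 and pat.startswith("/") and pat.endswith("/"):
            if re.fullmatch(pat[1:-1], username):
                return True
        elif pat == username:
            return True
    return False


def resolve_backend_roles(username: str, cfg: dict, directory: Dict[str, Entry]) -> Tuple[List[str], str]:
    """Return (backend_roles, reason); reason says why the list is empty."""
    if is_skipped(username, cfg["skip_users"]):
        return [], f"'{username}' matches skip_users; LDAP authorization skipped"
    users = search(directory, cfg["userbase"], cfg["usersearch"], username)
    if len(users) != 1:
        return [], f"usersearch {cfg['usersearch']} under {cfg['userbase']} returned {len(users)} entries"
    user_dn = users[0][0]
    # rolesearch placeholders: {0} user DN, {1} username, {2} userroleattribute value
    groups = search(directory, cfg["rolebase"], cfg["rolesearch"], user_dn, username, "")
    if not groups:
        return [], f"no entry under {cfg['rolebase']} matches {cfg['rolesearch']} for {user_dn}"
    return [v for _, g in groups for v in g.get(cfg["rolename"], [])], "ok"


def map_roles(username: str, backend_roles: List[str], roles_mapping: dict) -> List[str]:
    """roles_mapping.yml semantics: users OR any backend_role OR all and_backend_roles."""
    have = set(backend_roles)
    granted = [role for role, m in roles_mapping.items()
               if username in m.get("users", [])
               or have & set(m.get("backend_roles", []))
               or (m.get("and_backend_roles") and set(m["and_backend_roles"]) <= have)]
    return sorted(granted)


def diagnose(username: str, cfg: dict, directory=DIRECTORY, roles_mapping=ROLES_MAPPING) -> dict:
    """Shape mirrors the fields of interest in _opendistro/_security/authinfo."""
    backend_roles, reason = resolve_backend_roles(username, cfg, directory)
    return {"user_name": username, "backend_roles": backend_roles,
            "roles": map_roles(username, backend_roles, roles_mapping), "reason": reason}


if __name__ == "__main__":
    for label, cfg in (("as posted", AUTHZ_AS_POSTED), ("fixed", AUTHZ_FIXED)):
        for name in ("Ravindra Shukla (INSHUKLARA)", "ldapuser1"):
            print(label, diagnose(name, cfg))
```

Running it with the config as posted reproduces the empty backend_roles for both constructed users (one because the usersearch filter matches nothing, the other because '/\S*/' skips it); with the assumed fixes the DL group resolves to a backend role and roles_mapping grants adminrole, which is the state the authinfo call in the thread should show before the Security tab can appear.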