I am running my Open Distro in a Docker container using docker-compose. I have integrated LDAP by configuring the config.yml file.
Now the issue is that after the LDAP integration, my default admin login is not working anymore, even though I have the lines below in the authz section of my config.yml:
    skip_users:
      - kibanaserver
      - admin
I would like to know whether multiple authentication types are allowed or possible in Open Distro, like internal users as well as LDAP.
Please confirm. If this is possible, can you provide a sample config file that has 2 authentication methods?
I have resolved this issue, now I am able to authenticate using “admin” user as well as my LDAP user.
However, there is another issue I am facing: the mapping of roles to my LDAP user or group is not working. I am not able to see the “Security” tab in the Kibana UI when logged in using my LDAP user. Basically I am trying to grant my LDAP user/group admin access, but it's not working for me.
Could you please suggest what I am missing or anything I am doing wrong?
My ODFE version is 1.13.2.
Please see below my config.yml, roles.yml and roles_mapping.yml files.
config.yml:
config:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    #do_not_fail_on_forbidden: false
    #kibana:
      # Kibana multitenancy
      #multitenancy_enabled: true
      #server_username: kibanaserver
      #index: '.kibana'
    http:
      anonymous_auth_enabled: true
      xff:
        enabled: false
        internalProxies: '192.168.0.10|192.168.0.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        #remoteIpHeader: 'x-forwarded-for'
        ###### see Pattern (Java Platform SE 7) for regex help
        ###### more information about XFF: X-Forwarded-For - Wikipedia
        ###### and here: RFC 7239 - Forwarded HTTP Extension
        ###### and Apache Tomcat 8 Configuration Reference (8.0.53) - The Valve Component
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      ldap:
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: "ldap"
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - "ldap.ad1.example.com:389"
            bind_dn: "CN=SRVLDAPUSER,OU=Users,OU=People,OU=IN,DC=ldap,DC=ad1,DC=example,DC=com"
            password: "*****"
            userbase: "OU=IN,DC=ldap,DC=ad1,DC=example,DC=com"
            usersearch: "(sAMAccountName={0})"
            username_attribute: cn
    authz:
      ldap:
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - ldap.ad1.example.com:389
            bind_dn: CN=SRVLDAPUSER,OU=Users,OU=People,OU=IN,DC=ldap,DC=ad1,DC=example,DC=com
            password: "*******"
            userbase: 'OU=IN,DC=ldap,DC=ad1,DC=example,DC=com'
            usersearch: '(uid={0})'
            username_attribute: uid
            rolebase: 'OU=Groups,DC=ldap,DC=ad1,DC=example,DC=com'
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: none
            rolename: cn
            resolve_nested_roles: true
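To reason about why backend_roles can come back empty for an LDAP user, the following added example (not code from the thread or from Open Distro itself) models the lookup chain the authz block above describes: userbase/usersearch locate the user's DN, rolebase/rolesearch find groups whose member attribute holds that DN, rolename picks the group name, and resolve_nested_roles walks groups of groups. The directory is constructed, AD-style sample data, and the filter escaping is a plain RFC 4515 implementation rather than the plugin's own code.

```python
import re

def ldap_escape(value):
    """RFC 4515 escaping for a value substituted into a filter placeholder such as {0}."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

# Constructed AD-style sample directory (DN -> attributes); not real data.
USERS = "OU=IN,DC=ldap,DC=ad1,DC=example,DC=com"
GROUPS = "OU=Groups,DC=ldap,DC=ad1,DC=example,DC=com"
JDOE = f"CN=jdoe,{USERS}"
DIRECTORY = {
    JDOE: {"cn": ["jdoe"], "sAMAccountName": ["jdoe"]},
    f"CN=es-admins,{GROUPS}": {"cn": ["es-admins"], "member": [JDOE]},
    f"CN=platform,{GROUPS}": {"cn": ["platform"], "member": [f"CN=es-admins,{GROUPS}"]},
}

def search(base, filt):
    """Subtree search for a single equality filter, e.g. (member=<dn>) after substitution."""
    attr, value = re.fullmatch(r"\((\w+)=(.*)\)", filt).groups()
    value = ldap_unescape(value).lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower())
            and any(v.lower() == value for v in attrs.get(attr, []))]

def resolve_backend_roles(authz, username):
    """Mirror the authz chain: usersearch -> user DN, rolesearch -> groups, rolename -> names."""
    found = search(authz["userbase"], authz["usersearch"].replace("{0}", ldap_escape(username)))
    if not found:
        return []  # the authz domain never located the user, so it yields no backend roles
    pending, groups = [found[0]], []
    while pending:  # only re-queues groups when resolve_nested_roles is set
        dn = pending.pop(0)
        for group in search(authz["rolebase"], authz["rolesearch"].replace("{0}", ldap_escape(dn))):
            if group not in groups:
                groups.append(group)
                if authz.get("resolve_nested_roles"):
                    pending.append(group)
    return [DIRECTORY[g][authz["rolename"]][0] for g in groups]

# Hypothetical authz settings in the same shape as the config.yml above.
AUTHZ = {"userbase": USERS, "usersearch": "(sAMAccountName={0})", "rolebase": GROUPS,
         "rolesearch": "(member={0})", "rolename": "cn", "resolve_nested_roles": True}

if __name__ == "__main__":
    print(resolve_backend_roles(AUTHZ, "jdoe"))  # ['es-admins', 'platform']
    print(resolve_backend_roles({**AUTHZ, "usersearch": "(uid={0})"}, "jdoe"))  # []
```

The second call shows the effect of a usersearch filter that matches nothing in this sample directory: the role lookup never starts, which is what an empty backend_roles in the authinfo output looks like.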
@ravis85 I tested that with an internal user. I’ll see if LDAP works too.
Be sure that the role name in opendistro_security.restapi.roles_enabled: [] is exactly the same as your custom role.
Hi @pablo, this is what I am getting as the result of the above curl command without doing the changes you suggested above. I am working on applying the changes you provided above.
Hi @pablo, I am getting some syntax errors in the securityadmin.sh results for the roles.yml file. Maybe because of typos. I am fixing them; I will update you.
@pablo Would you mind sharing the snippet of your roles.yml and roles_mapping.yml as shown in the above screenshots? Typing it manually on my side is giving me some errors, maybe because of a typo, I guess. It would be a great help.
Hi @pablo, yes, now I am having the same doubt, because I made the same changes as you did and I can still see the backend_roles as empty when I run the curl command for my LDAP user.