Hello everybody,
the current situation is this: we have installed Open Distro 1.4.0, both the Elasticsearch part and the Kibana part. We have correctly set up authentication with Keycloak, which works correctly, and we receive all the data we need in the JWT.
Some data, however, we have stored in LDAP, and to use it we inserted the LDAP part into authz, since the guide specifies that:
By default, the Security plugin reads all LDAP user attributes and makes them available for index name variable substitution and DLS query variable substitution. If your LDAP entries have a lot of attributes, you might want to control which attributes should be made available. The fewer the attributes, the better the performance.
The problem is that the role fields arrive correctly, but not the attributes. If I map the attributes onto the roles I can see them correctly, but I can't see the various attr.ldap attributes if we call, for example, from the Kibana console:
GET _opendistro/_security/api/account
Do you have any idea why the attributes aren't coming in when LDAP is used for authorization?
The current configuration is as follows:
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      openid_auth_domain:
        description: "Authenticate via Keycloak"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: "openid"
          challenge: false
          config:
            subject_key: "preferred_username"
            roles_key: "roles"
            openid_connect_url: "keycloakUrl"
        authentication_backend:
          type: "noop"
    authz:
      organizationsFromldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: "ldap"
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - "192.168.0.77:389"
            bind_dn: "cn=admin,dc=foo,dc=example,dc=org"
            password: "password"
            rolesearch_enabled: false
            userbase: "dc=foo,dc=example,dc=org"
            usersearch: "(cn={0})"
            username_attribute: "cn"
            custom_attr_whitelist:
              - "ou"
              - "uid"
            skip_users:
              - "kibanaserver"
Even removing or adding
custom_attr_whitelist:
changes nothing.
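A small diagnostic for the check the post is doing by hand, added here as an example (it is not part of the original post and not Open Distro's own code): it takes the JSON returned by GET _opendistro/_security/api/account, groups the entries of its custom_attribute_names field by the backend prefix (attr.ldap.*, attr.jwt.*, attr.proxy.*, ...), and reports which attributes from custom_attr_whitelist never showed up as attr.ldap.<name>. The account response below is a constructed sample shaped like that endpoint's output, not a capture from the poster's cluster; the attr.<backend>.<attribute> naming is assumed from the plugin's documented variable-substitution names.

```python
import json

# Constructed sample of a GET _opendistro/_security/api/account response.
# The user authenticated through the OpenID domain (hence attr.jwt.* names)
# and LDAP authorization supplied only one of the two whitelisted attributes.
SAMPLE_ACCOUNT_RESPONSE = """
{
  "user_name": "jdoe",
  "is_reserved": false,
  "is_hidden": false,
  "is_internal_user": false,
  "user_requested_tenant": null,
  "backend_roles": ["ldap-admins", "keycloak-users"],
  "custom_attribute_names": ["attr.jwt.sub", "attr.jwt.preferred_username", "attr.ldap.ou"],
  "tenants": {"jdoe": true, "global_tenant": true},
  "roles": ["own_index", "all_access"]
}
"""

# The whitelist from the config.yml in the post.
CUSTOM_ATTR_WHITELIST = ["ou", "uid"]


def attribute_sources(account_json: str) -> dict:
    """Group custom_attribute_names by the backend that supplied them.

    Names follow the assumed pattern attr.<backend>.<attribute>; anything that
    does not match is collected under "other" so nothing is silently dropped.
    """
    account = json.loads(account_json)
    sources = {}
    for name in account.get("custom_attribute_names", []):
        parts = name.split(".", 2)
        if len(parts) == 3 and parts[0] == "attr":
            sources.setdefault(parts[1], []).append(parts[2])
        else:
            sources.setdefault("other", []).append(name)
    return sources


def missing_ldap_attributes(account_json: str, whitelist) -> list:
    """Return whitelisted LDAP attributes that did not arrive as attr.ldap.<name>."""
    present = set(attribute_sources(account_json).get("ldap", []))
    return [attr for attr in whitelist if attr not in present]


if __name__ == "__main__":
    by_source = attribute_sources(SAMPLE_ACCOUNT_RESPONSE)
    for backend, attrs in sorted(by_source.items()):
        print(f"{backend}: {', '.join(attrs)}")
    missing = missing_ldap_attributes(SAMPLE_ACCOUNT_RESPONSE, CUSTOM_ATTR_WHITELIST)
    print("missing from LDAP:", missing or "none")
```

Feed the script the real response (for example the body saved from the Kibana console) in place of the constructed sample; an empty "ldap" group with a populated "jwt" group tells you at a glance that only the OpenID authenticator contributed attributes, which is the symptom the post describes.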