Hi guys , i want to create a role using the kibana security plugin for only the ldap users to use and a backend role to access only dashboards for the ldap users , any idea what should i set in the users tab and the backend roles tab ?
Thanks in advance.
@HeiDri You would need to assign groups in ldap, using these groups you can map users directly to a role, In order to only be able to show dashboards and other kibana objects for subset of users you will need to create a new tenant, the role would need to have relevant permissions for this tenant. The dashboards (and any other kibana objects) would then need to be re/created on that tenant for other members of that role to view. There is no need to create any users individually in users tab. Hope this helps
Hi @Anthony , thanks for the reply , i’ve managed to make the ldap connection work by configuring the config.yml file , but my problem here in configuring the role that would give acces to certain ldap group , beacuse right now the user is having only the own_index permission, can you share an example of your configuration if you don’t mind
@HeiDri so currently you are able to log in and get assigned a certain role based on group on ldap and just need to give the correct permissions for index and tenant? Or the roles are not assigned at login?
@Anthony yes when i login using my credentials the assigned role is own_index, by default any user from ldap connection is logged in and given the own_index role , i want to create a role for the ldap users so when any user log in automatically he will get this new created role
@HeiDri See my config.yml below (note some of the options are not necessary)
authc:
basic_internal_auth_domain:
description: "Authenticate via HTTP Basic against internal users database"
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: intern
ldap:
description: "Authenticate via LDAP or Active Directory"
http_enabled: true
transport_enabled: false
order: 2
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: ldap
config:
enable_ssl: false
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: false
hosts:
- <ldap_ip>:<ldap_port>
bind_dn: <username>
password: <password>
userbase: 'cn=Users,dc=local,dc=local'
username_attribute: "uid"
usersearch: '(sAMAccountName={0})'
authz:
roles_from_myldap:
description: "Authorize via LDAP or Active Directory"
http_enabled: true
transport_enabled: false
authorization_backend:
type: ldap
config:
enable_ssl: false
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: false
hosts:
- <ldap_ip>:<ldap_port>
bind_dn: <username>
password: <password>
rolebase: 'ou=GroupsNew,dc=local,dc=local'
rolesearch: '(member={0})'
userroleattribute: null
userrolename: disabled
rolename: cn
resolve_nested_roles: true
userbase: 'cn=Users,dc=local,dc=local'
usersearch: '(uid={0})'
on the ldap side I have my users defined in cn=Users and assigned to groups in ou=GroupsNew.
The users are then assigned the given group name (in my case ‘employees’), as a backend role, which is then mapped in role_mappings.yml file as below
testRole1:
backend_roles:
- employees
testRole1 is then defined in roles.yml file and gives access to testTenant.
This is assuming you have testTenant set up on tenants.yml file.