Error using LDAP/Active directory authentication

Hello community,

I am trying to configure LDAP/Active directory authentication and it seems like it works well and it doesn’t at the same time. After I have done all the configuration, I try to log in Kibana using my LDAP credentials and it recognizes if the credentials are good or bad. But, if I successfully log in, I am asked for credentials again in a new window that pops up, it’s like a second layer of authentication that I don’t want:

And after using the same credentials here, I finally get an error:

I have checked that I can list all indices using my LDAP credentials using the Elasticsearch API:
curl -k -u user:password https://ES-IP:9200/_cat/indices

Checking the browser’s dev tools, I see that I get the error when I am forwarded to the page:
https://KIBANA-DNS/app/select_tenant?nextURL=%2F

My Kibana service is using the admin user, and my LDAP backend role is being mapped to the role all_access and to another role with unlimited privileges and all permissions for the global and admin tenant.

When I log in Kibana, I can see this log in the Elasticsearch logs:

But after I get access denied when I put my credentials in the window that pops up (I don’t even know why I get asked credentials twice) I get this error in Kibana logs:

Oct 29 13:14:06 kibana[12899]: {"type":"response","@timestamp":"2020-10-29T12:14:06Z","tags":,"pid":12899,"method":"get","statusCode":401,"req":{"url":"/app/select_tenant?nextUrl=%2F","method":"get","headers":{"host":"DNS","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate, br","referer":"https://DNS/app/login?nextUrl=%2F","upgrade-insecure-requests":"1","x-forwarded-for":"IP","connection":"close"},"remoteAddress":"IP","userAgent":"IP","referer":"https://DNS/app/login?nextUrl=%2F"},"res":{"statusCode":401,"responseTime":29,"contentLength":9},"message":"GET /app/select_tenant?nextUrl=%2F 401 29ms - 9.0B"}

So the questions are:

  • Why do I have to put credentials twice?
  • Why is my LDAP account not working on the second authentication? If I use admin:admin or kibanaserver:kibanaserver there, it works.

Any ideas would be much appreciated.

Thank you.
Regards,
Sergio.

It sounds like your user does not have permission to use Kibana/ not having permission to use indexes required for using Kibana.

So when you log into Kibana you get authenticated with LDAP but your user does not have a role that gives it permission to use Kibana. You should be able to verify this hypothesis by giving your user more permissions; the predefined role kibana_user should be enough. Users and Roles - Open Distro Documentation

Hi oscark,

My LDAP group is mapped as a backend role to the roles all_access and to another one that has unlimited permissions on the index pattern .kibana* and all my data indices. Also, it has all privileges for the global and admin tenant.
Thanks for your suggestion, I will try to map it to the kibana_user role too and let you know the result.
Regards,
Sergio.

Hi,
I have created a new test user and mapped it to the role all_access, and I can log in successfully using this user. However, my LDAP user keeps getting the Unauthorized access even if in the Elasticsearch logs it appears that the login was successful and the LDAP group is mapped via backend role to the all_access role too.

Any help would be appreciated.

Regards,
Sergio.

Just an update. I have verified that if I change enable_ssl to false and change the port to 389, it works perfectly. If I enable SSL and change the port to 636, I have the error mentioned above.

@sergiospa the CA cert that was used to sign the certificate received from LDAP needs to be included in the config as it tries to validate it. There is an option under config, "pemtrustedcas_filepath: /full/path/to/trusted_cas.pem", where the CA cert should be specified. Can you provide your config.yml file?
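The following config.yml fragment is an added illustration of the point made in the last reply; it is not the poster's configuration and not taken from the Open Distro project. It shows the plaintext LDAP setting that worked for the poster (port 389, enable_ssl false) next to the LDAPS setting (port 636, enable_ssl true) with the pemtrustedcas_filepath entry that the TLS certificate validation requires, in both the authc (authentication) and authz (backend role lookup) domains, since each has its own connection settings. All host names, DNs, search filters and paths are placeholders (assumed values), not real ones.

```yaml
# Added example, not from this thread: Open Distro Security config.yml with an
# "ldap" authentication domain and an LDAP authorization domain.
# Host names, DNs, filters and paths below are placeholders.
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    authc:
      ldap:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            # --- Plaintext LDAP (port 389): no CA needed, but the bind
            # password and every user's credentials cross the network in clear.
            # enable_ssl: false
            # hosts:
            #   - ldap.example.com:389

            # --- LDAPS (port 636): the plugin validates the server certificate,
            # so the CA that signed it has to be trusted explicitly. Without
            # this entry the TLS handshake fails and the user ends up unauthenticated.
            enable_ssl: true
            verify_hostnames: true
            pemtrustedcas_filepath: /full/path/to/trusted_cas.pem
            hosts:
              - ldap.example.com:636
            bind_dn: "cn=svc-opendistro,ou=service accounts,dc=example,dc=com"
            password: "<bind-password-placeholder>"
            userbase: "ou=people,dc=example,dc=com"
            usersearch: "(sAMAccountName={0})"
            username_attribute: sAMAccountName

    authz:
      roles_from_ldap:
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            # Same TLS settings as the authc domain; the group lookup opens its
            # own connection and validates the certificate again.
            enable_ssl: true
            verify_hostnames: true
            pemtrustedcas_filepath: /full/path/to/trusted_cas.pem
            hosts:
              - ldap.example.com:636
            bind_dn: "cn=svc-opendistro,ou=service accounts,dc=example,dc=com"
            password: "<bind-password-placeholder>"
            rolebase: "ou=groups,dc=example,dc=com"
            rolesearch: "(member={0})"
            # Group DNs found here become backend roles, which roles_mapping.yml
            # then maps to security roles such as all_access or kibana_user.
            userrolename: memberOf
            rolename: cn
            resolve_nested_roles: false
```

Before reloading the security configuration, the CA file can be checked against the directory server with `openssl s_client -connect ldap.example.com:636 -CAfile /full/path/to/trusted_cas.pem`; the output should end with "Verify return code: 0 (ok)". A non-zero verify code there points at a CA or hostname mismatch rather than at the role mapping, which matches the symptom in this thread where the same mapping worked on port 389.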