LDAP add permissions (authorize) to data

Hi there,

First of all, the documentation and the project in general are a great thing!

I could install OpenDistro v1 without any problem on an Ubuntu 18.04 LTS base. Furthermore I added LDAP authentication to Kibana through the “config.yml” config file. The good thing is, I can successfully log in with my domain user. The bad one, I have an empty view of the indexes and can not find them (or any other module).

My authc section:

ldap:
  description: "Authenticate via LDAP or Active Directory"
  http_enabled: true
  transport_enabled: true
  order: 5
  http_authenticator:
    type: "basic"
    challenge: false
  authentication_backend:
    type: "ldap"
    config:
      enable_ssl: false
      enable_start_tls: false
      enable_ssl_client_auth: false
      verify_hostnames: false
      hosts:
        - "MYDC:389"
      bind_dn: "cn=ServiceUser,ou=SubOU,dc=DOMAIN,dc=TLD"
      password: "MYPASSWORD"
      userbase: "dc=DOMAIN,dc=TLD"
      usersearch: "(sAMAccountName={0})"
      username_attribute: "cn"

So I guess the authorization (authz) isn't working.

authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: "ldap"
      config:
        enable_ssl: false
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
          - "MYDC:389"
        bind_dn: "cn=ServiceUser,ou=SubOU,dc=DOMAIN,dc=TLD"
        password: "MYPASSWORD"
        rolebase: "dc=DOMAIN,dc=TLD"
        rolesearch: "(member={0})"
        userroleattribute: null
        userrolename: "disabled"
        rolename: "cn"
        resolve_nested_roles: true
        userbase: "dc=DOMAIN,dc=TLD"
        usersearch: "(uid={0})"

As described at https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/ldap/#use-active-directory-and-ldap-for-authorization I tried to configure the authorization.

The goal is to grant the LDAP Group “Linux-Team” full access to the system like the default (internal) “admin” user.

The LDAP group is located at:
CN=Linux-Group,OU=CUSTOMGROUPS,OU=GROUPS,DC=DOMAIN,DC=TLD

My personal user is a member of the group and can log in. But the view, especially the data sets, is not available to this user.

roles.yml:

ROLE_LDAP_ADMIN:
  reserved: false
  hidden: false
  cluster_permissions:
    - "unlimited"
  index_permissions:
    - index_patterns:
        - "*"
      dls: ""
      fls:
      masked_fields:
      allowed_actions:
  tenant_permissions:
  static: false
Linux-Group:
  reserved: false
  hidden: false
  cluster_permissions:
    - "unlimited"
  index_permissions:
    - index_patterns:
        - "*"
      dls: ""
      fls:
      masked_fields:
      allowed_actions:
  tenant_permissions:
    - tenant_patterns:
        - "global_tenant"
      allowed_actions:
        - "kibana_all_read"
  static: false

role_mapping.yml:

ROLE_LDAP_ADMIN:
  reserved: false
  hidden: false
  backend_roles:
    - "Linux-Group"
  hosts:
  users:
  and_backend_roles:

View with internal “admin” user:

View with my ldap user:

What are the results of a call to localhost:9200/_opendistro/_security/authinfo?pretty with that user?

curl --insecure https://localhost:9200/_opendistro/_security/authinfo?pretty -u ldapusername

It will show the details about what is being received by authz. If you are using Active Directory, you may need to adjust what is populated into the {0} in your config.yml:

usersearch: "(uid={0})"

I had to change this to what AD was using for the account name instead of the Linux-style uid:

usersearch: "(sAMAccountName={0})"

Thanks for your response. Indeed it makes sense to adjust the usersearch. I changed it as you mentioned; it is the same as the one from the authc section.

Your curl request seems to be working with the correct assignment of the local Kibana roles, but the data isn't displayed yet:

root@opendistro:~# curl --insecure https://localhost:9200/_opendistro/_security/authinfo?pretty -u myuser
Enter host password for user 'myuser':
{
  "user" : "User [name=My User, roles=[different, groups,…], requestedTenant=null]",
  "user_name" : "My User",
  "user_requested_tenant" : null,
  "remote_address" : "[::1]:58196",
  "backend_roles" : [
    "different groups",
    "Linux-Group"
  ],
  "custom_attribute_names" : [
    "attr.ldap.msRTCSIP-PrimaryUserAddress",
    "attr.ldap.msTSExpireDate",
    "attr.ldap.logonCount",
    "attr.ldap.lastLogon",
    "attr.ldap.postalCode",
    "attr.ldap.badPwdCount",
    "attr.ldap.userAccountControl",
    "attr.ldap.whenCreated",
    "ldap.original.username",
    "attr.ldap.lastLogoff",
    "attr.ldap.msRTCSIP-FederationEnabled",
    "attr.ldap.l",
    "attr.ldap.sAMAccountName",
    "attr.ldap.msExchTextMessagingState",
    "attr.ldap.userPrincipalName",
    "attr.ldap.msExchUCVoiceMailSettings",
    "attr.ldap.whenChanged",
    "attr.ldap.msRTCSIP-InternetAccessEnabled",
    "attr.ldap.description",
    "attr.ldap.lockoutTime",
    "attr.ldap.displayName",
    "attr.ldap.objectSid",
    "attr.ldap.codePage",
    "attr.ldap.msRTCSIP-Line",
    "attr.ldap.mail",
    "attr.ldap.msExchUMDtmfMap",
    "attr.ldap.lastLogonTimestamp",
    "attr.ldap.primaryGroupID",
    "attr.ldap.msExchMailboxGuid",
    "attr.ldap.objectGUID",
    "attr.ldap.msTSLicenseVersion3",
    "attr.ldap.msTSLicenseVersion2",
    "attr.ldap.msRTCSIP-UserPolicies",
    "attr.ldap.company",
    "attr.ldap.msExchProvisioningFlags",
    "attr.ldap.countryCode",
    "attr.ldap.department",
    "attr.ldap.msExchRemoteRecipientType",
    "attr.ldap.instanceType",
    "attr.ldap.msRTCSIP-UserEnabled",
    "attr.ldap.telephoneNumber",
    "attr.ldap.msTSManagingLS",
    "attr.ldap.objectClass",
    "attr.ldap.msExchVersion",
    "attr.ldap.msExchUMEnabledFlags2",
    "attr.ldap.givenName",
    "attr.ldap.msRTCSIP-DeploymentLocator",
    "attr.ldap.msRTCSIP-OptionFlags",
    "ldap.dn",
    "attr.ldap.sAMAccountType",
    "attr.ldap.co",
    "attr.ldap.cn",
    "attr.ldap.msExchMobileBlockedDeviceIDs",
    "attr.ldap.accountExpires",
    "attr.ldap.msExchMobileMailboxFlags",
    "attr.ldap.dSCorePropagationData",
    "attr.ldap.name",
    "attr.ldap.c",
    "attr.ldap.uSNCreated",
    "attr.ldap.uSNChanged",
    "attr.ldap.msExchRecipientTypeDetails",
    "attr.ldap.streetAddress",
    "attr.ldap.pwdLastSet",
    "attr.ldap.msExchUserAccountControl",
    "attr.ldap.msRTCSIP-UserRoutingGroupId",
    "attr.ldap.msExchRecipientDisplayType",
    "attr.ldap.sn",
    "attr.ldap.msExchWhenMailboxCreated",
    "attr.ldap.mailNickname",
    "attr.ldap.msExchMobileAllowedDeviceIDs",
    "attr.ldap.mobile",
    "attr.ldap.msTSLicenseVersion",
    "attr.ldap.msExchHideFromAddressLists",
    "attr.ldap.st"
  ],
  "roles" : [
    "Linux-Group",
    "ROLE_LDAP_ADMIN",
    "own_index"
  ],
  "tenants" : {
    "My User" : true,
    "global_tenant" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

Although I don’t see the backend_roles array in that output, which is what I see right after the remote address, it looks like you are getting the correct mapping to ROLE_LDAP_ADMIN. I’d suggest adding the Linux-Group to the backend_roles of the kibana_user role mappings. You should be able to check it with an API call:

curl -k -XGET 'https://localhost:9200/_opendistro/_security/api/rolesmapping/kibana_user' -u admin
Enter host password for user 'admin':
{"kibana_user":{"reserved":false,"hidden":false,"backend_roles":["kibanauser","ES_readall"],"hosts":[],"users":[],"and_backend_roles":[],"description":"Maps kibanauser to kibana_user"}}

I thought I added the correct permissions to a custom role, but until I added the ldap backend_role to the kibana_user role mapping, it didn’t work.
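The two API calls discussed above (authinfo and rolesmapping) can be cross-checked offline. The script below is an added example, not code from the thread or from the OpenDistro project: it takes the JSON shapes those endpoints return, resolves which roles a user's LDAP backend roles map to, and flags mapped roles whose index_permissions carry no allowed_actions (the roles.yml posted above has exactly that shape, which leaves cluster access open but grants nothing on index data). All data is constructed; the kibana_user contents are a simplified assumption.

```python
# Constructed sample data modelled on this thread's authinfo output, role_mapping.yml
# and roles.yml. Not the poster's real cluster data.
AUTHINFO = {
    "user_name": "My User",
    "backend_roles": ["different groups", "Linux-Group"],
}

ROLES_MAPPING = {  # shape of GET _opendistro/_security/api/rolesmapping
    "ROLE_LDAP_ADMIN": {"backend_roles": ["Linux-Group"], "users": [], "hosts": []},
    "kibana_user": {"backend_roles": ["kibanauser", "ES_readall"], "users": [], "hosts": []},
}

ROLES = {  # shape of GET _opendistro/_security/api/roles; kibana_user is a simplified assumption
    "ROLE_LDAP_ADMIN": {
        "cluster_permissions": ["unlimited"],
        # index_patterns "*" but an empty allowed_actions: no index data is readable
        "index_permissions": [{"index_patterns": ["*"], "allowed_actions": []}],
    },
    "kibana_user": {
        "cluster_permissions": ["cluster_composite_ops"],
        "index_permissions": [{"index_patterns": [".kibana*"], "allowed_actions": ["read"]}],
    },
}


def mapped_roles(authinfo, roles_mapping):
    """Roles whose mapping names one of the user's backend roles or the user itself."""
    backend = set(authinfo["backend_roles"])
    return sorted(
        role for role, m in roles_mapping.items()
        if backend & set(m.get("backend_roles", [])) or authinfo["user_name"] in m.get("users", [])
    )


def index_actions_granted(role_names, roles):
    """For each role, list its (index_patterns, allowed_actions) pairs."""
    out = {}
    for name in role_names:
        perms = roles.get(name, {}).get("index_permissions", [])
        out[name] = [(tuple(p.get("index_patterns", [])), list(p.get("allowed_actions", [])))
                     for p in perms]
    return out


def roles_without_index_actions(role_names, roles):
    """Roles whose index_permissions grant no action at all: the user can reach the
    cluster APIs but will see no index data in Kibana."""
    granted = index_actions_granted(role_names, roles)
    return sorted(name for name, entries in granted.items() if not any(acts for _, acts in entries))


if __name__ == "__main__":
    mapped = mapped_roles(AUTHINFO, ROLES_MAPPING)
    print("mapped roles:", mapped)
    print("mapped roles granting no index actions:", roles_without_index_actions(mapped, ROLES))
```

Run against a live cluster, the three dicts would be replaced by the JSON bodies of the corresponding API calls; the checks themselves stay the same.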

Sorry, my bad, in the test environment I only have system indices at the moment, so I need to check the switch on the right…

Is there any known reason to bind the permission to the default group of kibana_user?
Normally it should be possible to create my own ACL model?

Thank you for your help!

Do you also know how to remove the “Welcome” screen with the demo data? It is always displayed, also on another system with data and its own index patterns…

The permissions can be added to a custom role. I just considered it better to use the default kibana_user in case changes to the permissions were needed in future releases. This way I don’t have to manage permissions that are needed for someone to be a kibana user.

You can set the default page for all people who log in to Kibana with the kibana.defaultAppId setting in kibana.yml. My kibana.yml has the name of a custom dashboard listed for all users as the default page.

kibana.defaultAppId: dashboard/custom-dash