Hi there,
first of all, the documentation and the project in general are a great thing!
I could install OpenDistro v1 without any problem on an Ubuntu 18.04 LTS base. Furthermore, I added LDAP authentication to Kibana through the "config.yml" config file. The good thing is, I can successfully log in with my domain user. The bad one: I have an empty view of the indexes and cannot find them (or any other module).
My authc section:
ldap:
  description: "Authenticate via LDAP or Active Directory"
  http_enabled: true
  transport_enabled: true
  order: 5
  http_authenticator:
    type: "basic"
    challenge: false
  authentication_backend:
    type: "ldap"
    config:
      enable_ssl: false
      enable_start_tls: false
      enable_ssl_client_auth: false
      verify_hostnames: false
      hosts:
        - "MYDC:389"
      bind_dn: "cn=ServiceUser,ou=SubOU,dc=DOMAIN,dc=TLD"
      password: "MYPASSWORD"
      userbase: "dc=DOMAIN,dc=TLD"
      usersearch: "(sAMAccountName={0})"
      username_attribute: "cn"
So I guess the authorization (authz) isn't working.
authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: "ldap"
      config:
        enable_ssl: false
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
          - "MYDC:389"
        bind_dn: "cn=ServiceUser,ou=SubOU,dc=DOMAIN,dc=TLD"
        password: "MYPASSWORD"
        rolebase: "dc=DOMAIN,dc=TLD"
        rolesearch: "(member={0})"
        userroleattribute: null
        userrolename: "disabled"
        rolename: "cn"
        resolve_nested_roles: true
        userbase: "dc=DOMAIN,dc=TLD"
        usersearch: "(uid={0})"
As described at https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/ldap/#use-active-directory-and-ldap-for-authorization, I tried to configure the authorization.
The goal is to grant the LDAP group "Linux-Team" full access to the system, like the default (internal) "admin" user.
The LDAP group is located at:
CN=Linux-Group,OU=CUSTOMGROUPS,OU=GROUPS,DC=DOMAIN,DC=TLD
My personal user is a member of the group and can log in. But the view, especially the data sets, is not available to this user.
roles.yml:
ROLE_LDAP_ADMIN:
  reserved: false
  hidden: false
  cluster_permissions:
    - "unlimited"
  index_permissions:
    - index_patterns:
        - "*"
      dls: ""
      fls: []
      masked_fields: []
      allowed_actions: []
  tenant_permissions: []
  static: false
Linux-Group:
  reserved: false
  hidden: false
  cluster_permissions:
    - "*"
    - "unlimited"
  index_permissions:
    - index_patterns:
        - "*"
      dls: ""
      fls: []
      masked_fields: []
      allowed_actions: []
  tenant_permissions:
    - tenant_patterns:
        - "global_tenant"
      allowed_actions:
        - "kibana_all_read"
  static: false
role_mapping.yml:
ROLE_LDAP_ADMIN:
  reserved: false
  hidden: false
  backend_roles:
    - "Linux-Group"
  hosts: []
  users: []
  and_backend_roles: []
View with internal "admin" user:
View with my LDAP user:
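The chain the config above has to satisfy is: the authz usersearch resolves the login name to a DN, rolesearch is run with that DN substituted for {0}, the rolename attribute of each hit becomes a backend role, and role_mapping.yml turns the backend role into a security role whose index_permissions decide what the user can see. The following is an added example, not code from the post or from the OpenDistro project: it models each of those steps over a constructed in-memory directory (the user entry, the OU names and the nested "Infra-Admins" group are invented; the filter evaluator only understands single "(attr=value)" filters) so the outcome of every link can be checked without a domain controller. It runs the chain once with the authz usersearch from the post and once with the authc one, and reports which index actions the mapped role finally grants.

```python
"""Walk the OpenDistro LDAP authz -> role_mapping -> roles chain offline.

Added example, not code from the post or the OpenDistro project: the steps
are modelled with plain dicts and an in-memory directory.
"""
import re

# Constructed directory (DN -> attributes). User entry, OUs and the nested
# group are invented; only the Linux-Group DN follows the post.
DIRECTORY = {
    "CN=Jane Doe,OU=Users,DC=DOMAIN,DC=TLD": {
        "cn": ["Jane Doe"],
        "sAMAccountName": ["jdoe"],
        # deliberately no "uid": AD user objects usually do not carry one
    },
    "CN=Linux-Group,OU=CUSTOMGROUPS,OU=GROUPS,DC=DOMAIN,DC=TLD": {
        "cn": ["Linux-Group"],
        "member": ["CN=Jane Doe,OU=Users,DC=DOMAIN,DC=TLD"],
    },
    "CN=Infra-Admins,OU=GROUPS,DC=DOMAIN,DC=TLD": {
        "cn": ["Infra-Admins"],
        "member": ["CN=Linux-Group,OU=CUSTOMGROUPS,OU=GROUPS,DC=DOMAIN,DC=TLD"],
    },
}

# Mirrors of the post's authz config, role_mapping.yml and roles.yml.
AUTHZ = {
    "rolebase": "dc=DOMAIN,dc=TLD",
    "rolesearch": "(member={0})",   # {0} is the user's DN
    "rolename": "cn",
    "resolve_nested_roles": True,
    "userbase": "dc=DOMAIN,dc=TLD",
    "usersearch": "(uid={0})",      # {0} is the login name
}
ROLE_MAPPING = {"ROLE_LDAP_ADMIN": {"backend_roles": ["Linux-Group"]}}
ROLES = {
    "ROLE_LDAP_ADMIN": {
        "cluster_permissions": ["unlimited"],
        "index_permissions": [{"index_patterns": ["*"], "allowed_actions": []}],
    }
}

_EQ_FILTER = re.compile(r"^\((?P<attr>[A-Za-z0-9-]+)=(?P<value>.+)\)$")


def _get(attrs, name):
    """LDAP attribute names are case-insensitive; look one up that way."""
    return next((v for k, v in attrs.items() if k.lower() == name.lower()), [])


def search(base, filter_template, arg):
    """DNs under `base` matching a single-equality filter, {0} substituted."""
    m = _EQ_FILTER.match(filter_template.replace("{0}", arg))
    if m is None:
        raise ValueError(f"only (attr=value) filters are modelled: {filter_template}")
    attr, value = m.group("attr"), m.group("value")
    return [
        dn for dn, attrs in DIRECTORY.items()
        if dn.lower().endswith(base.lower())
        and value.lower() in (v.lower() for v in _get(attrs, attr))
    ]


def resolve_user_dn(authz, username):
    """authz usersearch: the login name must yield exactly one entry."""
    hits = search(authz["userbase"], authz["usersearch"], username)
    return hits[0] if len(hits) == 1 else None


def resolve_backend_roles(authz, username):
    """rolesearch with the user DN; nested groups are followed by re-running
    the search with each group DN when resolve_nested_roles is set."""
    user_dn = resolve_user_dn(authz, username)
    if user_dn is None:
        return set()  # no DN -> nothing to substitute into (member={0})
    roles, queue = set(), [user_dn]
    while queue:
        dn = queue.pop()
        for group_dn in search(authz["rolebase"], authz["rolesearch"], dn):
            name = _get(DIRECTORY[group_dn], authz["rolename"])[0]
            if name not in roles:
                roles.add(name)
                if authz.get("resolve_nested_roles"):
                    queue.append(group_dn)
    return roles


def effective_index_actions(backend_roles):
    """backend roles -> security roles (role_mapping) -> index allowed_actions."""
    actions = set()
    for role, mapping in ROLE_MAPPING.items():
        if set(mapping.get("backend_roles", [])) & set(backend_roles):
            for perm in ROLES.get(role, {}).get("index_permissions", []):
                actions.update(perm.get("allowed_actions", []))
    return actions


if __name__ == "__main__":
    for usersearch in ("(uid={0})", "(sAMAccountName={0})"):
        cfg = dict(AUTHZ, usersearch=usersearch)
        roles = resolve_backend_roles(cfg, "jdoe")
        print(f"{usersearch:22} backend roles={sorted(roles)} "
              f"index actions={sorted(effective_index_actions(roles))}")
```

Two things fall out of running it: with a usersearch on an attribute the user entry does not have, no DN is found and rolesearch is never reached, so the backend-role list is empty; and even when the group resolves, the mapped role only grants the index actions that are actually listed under index_permissions, so an empty allowed_actions list still yields no visible indexes. A live check of the same chain is the plugin's authinfo endpoint, which lists the backend roles and security roles the plugin resolved for the authenticated user.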