LDAP Authz for Group Membership

Hi again community! Hope everyone is doing well during the holidays.

I appreciate all the help I’ve had thus far in this forum. Hoping you all might be able to help me out one more time.

Goal: Map security role to users in an Active Directory Group.

The DN for this group is:

cn=Dev-Users,ou=SRS,ou=AppManaged,ou=Groups,ou=IDM,dc=home,dc=test,dc=com

My username (jcannel) is a member of this group. I honestly find the settings here a bit overwhelming. Rather than spend countless hours with trial and error, I was hoping I might get advice from someone who has done this before.

Here is a (truncated and redacted) securityconfig/config.yml file I’m using:

config:
  dynamic:
    ...
    ...
    authc:
      ...
      ...
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - <redacted>
            bind_dn: <redacted>
            password: <redacted>
            userbase: 'dc=home,dc=test,dc=com'
            usersearch: '(sAMAccountName={0})'
            username_attribute: sAMAccountName
            pemtrustedcas_filepath: /usr/share/opensearch/config/ca-certs.pem
    authz:
      ldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - <redacted>
            bind_dn: <redacted>
            password: <redacted>
            rolebase: 'dc=home,dc=test,dc=com'
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: disabled
            rolename: cn
            resolve_nested_roles: true
            userbase: 'dc=home,dc=test,dc=com'
            usersearch: '(sAMAccountName={0})'
            username_attribute: sAMAccountName
            skip_users:
              - admin
              - dashboards

It seems I have this working with authenticating a user, but can’t seem to figure out authz. When I authenticate with my user jcannel I get:

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [cluster:monitor/main] and User [name=jcannel, backend_roles=[], requestedTenant=null]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [cluster:monitor/main] and User [name=jcannel, backend_roles=[], requestedTenant=null]"
  },
  "status": 403
}

Would love to have input from someone with more experience on this.
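The `backend_roles=[]` in the 403 above means the authz backend's group lookup returned nothing for the user, and the config has several settings that decide what that lookup does. The following is an added example (not code from the original post or from the OpenSearch project): a small in-memory model of the lookup chain the OpenSearch Security LDAP authorization backend performs, so the effect of `userbase`/`usersearch`, `rolebase`/`rolesearch`, `rolename`, `resolve_nested_roles` and `skip_users` can be checked without a live directory. The directory entries are constructed sample data (the user DN and the `All-Developers` parent group are hypothetical; the `Dev-Users` DN is the one from the post). Escaping of the substituted value, which a real backend must do before building the filter, is left out of this model.

```python
"""
Model of the OpenSearch Security LDAP authz lookup chain (added example):
  1. usersearch under userbase, with {0} = the login name  -> the user's DN
  2. rolesearch under rolebase, with {0} = that user DN     -> group entries
  3. take the `rolename` attribute of each match; with resolve_nested_roles,
     repeat step 2 with each group DN to pick up parent groups
"""
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# Constructed sample directory: DN -> attributes. DNs and attribute names are
# compared case-insensitively, as an AD server would.
DIRECTORY: Dict[str, Entry] = {
    "cn=jcannel,ou=Users,dc=home,dc=test,dc=com": {          # hypothetical user DN
        "objectClass": ["user"],
        "sAMAccountName": ["jcannel"],
    },
    "cn=Dev-Users,ou=SRS,ou=AppManaged,ou=Groups,ou=IDM,dc=home,dc=test,dc=com": {
        "objectClass": ["group"],
        "cn": ["Dev-Users"],
        "member": ["cn=jcannel,ou=Users,dc=home,dc=test,dc=com"],
    },
    "cn=All-Developers,ou=Groups,ou=IDM,dc=home,dc=test,dc=com": {  # hypothetical parent group
        "objectClass": ["group"],
        "cn": ["All-Developers"],
        "member": ["cn=Dev-Users,ou=SRS,ou=AppManaged,ou=Groups,ou=IDM,dc=home,dc=test,dc=com"],
    },
}

# The authz settings from the post that drive the lookup.
CONFIG = {
    "userbase": "dc=home,dc=test,dc=com",
    "usersearch": "(sAMAccountName={0})",
    "rolebase": "dc=home,dc=test,dc=com",
    "rolesearch": "(member={0})",
    "rolename": "cn",
    "resolve_nested_roles": True,
    "skip_users": ["admin", "dashboards"],
}


def _split_filters(s: str) -> List[str]:
    """Split '(a=b)(c=d)' into ['(a=b)', '(c=d)'] by parenthesis depth."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def matches(entry: Entry, filt: str) -> bool:
    """Minimal LDAP filter evaluator: equality plus & and | combinations."""
    body = filt[1:-1]
    if body and body[0] in "&|":
        results = [matches(entry, sub) for sub in _split_filters(body[1:])]
        return all(results) if body[0] == "&" else any(results)
    attr, _, value = body.partition("=")   # first '=' separates attr from value
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(v.lower() == value.lower() for v in values)


def search(base: str, filt: str) -> List[Tuple[str, Entry]]:
    """Subtree search: entries whose DN lies under `base` and match `filt`."""
    base_l = base.lower()
    return [(dn, attrs) for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base_l) and matches(attrs, filt)]


def find_user_dn(username: str, cfg: dict) -> Optional[str]:
    """Step 1: usersearch must yield exactly one entry, else there is no DN to use."""
    hits = search(cfg["userbase"], cfg["usersearch"].replace("{0}", username))
    return hits[0][0] if len(hits) == 1 else None


def resolve_backend_roles(username: str, cfg: dict) -> List[str]:
    """Steps 2 and 3: group names that become backend_roles for the user."""
    if username in cfg.get("skip_users", []):
        return []                       # backend is not consulted for skipped users
    user_dn = find_user_dn(username, cfg)
    if user_dn is None:
        return []                       # this is one way to end up with backend_roles=[]
    roles, queue, seen = set(), [user_dn], set()
    while queue:
        dn = queue.pop()
        if dn.lower() in seen:
            continue                    # guard against group membership cycles
        seen.add(dn.lower())
        filt = cfg["rolesearch"].replace("{0}", dn).replace("{1}", username)
        for role_dn, attrs in search(cfg["rolebase"], filt):
            roles.add(attrs.get(cfg["rolename"], [role_dn])[0])
            if cfg["resolve_nested_roles"]:
                queue.append(role_dn)   # parent groups list this group as a member
    return sorted(roles)


if __name__ == "__main__":
    print(find_user_dn("jcannel", CONFIG))
    print(resolve_backend_roles("jcannel", CONFIG))
```

Running it with the posted settings yields both `Dev-Users` and, through `resolve_nested_roles`, `All-Developers`; narrowing `rolebase` to the `ou=SRS,...` subtree drops the parent group because its DN is outside the base, and a login name that `usersearch` cannot resolve to exactly one entry produces an empty list, which is the `backend_roles=[]` shape seen in the error. Any such empty result is worth confirming against the real directory with the same bind account the plugin uses, since the bind DN's read permissions on the group OU are part of what the lookup depends on.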

Never mind on this. I figured it out.

Great resource here:

Wish that was part of the documentation; it provides a nice clean example.