LDAP backend roles

Hi guys, lately I’ve added the OD security plugin to ELK 7.4.0 and I configured LDAP and it works fine, but my problem is the backend roles of the LDAP users!! It affects nothing for everyone and the role is own_index.


How can I change the roles, and is there a way to use created backend roles, not the ones gathered from the LDAP server?

Thanks in advance.


@HeiDri The roles are gathered from ldap groups, these are then mapped to roles in odfe. So for example I have a user in ldap with group called “employees”, in role_mappings.yml file I map that backend role to all_access (same as admin).

all_access:
   reserved: false
   backend_roles:
      - "admin"
      - "employess"

config.yml is as follows:

authc:
  ldap:
      description: "Authenticate via LDAP or Active Directory"
      http_enabled: true
      transport_enabled: false
      order: 5
      http_authenticator:
        type: basic
        challenge: true
      authentication_backend:
        type: ldap
        config:
          enable_ssl: false
          enable_start_tls: false
          enable_ssl_client_auth: false
          verify_hostnames: false
          hosts:
            - <ldap_ip>
          bind_dn: <...>
          password: <...>
          userbase: 'cn=Users,dc=local,dc=local'
          username_attribute: "sAMAccountName"
          usersearch: '(sAMAccountName={0})'
authz:    
    roles_from_myldap:
      description: "Authorize via LDAP or Active Directory"
      http_enabled: true
      transport_enabled: false
      authorization_backend:
        type: ldap
        config:
          enable_ssl: false
          enable_start_tls: false
          enable_ssl_client_auth: false
          verify_hostnames: false
          hosts:
            - <ldap_ip>
          bind_dn: <...>  
          password: <...>
          rolebase: 'ou=GroupsNew,dc=local,dc=local'
          rolesearch: '(member={0})'
          userroleattribute: null
          userrolename: disabled
          resolve_nested_roles: false
          userbase: 'cn=Users,dc=local,dc=local'
          usersearch: '(sAMAccountName={0})'

Hope this helps

Thank you for your solution to map LDAP users to ODFE roles using their group.

However, how would you proceed if you want to map these LDAP groups on a custom role other than ‘all_access’?

I did this but I do not get LDAP users from the group (let’s say ‘employess’) to connect.

Here is the code, and I wonder what I am missing here:

all_access:
  reserved: false
  backend_roles:
  - "admin"
  description: "Maps admin to all_access"


# Custom role defined to capture 'employess' LDAP group user and map them on permissions roles
all_employess_access:
  reserved: false
  hidden: false
  backend_roles:
  - "employess"
  hosts: []

Thanks for any help.

@Kamikague have you created a role called all_employess_access in the roles.yml file or using the UI?
The reason it works with all_access is because there is a built-in role defined with that name.
I assume you are using the config file instead of the UI, in which case you should create a role in the roles.yml file and give it the necessary privileges. Don’t forget to upload the new config to the security index.

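A small consistency check for the situation described in the reply above, added here as an example and not code from the thread or from the Open Distro project: before uploading with securityadmin.sh, verify that every entry in roles_mapping.yml targets a role that is either built in or defined in roles.yml, so a mapping to an undefined custom role is caught instead of silently granting nothing. The embedded files are constructed samples reproducing the poster's config (in practice load both files with yaml.safe_load()); the built-in role set and the sample permissions are assumptions.

```python
"""Sanity-check an ODFE roles_mapping.yml against roles.yml before running securityadmin.sh.

Added example. In practice load both files with yaml.safe_load(); here they are embedded
as already-parsed dicts (constructed samples) so the script runs without PyYAML.
"""

# Built-in roles mentioned in the thread; the real plugin ships more (assumption: extend as needed).
BUILTIN_ROLES = {"all_access", "own_index"}

# Constructed roles.yml content: no custom role defined yet (the poster's initial state).
ROLES_BEFORE = {
    "_meta": {"type": "roles", "config_version": 2},
}

# Constructed roles_mapping.yml content: the mapping the poster showed.
ROLES_MAPPING = {
    "_meta": {"type": "rolesmapping", "config_version": 2},
    "all_access": {"reserved": False, "backend_roles": ["admin"],
                   "description": "Maps admin to all_access"},
    "all_employess_access": {"reserved": False, "hidden": False,
                             "backend_roles": ["employess"], "hosts": []},
}

# Constructed roles.yml after defining the custom role with (assumed) sample privileges.
ROLES_AFTER = {
    "_meta": {"type": "roles", "config_version": 2},
    "all_employess_access": {
        "reserved": False,
        "cluster_permissions": ["cluster_composite_ops_ro"],
        "index_permissions": [{"index_patterns": ["logs-*"], "allowed_actions": ["read"]}],
    },
}


def check_role_mappings(roles, mappings, builtin_roles=BUILTIN_ROLES):
    """Return a list of problems; an empty list means the two files are consistent.

    Flags a mapping whose target role is neither defined in roles.yml nor built in
    (the symptom in the thread), a mapping that matches nobody, and a defined custom
    role that nothing is mapped to.
    """
    problems = []
    defined = {name for name in roles if name != "_meta"}
    for role, mapping in mappings.items():
        if role == "_meta":
            continue
        if role not in defined and role not in builtin_roles:
            problems.append(f"mapping '{role}' targets a role not defined in roles.yml")
        subjects = [mapping.get(key) or [] for key in ("backend_roles", "users", "hosts")]
        if not any(subjects):
            problems.append(f"mapping '{role}' matches nobody (no backend_roles/users/hosts)")
    for role in sorted(defined - set(mappings)):
        problems.append(f"role '{role}' is defined but has no mapping")
    return problems
```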

I did just that and it is working now. I created a role named all_employess_access in roles.yml and another one, named all_employess_access, for the mapping in the file roles_mapping.yml, and then I uploaded the configuration again using securityadmin.sh. Thank you for the support.