Hi guys , lately i’ve added OD security plugin to ELK 7.4.0 and i configured the ldap and it works fine but my problem is the backend roles of the ldap users !! it affects nothing to everyone and roles is own_index
thanks in advance.
@HeiDri The roles are gathered from ldap groups, these are then mapped to roles in odfe. So for example I have a user in ldap with group called “employees”, in role_mappings.yml file I map that backend role to all_access (same as admin).
all_access:
reserved: false
backend_roles:
- "admin"
- "employess"
config.yml is as follows:
authc:
ldap:
description: "Authenticate via LDAP or Active Directory"
http_enabled: true
transport_enabled: false
order: 5
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: ldap
config:
enable_ssl: false
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: false
hosts:
- <ldap_ip>
bind_dn: <...>
password: <...>
userbase: 'cn=Users,dc=local,dc=local'
username_attribute: "sAMAccountName"
usersearch: '(sAMAccountName={0})'
authz:
roles_from_myldap:
description: "Authorize via LDAP or Active Directory"
http_enabled: true
transport_enabled: false
authorization_backend:
type: ldap
config:
enable_ssl: false
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: false
hosts:
- <ldap_ip>
bind_dn: <...>
password: <...>
rolebase: 'ou=GroupsNew,dc=local,dc=local'
rolesearch: '(member={0})'
userroleattribute: null
userrolename: disabled
resolve_nested_roles: false
userbase: 'cn=Users,dc=local,dc=local'
usersearch: '(sAMAccountName={0})'
Hope this helps
Thank You for your solution to map LDAP user to ODFE roles using their group.
However how would You proceed if You want to map these LDAP group on a custom role other than ‘all_access’
I did this but I do not get LDAP user from the group (let sais ‘employess’) to connect
Here is the code, and I wonder what am I missing here
all_access:
reserved: false
backend_roles:
- "admin"
description: "Maps admin to all_access"
# Custom role defined to capture 'employess' LDAP group user and map them on permissions roles
all_employess_access:
reserved: false
hidden: false
backend_roles:
- "employess"
hosts: []
Thank for any help
@Kamikague have you created a role called all_employess_access in roles.yml file or using UI?
The reason it works with all_access is because there is a built in role defined with that name.
I assume you are using config file instead of UI, in which case you should create a role in roles.yml file and give it the necessary privileges. Don’t forget to upload the new config to security index.
I did just that and it is working now. I created a role named all_employess_access in roles.yml and another one, named all_employess_access for the mapping in the file roles_mapping.yml and then I uploaded the configuration again using securityadmin.sh Thank You for the support.