Ldap Security authz

Hi guys, so lately I added the Open Distro security plugin to the ELK 7.4.0 distribution, so I'm trying to connect to the LDAP server but something is wrong.
My config file seems to be correct, and when I log in using Kibana I get this message; it gives my session name, so it connects to the LDAP server, but I can't access Kibana:

{"message":"no permissions for [indices:data/read/search] and User [name=USER_NAME, backend_roles=[], requestedTenant=null]: [security_exception] no permissions for [indices:data/read/search] and User [name=USER_NAMEI, backend_roles=[], requestedTenant=null]","statusCode":403,"error":"Forbidden"}

this is my config file:

      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: false
            hosts:
            - "....:389"
            bind_dn: 'cn=authreader,cn=Users,DC=****,DC=int'
            password: 'password'
            userbase: 'ou=*****,DC=****,DC=int'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: 'cn'
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - "....:389"
            bind_dn: 'cn=authreader,cn=Users,DC=****,DC=int'
            password: 're@d123$'
            rolebase: 'ou=****,DC=****,DC=int'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(member={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            #userrolename: disabled
            userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: 'cn'
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: 'ou=****,DC=biat,DC=int'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'
            # Skip users matching a user name, a wildcard or a regex pattern
            #skip_users:
            #  - 'cn=Michael Jackson,ou*people,o=TEST'
            #  - '/\S*/'

and this is my kibana.yml:

server.name: kibana
elasticsearch.ssl.verificationMode: none
elasticsearch.username: ***
elasticsearch.password: ****
#elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opendistro_security.multitenancy.enabled: false
opendistro_security.multitenancy.tenants.enable_global: false
opendistro_security.multitenancy.tenants.enable_private: false

Any idea what I am doing wrong? Thanks for your help.

It sounds like your “authc” section is in order since you can authenticate your user, even if it seems that you did not copy-paste your ldap configuration incorrectly. My guess is that your issue is in the “authz” section of your ldap config. I would try to get familiar with the ldapsearch command (yum install openldap-clients); it was very helpful for me when debugging.

This is an example from my installation notes of one of the commands that I used when debugging:
ldapsearch -x -b "$rolebase" -H "$ldapserver" -D "$bind_dn" -w "$password" "$rolesearch" "$rolename"

Have you made any roles and role mappings? I often see this message when our users try to view an index pattern that they don’t have access to. Our admins' ldap group is mapped to the all_access internal role (that should get you started), and our users have role mappings pointing to their various ldap groups. Without the roles and their mappings you’re missing part of RBAC. https://opendistro.github.io/for-elasticsearch-docs/docs/alerting/security-roles/
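To make the ldapsearch check above reproducible, here is an added example (not code from the thread or from the Open Distro plugin) that fills the `{0}`/`{1}`/`{2}` placeholders of the `usersearch` and `rolesearch` templates from the config above and builds the corresponding ldapsearch command. It escapes the substituted values per RFC 4515 so that a username containing filter metacharacters cannot change the shape of the search, and it builds the command as an argv list, which sidesteps the quoting problem of putting `$rolesearch` in single quotes. Server, DNs and usernames are constructed placeholders. Note that the authc and authz sections above use different `usersearch` filters (`sAMAccountName` versus `uid`), so the same login name is looked up twice and both lookups must succeed before any groups are returned.

```python
import re
import shlex

# RFC 4515 section 3: characters that must be escaped inside a filter value,
# otherwise a crafted username can alter the structure of the search filter.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, *values: str) -> str:
    """Fill the {0}, {1}, {2} placeholders of an Open Distro filter template.

    usersearch: {0} = username
    rolesearch: {0} = user DN, {1} = username, {2} = userroleattribute value
    Every value is escaped, and a single regex pass means an inserted value
    can never itself be re-expanded as a placeholder.
    """
    escaped = [escape_filter_value(v) for v in values]

    def fill(match: re.Match) -> str:
        index = int(match.group(1))
        if index >= len(escaped):
            raise ValueError("template references {%d} but only %d values were given"
                             % (index, len(escaped)))
        return escaped[index]

    return re.sub(r"\{(\d)\}", fill, template)


def ldapsearch_argv(server, bind_dn, password, base, search_filter, *attrs):
    """Build the ldapsearch command from the reply above as an argv list,
    ready for subprocess.run(); no shell is involved, so no quoting mistakes."""
    return ["ldapsearch", "-x", "-H", server, "-D", bind_dn, "-w", password,
            "-b", base, search_filter, *attrs]


def ldapsearch_command(*args) -> str:
    """The same command as a copy-pasteable shell line (shlex.join quotes safely)."""
    return shlex.join(ldapsearch_argv(*args))


if __name__ == "__main__":
    # Constructed values; host and DNs are placeholders, not from the thread.
    server = "ldap://ldap.example.int:389"
    bind_dn = "cn=authreader,cn=Users,DC=example,DC=int"
    userbase = "ou=people,DC=example,DC=int"
    rolebase = "ou=groups,DC=example,DC=int"

    # Step 1 (authc): find the user entry with the usersearch filter above.
    user_filter = render_filter("(sAMAccountName={0})", "jdoe")
    print(ldapsearch_command(server, bind_dn, "<password>", userbase, user_filter, "dn", "cn"))

    # Step 2 (authz): find groups whose member attribute holds the user's DN.
    user_dn = "CN=J Doe,OU=people,DC=example,DC=int"
    role_filter = render_filter("(member={0})", user_dn, "jdoe")
    print(ldapsearch_command(server, bind_dn, "<password>", rolebase, role_filter, "cn"))

    # A username carrying filter metacharacters cannot widen the search.
    print(render_filter("(sAMAccountName={0})", "*)(objectClass=*"))
```

Run step 1 against the `userbase` and step 2 against the `rolebase` from your own config; if step 1 returns an entry but step 2 returns no groups, the authz backend will hand Kibana an empty `backend_roles` list, which is exactly what the 403 message above shows.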

Hi, thanks for your reply. I did not add anything in the roles_mapping and the roles. Can you give an example of how I can configure the roles_mapping and roles and map my ldap users to the created roles?

Thanks in advance

The following is from our all_access role mapping. The backend role is pointing to an admin ldap group and the user is the default elastic user. This mapping points to the built-in “all_access” role.

> GET _opendistro/_security/api/rolesmapping/

  "all_access" : {
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "cn=my-ldap-admin-role,ou=Groups,ou=my-team,ou=Environments,dc=my-company,dc=io"
    ],
    "hosts" : [ ],
    "users" : [
      "elastic"
    ]
  }

The ODFE _security documentation is very helpful: API - Open Distro Documentation
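As an added illustration of how a roles_mapping document like the one above turns a user's LDAP groups into security roles (example code, not the plugin's implementation), the following resolves the effective roles for a few constructed users. The `all_access` entry copies the mapping from the reply above; the `readall` entry (a built-in Open Distro role) with a made-up group DN is added so that a non-admin case can be shown. Glob-style `*` matching in the `users` and `backend_roles` lists is an assumption of this example. One caveat the config above makes relevant: the value the authz backend puts into `backend_roles` depends on `rolename` (`cn` gives the bare group name, `dn` the full DN), and it must match the string form used in the mapping, as the last case demonstrates.

```python
import fnmatch
import json

# Constructed roles_mapping document in the shape returned by
# GET _opendistro/_security/api/rolesmapping/. The all_access entry copies the
# reply above; "readall" with the group cn=log-readers is made up for the demo.
ROLES_MAPPING = json.loads("""
{
  "all_access": {
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "cn=my-ldap-admin-role,ou=Groups,ou=my-team,ou=Environments,dc=my-company,dc=io"
    ],
    "hosts": [],
    "users": ["elastic"]
  },
  "readall": {
    "reserved": false,
    "hidden": false,
    "backend_roles": ["cn=log-readers,ou=Groups,dc=my-company,dc=io"],
    "hosts": [],
    "users": []
  }
}
""")


def _matches(value: str, patterns) -> bool:
    """Exact match, with '*' wildcards in mapping entries treated glob-style
    (assumption of this example; matching is case-sensitive)."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def resolve_roles(username: str, backend_roles, mapping=ROLES_MAPPING):
    """Return the security roles a user is mapped to.

    A mapping applies when the username is in its "users" list or any of the
    user's backend_roles (the LDAP groups the authz backend returned) is in
    its "backend_roles" list. The "hosts" list is ignored here.
    """
    roles = []
    for role, entry in mapping.items():
        if _matches(username, entry.get("users", [])) or any(
            _matches(group, entry.get("backend_roles", [])) for group in backend_roles
        ):
            roles.append(role)
    return sorted(roles)


def diagnose(username: str, backend_roles, mapping=ROLES_MAPPING) -> str:
    """One-line explanation of why a request would be allowed or answered 403."""
    roles = resolve_roles(username, backend_roles, mapping)
    if roles:
        return "user %s -> roles %s" % (username, ", ".join(roles))
    if not backend_roles:
        return ("user %s has no backend_roles: the LDAP authz lookup returned no groups "
                "and no mapping names the user directly -> 403" % username)
    return ("user %s has groups %s but none is listed in any roles_mapping -> 403"
            % (username, ", ".join(backend_roles)))


if __name__ == "__main__":
    admin_group = "cn=my-ldap-admin-role,ou=Groups,ou=my-team,ou=Environments,dc=my-company,dc=io"
    # The situation in the original post: authenticated, but backend_roles=[].
    print(diagnose("USER_NAME", []))
    # Mapped directly by username.
    print(diagnose("elastic", []))
    # Mapped through the LDAP admin group.
    print(diagnose("alice", [admin_group]))
    # Mapped through the made-up reader group.
    print(diagnose("carol", ["cn=log-readers,ou=Groups,dc=my-company,dc=io"]))
    # rolename: 'cn' yields the bare group name, which does not match a DN in the mapping.
    print(diagnose("bob", ["my-ldap-admin-role"]))
```

The first case is the one from the error message at the top of the thread: with `backend_roles=[]` and no mapping naming the user, no role applies, so every index read is denied with 403 regardless of how many roles exist.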

@HeiDri Did you get it working using roles and role_mappings?