LDAP "User Authenticated" but no OpenDashboards access

Hey guys,

I have a problem with mapping my LDAP AD users to roles. OpenSearch resolves my user and backend roles from AD just fine, but I can't figure out how to map users to roles based on their backend roles in AD.
This is the log I get:

Rest user ‘User [name=foo, backend_roles=[bar], requestedTenant=null]’ is authenticated

And that's all; it doesn't allow me to enter the Kibana UI.

my roles_mapping.yml

all_access:
  reserved: false
  backend_roles:
  - "admin"
  - "bar"
  description: "Maps admin to all_access"

roles.yml

bar:
  reserved: false
  cluster_permissions:
    - '*'
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - '*'
  tenant_permissions:
    - tenant_patterns:
        - '*'
      allowed_actions:
        - 'kibana_all_read'
        - 'kibana_all_write'

I don't think I need to share my security config.yml, but if needed I can share it as well.
Thanks in advance,
Sam
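As an added example, not code from Sam's post or from the OpenSearch project, here is a small Python checker that takes the posted roles_mapping.yml and roles.yml (transcribed as dicts so it runs without PyYAML) together with the "Rest user ... is authenticated" log line, and works out which security roles the user is mapped to and which of those carry the kibana_all_* tenant permissions Dashboards needs. It goes a little beyond the thread by also implementing the other two plugins.security.roles_mapping_resolution modes besides the default MAPPING_ONLY; treating all_access as a built-in role with Dashboards access is an assumption, and the log line and guest user in the test are constructed.

```python
import re

# Constructed transcription of the roles_mapping.yml and roles.yml from the post above,
# as Python dicts so the example runs without PyYAML.
ROLES_MAPPING = {
    "all_access": {
        "reserved": False,
        "backend_roles": ["admin", "bar"],
        "description": "Maps admin to all_access",
    },
}

ROLES = {
    "bar": {
        "reserved": False,
        "cluster_permissions": ["*"],
        "index_permissions": [{"index_patterns": ["*"], "allowed_actions": ["*"]}],
        "tenant_permissions": [
            {"tenant_patterns": ["*"],
             "allowed_actions": ["kibana_all_read", "kibana_all_write"]},
        ],
    },
}

# Assumption: all_access is a static built-in role that already grants Dashboards
# (tenant) access, so it never appears in a user's roles.yml. Every other role must
# be looked up there.
BUILTIN_DASHBOARDS_ROLES = {"all_access"}

# Copy of the log line quoted in the post.
LOG_LINE = ("Rest user 'User [name=foo, backend_roles=[bar], requestedTenant=null]' "
            "is authenticated")

USER_RE = re.compile(r"User \[name=(?P<name>[^,\]]+), backend_roles=\[(?P<roles>[^\]]*)\]")


def parse_auth_log(line):
    """Pull the username and backend roles out of a 'Rest user ... is authenticated' line."""
    m = USER_RE.search(line)
    if m is None:
        raise ValueError("no 'User [...]' record in line")
    backend = [r.strip() for r in m.group("roles").split(",") if r.strip()]
    return m.group("name"), backend


def map_roles(user, backend_roles, roles_mapping, resolution="MAPPING_ONLY"):
    """Resolve security roles for the given plugins.security.roles_mapping_resolution
    mode: MAPPING_ONLY (default) uses roles_mapping.yml only, BACKENDROLES_ONLY takes
    backend role names verbatim as security role names, BOTH does both."""
    mapped = set()
    if resolution in ("MAPPING_ONLY", "BOTH"):
        for role, spec in roles_mapping.items():
            if user in spec.get("users", []) or set(spec.get("backend_roles", [])) & set(backend_roles):
                mapped.add(role)
    if resolution in ("BACKENDROLES_ONLY", "BOTH"):
        mapped.update(backend_roles)
    return mapped


def dashboards_granting_roles(mapped, roles, builtin=BUILTIN_DASHBOARDS_ROLES):
    """Which of the mapped roles actually carry a kibana_all_* tenant permission."""
    granting = {r for r in mapped if r in builtin}
    for role in mapped - granting:
        for tp in roles.get(role, {}).get("tenant_permissions", []):
            if {"kibana_all_read", "kibana_all_write"} & set(tp.get("allowed_actions", [])):
                granting.add(role)
    return granting


def diagnose(line, roles_mapping=ROLES_MAPPING, roles=ROLES, resolution="MAPPING_ONLY"):
    """Full chain: log line -> backend roles -> mapped roles -> roles granting Dashboards."""
    user, backend = parse_auth_log(line)
    mapped = map_roles(user, backend, roles_mapping, resolution)
    return {
        "user": user,
        "backend_roles": backend,
        "mapped_roles": sorted(mapped),
        "dashboards_via": sorted(dashboards_granting_roles(mapped, roles)),
    }


if __name__ == "__main__":
    print(diagnose(LOG_LINE))
```

Run against the line in the post, this reports foo mapped to all_access with Dashboards access, which is the useful negative result: the mapping itself is fine, so an authenticated user who still cannot reach Dashboards points at something other than roles_mapping.yml. It also shows that the bar entry in roles.yml is only ever used if something maps to it; under the default MAPPING_ONLY resolution a backend role named bar does not select a security role named bar by itself.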


@Saidose Please share the output of the command below.

curl --insecure -u <LDAP_User> -XGET https://<OpenSearch_FQDN_or_IP>:9200/_plugins/_security/authinfo?pretty

Unauthorized on two master nodes and full info on one master

Hey Pablo,

Thank you very much. As soon as I got "unauthorized" it struck me that maybe I can't connect to AD from two hosts because of a lack of certificates.
Well, again I forgot that I was using OpenSearch as a service and didn't copy the security configuration and certificates to the two other masters. One of them authorised the user; the two other ones declined because there was no certificate to establish an SSL connection to LDAP.
Note to self: always copy configuration files between hosts, also when running as a service.
Thanks to your activity on this forum I decided to drop the idea of integrating Keycloak, because of the redirects and variables involved on both sides, and went for AD; it works wonders.

Best regards,
Sam
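The authinfo check Pablo suggests and the root cause Sam found (security config and certificates present on only one master) are worth checking on every node rather than once, because a user who is "authenticated" on the node that happens to serve the request and rejected on the others looks like a role-mapping problem from Dashboards. As an added example, not code from the thread or from OpenSearch, here is Python that compares per-node authinfo results for one user and turns any split into a finding. The responses are constructed to match what the thread describes (one full answer, two 401s); the JSON field names follow the real _plugins/_security/authinfo document, the values are made up.

```python
import json

# Constructed per-node responses modelled on what the thread reports: one master
# answers the authinfo request in full, the other two return 401. Field names follow
# the real authinfo document; the values are invented for this example.
NODE_RESPONSES = {
    "master-1": (200, json.dumps({
        "user_name": "foo",
        "backend_roles": ["bar"],
        "roles": ["all_access"],
        "tenants": {"global_tenant": True, "foo": True},
    })),
    "master-2": (401, "Unauthorized"),
    "master-3": (401, "Unauthorized"),
}


def check_authinfo_consistency(responses):
    """Compare authinfo results for one LDAP user across nodes.

    With one security config and identical certificates distributed to every node,
    all nodes answer identically. Any split between nodes is reported as a finding."""
    authenticated, failed = {}, {}
    for node, (status, body) in responses.items():
        if status != 200:
            failed[node] = status
            continue
        info = json.loads(body)
        # Identity the node resolved: username, backend roles from LDAP, mapped roles.
        authenticated[node] = (
            info.get("user_name"),
            tuple(sorted(info.get("backend_roles", []))),
            tuple(sorted(info.get("roles", []))),
        )

    findings = []
    if authenticated and failed:
        findings.append(
            f"LDAP login succeeds on {sorted(authenticated)} but fails with "
            f"{sorted(set(failed.values()))} on {sorted(failed)}: the security config "
            "or the certificates used for the TLS connection to LDAP differ between nodes"
        )
    if len(set(authenticated.values())) > 1:
        findings.append("nodes that authenticate the user disagree on backend roles or "
                        "mapped roles: roles_mapping.yml / roles.yml differ between nodes")
    if authenticated and not failed and not findings:
        mapped_roles = next(iter(authenticated.values()))[2]
        if not mapped_roles:
            findings.append("user authenticates on every node but maps to no security "
                            "role: check backend_roles in roles_mapping.yml")

    return {
        "authenticated": sorted(authenticated),
        "failed": dict(sorted(failed.items())),
        "consistent": not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    result = check_authinfo_consistency(NODE_RESPONSES)
    for finding in result["findings"]:
        print("FINDING:", finding)
    print("consistent:", result["consistent"])
```

In practice the tuples come from running Pablo's curl against each node in turn with the same LDAP credentials. The check separates the three failure modes that all present as "cannot log in to Dashboards": a node-level split (config or trust material missing on some nodes, Sam's case), nodes that agree the user exists but disagree on roles (stale roles_mapping.yml on some nodes), and a user who authenticates everywhere but maps to nothing (a genuine roles_mapping.yml problem).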