It seems our Elasticsearch is talking to our Active Directory server, but our LDAP users are not getting permissions assigned. If I try to map the users to the all_access role that the built-in admin account uses, the LDAP account does not seem to get those permissions, but if I map a created internal user, it will get the all_access permissions.
When I try curl -XGET https://0.0.0.0:9200 -u ldapusername:password -k I get this response:
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=ldap username, backend_roles= and then it proceeds to show me all these roles from my LDAP server. I can create internal users and map them to roles, and that same request will work. I have tried to go into the all_access role and map an LDAP user the same way; I find that it's username@domainname.com. I can log into the Kibana web UI with that mapped LDAP user, but I cannot access the global tenant, and I also cannot do any actions via curl.
authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      # LDAP authorization backend (gather roles from an LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
      type: ldap
      config:
        # enable ldaps
        enable_ssl: false
        # enable start tls, enable_ssl should be false
        enable_start_tls: false
        # send client certificate
        enable_ssl_client_auth: false
        # verify ldap hostname
        verify_hostnames: true
        hosts:
          - "dc01.domain.net:389"
        bind_dn: 'CN=Elasticsearch Test,CN=Users,DC=domain,DC=net'
        password: Temppassword
        rolebase: 'OU=testOU,dc=domain,dc=net'
        # Filter to search for roles (currently in the whole subtree beneath rolebase)
        # {0} is substituted with the DN of the user
        # {1} is substituted with the username
        # {2} is substituted with an attribute value from the directory entry of the authenticated user. Use userroleattribute to specify the name of the attribute
        rolesearch: '(member={0})'
        # Specify the name of the attribute whose value should be substituted for {2} above
        userroleattribute: null
        # Roles as an attribute of the user entry
        userrolename: disabled
        #userrolename: memberOf
        # The attribute in a role entry containing the name of that role. Default is "name".
        # Can also be "dn" to use the full DN as rolename.
        rolename: cn
        # Resolve nested roles transitively (roles which are members of other roles and so on ...)
        resolve_nested_roles: true
        userbase: 'OU=testOU,dc=domain,dc=net'
        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        usersearch: '(uid={0})'
        # Skip users matching a user name, a wildcard or a regex pattern
        #skip_users:
        #  - 'cn=Michael Jackson,ou*people,o=TEST'
        #  - '/\S*/'
  roles_from_another_ldap:
    description: "Authorize via another Active Directory"
    http_enabled: false
    transport_enabled: false
    authorization_backend:
      type: ldap
      #config goes here ...
auth_failure_listeners:
  ip_rate_limiting:
    type: ip
    allowed_tries: 10
    time_window_seconds: 3600
    block_expiry_seconds: 600
    max_blocked_clients: 100000
    max_tracked_clients: 100000
  internal_authentication_backend_limiting:
    type: username
    authentication_backend: intern
    allowed_tries: 10
    time_window_seconds: 3600
    block_expiry_seconds: 600
    max_blocked_clients: 100000
    max_tracked_clients: 100000
I am unsure how the authz works. Does it map AD groups to roles in Elasticsearch? And if so, how do I configure it correctly to associate a group in AD with, say, the all_access role in Elasticsearch?
This is resolved. In the roles_mapping.yml file, under the all_access role, I just added the name of the AD group that I wanted to map to it. This was never explained in the documentation, as simple as it sounds. My authz section was correct. authz says: hey, get these roles from your LDAP server, and then they can be used to map roles to those AD groups as you specify them in the role mapping.
Can you please paste the yml? I am also facing the same issue, I guess.
With Regards,
Abhishek
Could you run the below and share the output:
curl --insecure -u <ldap_user>:<ldap_password> -XGET https://<OS_node>:9200/_plugins/_security/authinfo?pretty
Please feel free to share your .yml files for review (the best would be to open a new forum).
Thanks,
mj
{
  "user" : "User [name=p3087732adm, backend_roles=[], requestedTenant=null]",
  "user_name" : "p3087732adm",
  "user_requested_tenant" : null,
  "remote_address" : "22.242.73.84:54282",
  "backend_roles" : [ ],
  "custom_attribute_names" : [
    "attr.ldap.unixHomeDirectory",
    "attr.ldap.cacheModifiersName",
    "attr.ldap.objectGUID",
    "attr.ldap.userAccountControl",
    "ldap.original.username",
    "attr.ldap.prismuser",
    "attr.ldap.cacheCreatorsName",
    "attr.ldap.employeeType",
    "attr.ldap.sAMAccountName",
    "attr.ldap.uid",
    "attr.ldap.givenName",
    "ldap.dn",
    "attr.ldap.cn",
    "attr.ldap.cacheModifyTimestamp",
    "attr.ldap.description",
    "attr.ldap.gidNumber",
    "attr.ldap.name",
    "attr.ldap.cacheCreateTimestamp",
    "attr.ldap.uidNumber",
    "attr.ldap.displayName",
    "attr.ldap.objectSid",
    "attr.ldap.sn",
    "attr.ldap.cnmemberof",
    "attr.ldap.objectclass",
    "attr.ldap.uuid",
    "attr.ldap.loginShell"
  ],
  "roles" : [
    "own_index"
  ],
  "tenants" : {
    "p3087732adm" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}
This is the output I got. With it I am able to log in to OpenSearch Dashboards, but not to the OpenSearch URL, where I get the same error as above. So I need to know how to give all admin access to the LDAP group.
With Regards,
Abhishek M
Hi @AbhiAbhishek,
How do you map internal OpenSearch roles to your LDAP user?
Would you mind running the below:
curl --insecure -u <ldap_user>:<ldap_password> -XGET https://<OS_node>:9200/_plugins/_security/api/rolesmapping?pretty
Thanks,
mj
This is the output
{
  "manage_snapshots" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "snapshotrestore"
    ],
    "and_backend_roles" : [ ]
  },
  "logstash" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "logstash"
    ],
    "and_backend_roles" : [ ]
  },
  "UX-RG-ElasticTeam" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "admin"
    ],
    "and_backend_roles" : [ ],
    "description" : "Maps custom access"
  },
  "own_index" : {
    "hosts" : [ ],
    "users" : [
      "*"
    ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "kibanauser"
    ],
    "and_backend_roles" : [ ],
    "description" : "Allow full access to an index named like the username"
  },
  "kibana_user" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "kibanauser"
    ],
    "and_backend_roles" : [ ],
    "description" : "Maps kibanauser to kibana_user"
  },
  "all_access" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "admin",
      "UX-RG-ElasticTeam",
      "CN=UX-RG-ElasticTeam,OU=Role,OU=Unix,OU=Groups,OU=SPECTRUM,DC=CORP,DC=CHARTERCOM,DC=com"
    ],
    "and_backend_roles" : [ ],
    "description" : "Maps admin to all_access"
  },
  "readall" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "readall"
    ],
    "and_backend_roles" : [ ]
  },
  "kibana_server" : {
    "hosts" : [ ],
    "users" : [
      "kibanaserver"
    ],
    "reserved" : true,
    "hidden" : false,
    "backend_roles" : [ ],
    "and_backend_roles" : [ ]
  }
}
With Regards,
Abhishek M
Is your user p3087732adm supposed to have the backend_roles=[UX-RG-ElasticTeam], to map the user to the "all_access" role (a.k.a. admin)?
At the moment your user has no backend roles (backend_roles=[]), so you need to map the username to the role or pass the backend role(s) from your LDAP.
i.e.:
roles_mapping.yml
a_role:
  reserved: false   # or true
  backend_roles:
    - "UX-RG-ElasticTeam"
  # or/and
  users:
    - "p3087732adm"
Best,
mj
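As an added example for this page (it is not code from the thread or from the OpenSearch security plugin), the following Python models how a roles mapping like the one printed above is evaluated: a role is granted when the username matches an entry in users, any of the user's backend roles matches an entry in backend_roles, every entry in and_backend_roles is matched, or the client address matches hosts. ROLES_MAPPING is a trimmed copy of the rolesmapping output posted in the thread; the function names map_roles and with_user_mapping and the wildcard/regex matching are this example's own simplification of the plugin's matcher. A mapping entry is keyed by the name of an existing role definition.

```python
"""Added example: how a roles mapping resolves a user to OpenSearch roles.

Written for this page as a simplified model of the mapping rules; it is not
the security plugin's implementation. ROLES_MAPPING is a trimmed copy of the
rolesmapping output posted in the thread.
"""
import copy
import fnmatch
import re

ROLES_MAPPING = {
    "own_index": {
        "hosts": [], "users": ["*"],
        "backend_roles": ["kibanauser"], "and_backend_roles": [],
    },
    "kibana_user": {
        "hosts": [], "users": [],
        "backend_roles": ["kibanauser"], "and_backend_roles": [],
    },
    "all_access": {
        "hosts": [], "users": [],
        "backend_roles": [
            "admin",
            "UX-RG-ElasticTeam",
            "CN=UX-RG-ElasticTeam,OU=Role,OU=Unix,OU=Groups,OU=SPECTRUM,DC=CORP,DC=CHARTERCOM,DC=com",
        ],
        "and_backend_roles": [],
    },
    "kibana_server": {
        "hosts": [], "users": ["kibanaserver"],
        "backend_roles": [], "and_backend_roles": [],
    },
}


def _matches(patterns, value):
    """True if `value` equals a pattern, matches it as a shell wildcard, or
    matches a /regex/ pattern. Comparison is exact-case, so a group name that
    differs in case or carries stray whitespace does not match."""
    for p in patterns:
        if len(p) > 2 and p.startswith("/") and p.endswith("/"):
            if re.fullmatch(p[1:-1], value):
                return True
        elif fnmatch.fnmatchcase(value, p):
            return True
    return False


def map_roles(username, backend_roles, remote_ip=None, mapping=ROLES_MAPPING):
    """Return the set of roles granted to a user.

    A role is granted if ANY of these holds for its mapping entry:
      users             - the username matches one pattern
      backend_roles     - at least one backend role matches one pattern
      and_backend_roles - every pattern is matched by some backend role
      hosts             - the client address matches one pattern
    """
    granted = set()
    for role, entry in mapping.items():
        if _matches(entry.get("users", []), username):
            granted.add(role)
        elif any(_matches(entry.get("backend_roles", []), b) for b in backend_roles):
            granted.add(role)
        elif entry.get("and_backend_roles") and all(
            any(_matches([p], b) for b in backend_roles) for p in entry["and_backend_roles"]
        ):
            granted.add(role)
        elif remote_ip is not None and _matches(entry.get("hosts", []), remote_ip):
            granted.add(role)
    return granted


def with_user_mapping(mapping, role, username):
    """Copy of `mapping` with `username` added to `role`'s users list: the
    username route, for when the authz backend delivers no backend roles.
    `role` must be the name of a role that is actually defined."""
    new = copy.deepcopy(mapping)
    new.setdefault(role, {"hosts": [], "users": [], "backend_roles": [], "and_backend_roles": []})
    new[role]["users"].append(username)
    return new


if __name__ == "__main__":
    # The authinfo output in the thread: backend_roles=[] gives only own_index (users: ["*"]).
    print(sorted(map_roles("p3087732adm", [])))
    # The same user once the authz backend delivers the AD group as a backend role.
    print(sorted(map_roles("p3087732adm", ["UX-RG-ElasticTeam"])))
    # Or mapped by username instead.
    print(sorted(map_roles("p3087732adm", [],
                           mapping=with_user_mapping(ROLES_MAPPING, "all_access", "p3087732adm"))))
```

Run against the thread's data, a user with backend_roles=[] lands only in own_index, which is exactly what the authinfo output above shows; the same user with the AD group delivered as a backend role, or listed by username, is mapped to all_access.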
@Mantas
It's not working.
{
  "manage_snapshots" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "snapshotrestore"
    ],
    "and_backend_roles" : [ ]
  },
  "logstash" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "logstash"
    ],
    "and_backend_roles" : [ ]
  },
  "a_role" : {
    "hosts" : [ ],
    "users" : [
      "p3087732adm"
    ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "kibanauser",
      "UX-RG-ElasticTeam",
      "CN=UX-RG-ElasticTeam,OU=Role,OU=Unix,OU=Groups,OU=SPECTRUM,DC=CORP,DC=CHARTERCOM,DC=com"
    ],
    "and_backend_roles" : [ ]
  },
  "UX-RG-ElasticTeam" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "admin"
    ],
    "and_backend_roles" : [ ],
    "description" : "Maps custom access"
  },
  "own_index" : {
    "hosts" : [ ],
    "users" : [
      "*"
    ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "kibanauser",
      "UX-RG-ElasticTeam",
      "CN=UX-RG-ElasticTeam,OU=Role,OU=Unix,OU=Groups,OU=SPECTRUM,DC=CORP,DC=CHARTERCOM,DC=com"
    ],
    "and_backend_roles" : [ ],
    "description" : "Allow full access to an index named like the username"
  },
  "kibana_user" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "kibanauser"
    ],
    "and_backend_roles" : [ ],
    "description" : "Maps kibanauser to kibana_user"
  },
  "all_access" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "admin",
      "UX-RG-ElasticTeam",
      "CN=UX-RG-ElasticTeam,OU=Role,OU=Unix,OU=Groups,OU=SPECTRUM,DC=CORP,DC=CHARTERCOM,DC=com"
    ],
    "and_backend_roles" : [ ],
    "description" : "Maps admin to all_access"
  },
  "readall" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "readall"
    ],
    "and_backend_roles" : [ ]
  },
  "kibana_server" : {
    "hosts" : [ ],
    "users" : [
      "kibanaserver"
    ],
    "reserved" : true,
    "hidden" : false,
    "backend_roles" : [ ],
    "and_backend_roles" : [ ]
  }
}
With Regards,
Abhishek M
Could you run and share the below:
curl --insecure -u <admin_username>:<admin_password> -XGET https://<OS_node>:9200/_plugins/_security/api/securityconfig?pretty
Thanks,
mj
{
  "config" : {
    "dynamic" : {
      "filtered_alias_mode" : "warn",
      "disable_rest_auth" : false,
      "disable_intertransport_auth" : false,
      "respect_request_indices_options" : false,
      "kibana" : {
        "multitenancy_enabled" : true,
        "private_tenant_enabled" : true,
        "default_tenant" : "",
        "server_username" : "kibanaserver",
        "index" : ".kibana"
      },
      "http" : {
        "anonymous_auth_enabled" : false,
        "xff" : {
          "enabled" : false,
          "internalProxies" : "192\\.168\\.0\\.10|192\\.168\\.0\\.11",
          "remoteIpHeader" : "X-Forwarded-For"
        }
      },
      "authc" : {
        "jwt_auth_domain" : {
          "http_enabled" : false,
          "order" : 0,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "jwt",
            "config" : {
              "signing_key" : "base64 encoded HMAC key or public RSA/ECDSA pem key",
              "jwt_header" : "Authorization",
              "jwt_clock_skew_tolerance_seconds" : 30
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          },
          "description" : "Authenticate via Json Web Token"
        },
        "ldap" : {
          "http_enabled" : true,
          "order" : 5,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "basic",
            "config" : { }
          },
          "authentication_backend" : {
            "type" : "ldap",
            "config" : {
              "enable_ssl" : false,
              "enable_start_tls" : false,
              "enable_ssl_client_auth" : false,
              "verify_hostnames" : true,
              "hosts" : [
                "vm0uwvdsxxa0001.corp.chartercom.com"
              ],
              "bind_dn" : "cn=svc-vds-specenteradd,ou=users,ou=serviceaccts,ou=security,dc=corp,dc=chartercom,dc=com",
              "password" : "******",
              "userbase" : "ou=users,ou=authentication,ou=security,dc=corp,dc=chartercom,dc=com",
              "usersearch" : "(sAMAccountName={0})",
              "username_attribute" : "uid"
            }
          },
          "description" : "Authenticate via LDAP or Active Directory"
        },
        "basic_internal_auth_domain" : {
          "http_enabled" : true,
          "order" : 4,
          "http_authenticator" : {
            "challenge" : true,
            "type" : "basic",
            "config" : { }
          },
          "authentication_backend" : {
            "type" : "intern",
            "config" : { }
          },
          "description" : "Authenticate via HTTP Basic against internal users database"
        },
        "proxy_auth_domain" : {
          "http_enabled" : false,
          "order" : 3,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "proxy",
            "config" : {
              "user_header" : "x-proxy-user",
              "roles_header" : "x-proxy-roles"
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          },
          "description" : "Authenticate via proxy"
        },
        "clientcert_auth_domain" : {
          "http_enabled" : false,
          "order" : 2,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "clientcert",
            "config" : {
              "username_attribute" : "cn"
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          },
          "description" : "Authenticate via SSL client certificates"
        },
        "kerberos_auth_domain" : {
          "http_enabled" : false,
          "order" : 6,
          "http_authenticator" : {
            "challenge" : true,
            "type" : "kerberos",
            "config" : {
              "krb_debug" : false,
              "strip_realm_from_principal" : true
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          }
        }
      },
      "authz" : {
        "roles_from_another_ldap" : {
          "http_enabled" : false,
          "authorization_backend" : {
            "type" : "ldap",
            "config" : { }
          },
          "description" : "Authorize via another Active Directory"
        },
        "roles_from_myldap" : {
          "http_enabled" : true,
          "authorization_backend" : {
            "type" : "ldap",
            "config" : {
              "enable_ssl" : false,
              "enable_start_tls" : false,
              "enable_ssl_client_auth" : false,
              "verify_hostnames" : true,
              "hosts" : [
                "vm0uwvdsxxa0001.corp.chartercom.com"
              ],
              "bind_dn" : "cn=svc-vds-specenteradd,ou=users,ou=serviceaccts,ou=security,dc=corp,dc=chartercom,dc=com",
              "password" : "******",
              "rolebase" : "ou=users,ou=authentication,ou=security,dc=corp,dc=chartercom,dc=com",
              "rolesearch" : "(sAMAccountName={0})",
              "userroleattribute" : "roles",
              "userrolename" : "memberOf",
              "rolename" : "cn",
              "resolve_nested_roles" : false,
              "userbase" : "ou=users,ou=authentication,ou=security,dc=corp,dc=chartercom,dc=com",
              "usersearch" : "(sAMAccountName={0})"
            }
          },
          "description" : "Authorize via LDAP or Active Directory"
        }
      },
      "auth_failure_listeners" : { },
      "do_not_fail_on_forbidden" : false,
      "multi_rolespan_enabled" : true,
      "hosts_resolver_mode" : "ip-only",
      "do_not_fail_on_forbidden_empty" : false,
      "on_behalf_of" : {
        "enabled" : false
      }
    }
  }
}
With Regards,
Abhishek M
Hi @AbhiAbhishek,
The backend roles are not assigned to your user.
It looks like you are mapping your OpenSearch roles to your user using backend roles (alternatively you can use the username), so you will need to find a way to assign values (such as groups) to your backend roles in your LDAP authz configuration (Active Directory and LDAP - OpenSearch Documentation), depending on your LDAP and its configuration. I can see that the troubleshooting is being continued here: Can't map ldap group to admin roles
Best,
mj
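To make concrete what "assign values (such as groups) to your backend roles in your LDAP authz configuration" means, here is an added example written for this page (it is not the security plugin's implementation and not code from the thread). It models the lookup rules described in the config.yml comments posted earlier: rolesearch is run under rolebase with {0} replaced by the user's DN and {1} by the username, userrolename reads role DNs off the user entry, rolename picks the attribute of each role entry that becomes the backend role name, and resolve_nested_roles walks groups that are members of other groups. The directory entries, DNs, group names and the three configuration variants CFG_GROUP_SEARCH, CFG_USER_ATTR and CFG_WRONG_FILTER are constructed for the example, and only single "(attr=value)" equality filters are understood.

```python
"""Added example: a toy model of the LDAP authorization backend's role lookup.

Written for this page; it is not the OpenSearch security plugin's code. The
directory, DNs and configs below are constructed, and the "LDAP server" is a
dict, so the example runs offline.
"""
import re

# Constructed directory: one user and two groups, Active Directory style.
USER_DN = "CN=Jane Doe,OU=Users,DC=example,DC=net"
READERS_DN = "CN=es-readers,OU=Groups,DC=example,DC=net"
ADMINS_DN = "CN=es-admins,OU=Groups,DC=example,DC=net"

DIRECTORY = {
    USER_DN: {
        "sAMAccountName": ["jdoe"],
        "memberOf": [READERS_DN],
    },
    READERS_DN: {
        "cn": ["es-readers"],
        "member": [USER_DN],
        "memberOf": [ADMINS_DN],   # es-readers is nested inside es-admins
    },
    ADMINS_DN: {
        "cn": ["es-admins"],
        "member": [READERS_DN],
    },
}

# Three authz "config:" variants, using the keys from config.yml.
CFG_GROUP_SEARCH = {   # search the groups OU for entries listing the user as member
    "rolebase": "OU=Groups,DC=example,DC=net",
    "rolesearch": "(member={0})",
    "userrolename": "disabled",
    "rolename": "cn",
    "resolve_nested_roles": True,
}
CFG_USER_ATTR = {      # read group DNs straight off the user entry instead
    "rolebase": "OU=Groups,DC=example,DC=net",
    "rolesearch": None,
    "userrolename": "memberOf",
    "rolename": "cn",
    "resolve_nested_roles": False,
}
CFG_WRONG_FILTER = {   # {0} is the user's DN, so a name filter on it never matches
    "rolebase": "OU=Users,DC=example,DC=net",
    "rolesearch": "(sAMAccountName={0})",
    "userrolename": "disabled",
    "rolename": "cn",
    "resolve_nested_roles": False,
}

_SIMPLE_FILTER = re.compile(r"^\((?P<attr>[A-Za-z0-9]+)=(?P<value>[^)]*)\)$")


def _attr(entry, name):
    """Case-insensitive attribute lookup, as LDAP attribute names are."""
    return [v for k, vs in entry.items() if k.lower() == name.lower() for v in vs]


def search(base, filt, directory=DIRECTORY):
    """Subtree search under `base` for a single (attr=value) equality filter."""
    m = _SIMPLE_FILTER.match(filt)
    if not m:
        raise ValueError(f"unsupported filter: {filt}")
    base_l = base.lower()
    hits = []
    for dn, entry in directory.items():
        dn_l = dn.lower()
        if dn_l != base_l and not dn_l.endswith("," + base_l):
            continue
        if m["value"].lower() in {v.lower() for v in _attr(entry, m["attr"])}:
            hits.append(dn)
    return hits


def backend_roles(user_dn, username, cfg, directory=DIRECTORY):
    """Backend roles for a user under an authz config, per the config.yml comments."""
    role_dns = set()

    # rolesearch: run under rolebase with {0} = user DN and {1} = username.
    if cfg.get("rolesearch"):
        filt = cfg["rolesearch"].replace("{0}", user_dn).replace("{1}", username)
        role_dns.update(search(cfg["rolebase"], filt, directory))

    # userrolename: take role DNs from an attribute of the user entry (e.g. memberOf).
    attr = cfg.get("userrolename") or "disabled"
    if attr.lower() != "disabled":
        role_dns.update(_attr(directory[user_dn], attr))

    # resolve_nested_roles: re-run rolesearch with each found role DN as {0}, transitively
    # (this model only does so when a rolesearch is configured).
    if cfg.get("resolve_nested_roles") and cfg.get("rolesearch"):
        todo = list(role_dns)
        while todo:
            dn = todo.pop()
            for parent in search(cfg["rolebase"], cfg["rolesearch"].replace("{0}", dn), directory):
                if parent not in role_dns:
                    role_dns.add(parent)
                    todo.append(parent)

    # rolename: the attribute of each role entry that becomes the backend role name;
    # "dn" keeps the full DN, which is then what a roles mapping has to list.
    name_attr = cfg.get("rolename", "name")
    if name_attr.lower() == "dn":
        return set(role_dns)
    return {v for dn in role_dns for v in _attr(directory.get(dn, {}), name_attr)}


if __name__ == "__main__":
    for label, cfg in [("group search", CFG_GROUP_SEARCH), ("user attribute", CFG_USER_ATTR),
                       ("wrong filter", CFG_WRONG_FILTER)]:
        print(f"{label:15}: {sorted(backend_roles(USER_DN, 'jdoe', cfg))}")
```

The point of the three variants: a group search under a groups OU or a userrolename attribute that actually exists on the user entry both yield group names that a roles mapping can reference, while a rolesearch that compares a name attribute against {0} (the DN) yields nothing, which shows up as backend_roles=[] in authinfo. Whether a real directory exposes memberOf under that name, or under another attribute, is something to check with the attributes listed in the authinfo output.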