Map LDAP Users to Admin Role

It seems our Elasticsearch is talking to our Active Directory server, but our LDAP users are not getting permissions assigned. If I try to map the users to the all_access role that the built-in admin account uses, the LDAP account does not seem to get those permissions, but if I map a created internal user, it will get the all_access permissions.
When I try `curl -XGET https://0.0.0.0:9200 -u ldapusername:password -k` I get this response:
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=ldap username, backend_roles= and then it proceeds to show me all these roles from my LDAP server. I can create internal users and map them to roles, and that same request will work. I have tried to go into the all_access role and map an LDAP user the same way; I find that it's username@domainname.com. I can log into the Kibana web UI with that mapped LDAP user, but I cannot access the global tenant, and I also cannot do any actions via curl.

```yaml
authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
      type: ldap
      config:
        # enable ldaps
        enable_ssl: false
        # enable start tls, enable_ssl should be false
        enable_start_tls: false
        # send client certificate
        enable_ssl_client_auth: false
        # verify ldap hostname
        verify_hostnames: true
        # Note: with enable_ssl and enable_start_tls both false, the bind
        # password below and every user lookup cross the network in clear text
        hosts:
          - "dc01.domain.net:389"
        bind_dn: 'CN=Elasticsearch Test,CN=Users,DC=domain,DC=net'
        password: Temppassword
        rolebase: 'OU=testOU,dc=domain,dc=net'
        # Filter to search for roles (currently in the whole subtree beneath rolebase)
        # {0} is substituted with the DN of the user
        # {1} is substituted with the username
        # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
        rolesearch: '(member={0})'
        # Specify the name of the attribute which value should be substituted with {2} above
        userroleattribute: null
        # Roles as an attribute of the user entry
        userrolename: disabled
        #userrolename: memberOf
        # The attribute in a role entry containing the name of that role, Default is "name".
        # Can also be "dn" to use the full DN as rolename.
        rolename: cn
        # Resolve nested roles transitive (roles which are members of other roles and so on ...)
        resolve_nested_roles: true
        userbase: 'OU=testOU,dc=domain,dc=net'
        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        # Note: Active Directory normally stores the login name in sAMAccountName, not uid
        usersearch: '(uid={0})'
        # Skip users matching a user name, a wildcard or a regex pattern
        #skip_users:
        #  - 'cn=Michael Jackson,ou*people,o=TEST'
        #  - '/\S*/'
  roles_from_another_ldap:
    description: "Authorize via another Active Directory"
    http_enabled: false
    transport_enabled: false
    authorization_backend:
      type: ldap
      #config goes here ...

auth_failure_listeners:
  ip_rate_limiting:
    type: ip
    allowed_tries: 10
    time_window_seconds: 3600
    block_expiry_seconds: 600
    max_blocked_clients: 100000
    max_tracked_clients: 100000
  internal_authentication_backend_limiting:
    type: username
    authentication_backend: intern
    allowed_tries: 10
    time_window_seconds: 3600
    block_expiry_seconds: 600
    max_blocked_clients: 100000
    max_tracked_clients: 100000
```

I am unsure how the authz works. Does it map AD groups to roles in Elasticsearch? And if so, how do I configure it correctly to associate a group in AD with, say, the all_access role in Elasticsearch?

This is resolved. In the roles_mapping.yml file, under the all_access role, I just added the name of the AD group that I wanted to map to it. This was never explained in the documentation, as simple as it sounds. My authz section was correct. Authz says "hey, get these roles from your LDAP server", and then they can be used to map roles to those LDAP groups as you specify them in the role mapping.

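The roles_mapping.yml entry the resolution describes, as an added example that is not the poster's own file. The AD group names "ES-Admins" and "ES-Readers" are assumed placeholders, and the `_meta` header assumes the config_version 2 file format; the group strings must match what the authz backend returns as backend roles, which with `rolename: cn` is each group's cn exactly as it appears in the `backend_roles=` list of the security_exception above.

```yaml
_meta:
  type: "rolesmapping"
  config_version: 2

# Every member of the AD group "ES-Admins" (assumed name) becomes all_access.
# backend_roles are matched against the group cn values the LDAP authz
# backend collected for the user, not against the user name.
all_access:
  reserved: false
  backend_roles:
    - "ES-Admins"
  description: "AD group ES-Admins gets full cluster access"

# Least-privilege companion mapping: a second assumed AD group gets the
# predefined read-only role instead of admin.
readall:
  reserved: false
  backend_roles:
    - "ES-Readers"
  description: "AD group ES-Readers can read all indices"
```

After uploading the file with securityadmin.sh (or the security REST API), rerun the curl from the post: the `backend_roles=` list in the error message is the ground truth for what you can put under `backend_roles`, and a `users:` entry must instead match the user name exactly as the authc backend reports it (here `username@domainname.com`). Group names containing spaces need to stay quoted.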