@Scarecrow What roles do you get when you run the below command?
curl --insecure -u <ldap_user> -XGET https://<OpenSearch_node>:9200/_plugins/_security/authinfo?pretty
I get this as a result:
curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed
Which is strange, since I can log in via my LDAP credentials and I'm using the same cert.pem twice, for both authc and authz, in my config.yml.
If I log in via my LDAP credentials and look at my roles (top right corner), I just have access to my “own_index” and zero backend roles. So it seems my role mapping is not correct (which is contradicted by the AD group, which is in the all_access role next to the admin user).
You can also comment out or remove the below section from authz only.
  userbase: 'cn=xx,dc=xxx,dc=xxxl'
  usersearch: '(mail={0})'
  username_attribute: cn
@pablo I can confirm that did the trick!
For future reference, the LDAP authentication/config.yml config:
---
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      internal_auth:
        order: 0
        description: "HTTP basic authentication using the internal user database"
        http_enabled: true
        transport_enabled: false
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: internal
      ldap_auth:
        order: 1
        description: "Authenticate using LDAP"
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: ldap
          config:
            enable_ssl: true
            pemtrustedcas_filepath: "cert.pem"
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - xxxxxx:636
            bind_dn: 'CN=x,OU=x,OU=x,DC=x,DC=x'
            password: 'xxxxx'
            userbase: 'OU=x,OU=x,OU=x,OU=x,DC=xx,DC=x'
            usersearch: '(mail={0})'
            username_attribute: null
    authz:
      ldap_roles:
        description: "Authorize using LDAP"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: true
            pemtrustedcas_filepath: "cert.pem"
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - xxxxx:636
            bind_dn: 'CN=x,OU=x,OU=x,DC=x,DC=x'
            password: 'xxxxx'
            skip_users:
              - "admin"
              - "kibanaserver"
            rolebase: 'OU=x,OU=x,OU=x,OU=x,DC=x,DC=x'
            rolesearch: "(member={0})"
            userroleattribute: null
            userrolename: disabled
            rolename: cn
            resolve_nested_roles: true
On to actually starting to use/abuse the system now
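As an added example that is not part of this thread or of the OpenSearch project: a small Python lint over a loaded config.yml (the dict that yaml.safe_load would return) that flags the authz user-search keys pablo says to remove, reports LDAP backends bound without TLS or with hostname verification off, and a helper that summarises the authinfo response the first reply asks about. The sample config and authinfo response are constructed, modelled on the config posted above.

```python
# Added example: static checks over a loaded OpenSearch security config.yml.
# `config` is the dict yaml.safe_load() returns for the file; SAMPLE_CONFIG is constructed.
USER_SEARCH_KEYS = ("userbase", "usersearch", "username_attribute")

def ldap_domains(config, section):
    """Yield (domain name, ldap config dict) for each LDAP domain under authc or authz."""
    key = "authentication_backend" if section == "authc" else "authorization_backend"
    domains = config.get("config", {}).get("dynamic", {}).get(section, {})
    for name, domain in domains.items():
        backend = domain.get(key, {})
        if backend.get("type") == "ldap":
            yield name, backend.get("config", {})

def lint_security_config(config):
    """Return a list of findings (strings); an empty list means nothing to report."""
    findings = []
    for section in ("authc", "authz"):
        for name, ldap in ldap_domains(config, section):
            if section == "authz":
                # The thread's fix: user-search keys belong to authc only.
                stray = [k for k in USER_SEARCH_KEYS if k in ldap]
                if stray:
                    findings.append(f"{section}/{name}: remove {', '.join(stray)} from authz")
            if not ldap.get("enable_ssl") and not ldap.get("enable_start_tls"):
                findings.append(f"{section}/{name}: LDAP bind is cleartext (no SSL or STARTTLS)")
            if ldap.get("verify_hostnames") is False:
                findings.append(f"{section}/{name}: verify_hostnames is false; certificate hostname is not checked")
    return findings

SAMPLE_CONFIG = {  # constructed, mirroring the posted config before the fix
    "config": {"dynamic": {
        "authc": {"ldap_auth": {"authentication_backend": {"type": "ldap", "config": {
            "enable_ssl": True, "verify_hostnames": False,
            "userbase": "OU=x,DC=x", "usersearch": "(mail={0})"}}}},
        "authz": {"ldap_roles": {"authorization_backend": {"type": "ldap", "config": {
            "enable_ssl": True, "verify_hostnames": True,
            "userbase": "cn=xx,dc=xxx", "usersearch": "(mail={0})", "username_attribute": "cn",
            "rolebase": "OU=x,DC=x", "rolesearch": "(member={0})"}}}}}}}

def authinfo_summary(authinfo):
    """Summarise the JSON from /_plugins/_security/authinfo: who the cluster thinks you are."""
    return {"user": authinfo.get("user_name"),
            "roles": sorted(authinfo.get("roles", [])),
            "backend_roles": sorted(authinfo.get("backend_roles", [])),
            # Empty backend_roles means no LDAP group was resolved, the symptom in this thread.
            "ldap_groups_resolved": bool(authinfo.get("backend_roles"))}

if __name__ == "__main__":
    for finding in lint_security_config(SAMPLE_CONFIG):
        print("finding:", finding)
```

Feed the real file through yaml.safe_load and the real authinfo JSON through json.load to use it against a cluster.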