Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.11.1
Describe the issue:
Good afternoon. Please help me figure out the problem of defining roles in OpenSearch. I tried to set up OpenSearch stack integration with Active Directory. Configured authentication and authorization via LDAP in the config.yml file. Divided AD users into two groups: administrators with the admin_AD role and users with readall_AD rights. I created the roles in the roles_mapping.yml file. But when authorizing through the OpenSearch Dashboards web interface, AD roles are used, and not those that I wrote in roles_mapping.yml. Is this the reason for my error?
Configuration:
file configuration roles_mapping.yml:
admin_AD:
  reserved: false
  backend_roles:
    - "GISAP Admins"
readall_AD:
  reserved: false
  backend_roles:
    - "ORIS"
file configuration config.yml:
ldap:
  description: "Authenticate via LDAP or Active Directory"
  # http_enabled: false
  http_enabled: true
  transport_enabled: false
  order: 5
  http_authenticator:
    type: basic
    challenge: false
  authentication_backend:
    # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
    type: ldap
    config:
      # enable ldaps
      enable_ssl: false
      # enable start tls, enable_ssl should be false
      enable_start_tls: false
      # send client certificate
      enable_ssl_client_auth: false
      # added a parameter that disables following referrals
      # enable_referrals: false
      # verify ldap hostname
      verify_hostnames: true
      hosts:
        - dc.firm-august.ru:389
        - dc2.firm-august.ru:389
      bind_dn: 'CN=elasticsearchuser,OU=GISAP,OU=!Служебные Аккаунты,DC=firm-august,DC=ru'
      password: 'XXXXX'
      # userbase: 'OU=Департамент информационных технологий,OU=Дирекция по стратегическому развитию и изменениям,OU=Departments,DC=firm-august,DC=ru'
      # Filter to search for users (currently in the whole subtree beneath userbase)
      # {0} is substituted with the username
      # usersearch: '(sAMAccountName={0})'
      # Use this attribute from the user as username (if not set then DN is used)
      username_attribute: 'cn'
      users:
        primary-userbase:
          base: 'OU=Departments,DC=firm-august,DC=ru'
          search: '(sAMAccountName={0})'
        secondary-userbase:
          base: 'OU=!Административные аккаунты,OU=!Служебные Аккаунты,DC=firm-august,DC=ru'
          search: '(sAMAccountName={0})'
authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: false
    transport_enabled: false
    authorization_backend:
      # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
      type: ldap
      config:
        # enable ldaps
        enable_ssl: false
        # enable start tls, enable_ssl should be false
        enable_start_tls: false
        # send client certificate
        enable_ssl_client_auth: false
        # verify ldap hostname
        verify_hostnames: true
        hosts:
          - dc.firm-august.ru:389
          - dc2.firm-august.ru:389
        bind_dn: 'CN=elasticsearchuser,OU=GISAP,OU=!Служебные Аккаунты,DC=firm-august,DC=ru'
        password: 'XXXXX'
        rolebase: 'OU=!Groups,DC=firm-august,DC=ru'
        # Filter to search for roles (currently in the whole subtree beneath rolebase)
        # {0} is substituted with the DN of the user
        # {1} is substituted with the username
        # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
        rolesearch: '(member={0})'
        # Specify the name of the attribute which value should be substituted with {2} above
        userroleattribute: '(sAMAccountName={0})'
        # Roles as an attribute of the user entry
        userrolename: 'memberOf'
        # The attribute in a role entry containing the name of that role, Default is "name".
        # Can also be "dn" to use the full DN as rolename.
        rolename: 'cn'
        # Resolve nested roles transitive (roles which are members of other roles and so on ...)
        resolve_nested_roles: true
        users:
          primary-userbase:
            base: 'OU=Departments,DC=firm-august,DC=ru'
            search: '(sAMAccountName={0})'
          secondary-userbase:
            base: 'OU=!Административные аккаунты,OU=!Служебные Аккаунты,DC=firm-august,DC=ru'
            search: '(sAMAccountName={0})'
        skip_users:
          - 'kibanaserver'
          - 'logstash'
          - 'admin'
          # - 'cn=Michael Jackson,ou*people,o=TEST'
          # - '/\S*/'
Relevant Logs or Screenshots:
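The mechanism the post is relying on: the LDAP authz backend returns the user's AD group names as backend roles (with `rolename: 'cn'`, the group's `cn`), and each entry in roles_mapping.yml grants its OpenSearch role only when one of those backend roles matches a listed `backend_roles` pattern exactly, case included. A practical way to see what a logged-in user actually carries is `GET _plugins/_security/authinfo`, which lists `backend_roles` alongside the resolved `roles`; the script below is an added example (editor's code, not the poster's nor the OpenSearch project's) that replays that resolution offline against the roles_mapping.yml quoted in the post, so the returned backend roles can be checked against the mapping without touching the cluster. The YAML parser covers only the small subset roles_mapping.yml uses and fnmatch is used as an approximation of the plugin's wildcard matcher; both are assumptions, and the backend-role lists are constructed.

```python
"""Offline check of an OpenSearch roles_mapping.yml against the backend roles
an LDAP/AD user arrives with.

Added example, not code from the post or from the OpenSearch project. The
backend_roles lists used below stand in for what GET _plugins/_security/authinfo
reports for a logged-in user; they are constructed by hand.
"""
from fnmatch import fnmatchcase

# Constructed copy of the roles_mapping.yml quoted in the post.
ROLES_MAPPING_YML = """\
admin_AD:
  reserved: false
  backend_roles:
    - "GISAP Admins"
readall_AD:
  reserved: false
  backend_roles:
    - "ORIS"
"""


def parse_roles_mapping(text):
    """Parse the small YAML subset roles_mapping.yml uses (assumption: two-space
    indent, scalar values and '- item' lists; no external YAML library needed)."""
    mapping, role, key = {}, None, None
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:                      # top level: the OpenSearch role name
            role, key = body.rstrip(":"), None
            mapping[role] = {}
        elif body.startswith("- ") and key:  # list item under backend_roles/users/hosts
            mapping[role][key].append(body[2:].strip().strip("\"'"))
        else:                                # "key: value", or "key:" opening a list
            k, _, v = body.partition(":")
            key, v = k.strip(), v.strip()
            mapping[role][key] = v.strip("\"'") if v else []
    return mapping


def resolve_roles(mapping, username, backend_roles):
    """Return the OpenSearch roles a user is mapped to. Matching is exact and
    case-sensitive; '*' and '?' wildcards are honoured via fnmatch, which is an
    assumption approximating the plugin's own wildcard matcher."""
    granted = set()
    for role, spec in mapping.items():
        if any(fnmatchcase(username, p) for p in spec.get("users", [])):
            granted.add(role)
        if any(fnmatchcase(br, p) for p in spec.get("backend_roles", []) for br in backend_roles):
            granted.add(role)
        and_roles = spec.get("and_backend_roles", [])
        if and_roles and all(any(fnmatchcase(br, p) for br in backend_roles) for p in and_roles):
            granted.add(role)
    return sorted(granted)


def near_misses(mapping, backend_roles):
    """Backend roles that differ from a mapping entry only in case or surrounding
    whitespace: the usual reason a mapping silently fails to apply."""
    hits = []
    for spec in mapping.values():
        for pattern in spec.get("backend_roles", []):
            for br in backend_roles:
                if br != pattern and br.strip().lower() == pattern.strip().lower():
                    hits.append((br, pattern))
    return hits


if __name__ == "__main__":
    mapping = parse_roles_mapping(ROLES_MAPPING_YML)
    # Constructed authinfo-style backend roles for two AD users.
    for user, groups in [("ivanov", ["GISAP Admins", "Domain Users"]),
                         ("petrov", ["oris"])]:
        print(user, "->", resolve_roles(mapping, user, groups),
              "near misses:", near_misses(mapping, groups))
```

Two things this makes visible: a backend role of `oris` is not mapped by an entry for `ORIS`, and a full group DN is never matched by a `cn`-style entry, so the form of the names in `authinfo` output must agree with the form written in the mapping. The mapping file itself is only consulted once it has been loaded into the security index (securityadmin.sh or the security REST API); a copy edited on disk alone does not change what `authinfo` reports.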