Users from internal db checked over LDAP

Hi All!

Please help with the error below.
I have configured Elasticsearch and Open Distro to use internal users (order: 0) and LDAP users/roles (order: 1).

In Elasticsearch 6 and Open Distro 0.9, users in the internal database passed security without error,
but in Elasticsearch 7 and Open Distro 1.1, I get the following:

[2019-07-11T16:08:29,828][ERROR][c.a.o.s.a.BackendRegistry] [tlm-p-efk001] Cannot retrieve roles for User [name=kibanaserver, roles=, requestedTenant=null] from ldap due to ElasticsearchSecurityException[ElasticsearchSecurityException[
No user kibanaserver found]]; nested: ElasticsearchSecurityException[No user kibanaserver found];
org.elasticsearch.ElasticsearchSecurityException: ElasticsearchSecurityException[No user kibanaserver found]

My config:

```yaml
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    authc:
      internal:
        authentication_backend:
          type: internal
        http_authenticator:
          challenge: true
          type: basic
        http_enabled: true
        order: 0
        transport_enabled: true
      ldap:
        authentication_backend:
          config:
            bind_dn: CN=ldapuser,OU=IT & Svc,OU=company,DC=domain,DC=com
            enable_ssl_client_auth: false
            enable_start_tls: false
            hosts:
              - server402:389
              - server702:389
            password: password
            userbase: OU=svc,OU=IT & Svc,OU=company,DC=domain,DC=com
            username_attribute: cn
            usersearch: (sAMAccountName={0})
            verify_hostnames: false
          type: ldap
        http_authenticator:
          challenge: false
          type: basic
        http_enabled: true
        order: 1
        transport_enabled: false
    authz:
      ldap:
        authorization_backend:
          config:
            bind_dn: CN=ldapuser,OU=IT & Svc,OU=company,DC=domain,DC=com
            enable_ssl_client_auth: false
            enable_start_tls: false
            hosts:
              - server402:389
              - server702:389
            password: password
            resolve_nested_roles: true
            rolebase: OU=svc,OU=IT & Svc,OU=company,DC=domain,DC=com
            rolename: cn
            rolesearch: (member={0})
            userbase: OU=svc,OU=IT & Svc,OU=company,DC=domain,DC=com
            username_attribute: cn
            userrolename: memberOf
            usersearch: (sAMAccountName={0})
            verify_hostnames: false
          type: ldap
        http_enabled: true
        transport_enabled: false
    do_not_fail_on_forbidden: false
    filtered_alias_mode: warn
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
    kibana:
      index: .kibana
      multitenancy_enabled: true
      server_username: kibanaserver
```

You have to add the internal user list under the authz/config in the following form:

```yaml
skip_users:
  - <internal_user_name1>
```

1 Like
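For readers who want to see where the parameter sits in the file, here is the authz section of the config above with the skip_users list added. This is an added example for this thread, not configuration posted by the original poster or shipped by the Open Distro project: the backend name, bind DN, hosts and search bases are copied from the config in the question, and `<internal_user_name2>` is a placeholder for any further internal-database user you want the LDAP role lookup to skip. The reason it helps is that the authz block runs for every authenticated user regardless of which authc backend authenticated them, so an internal user such as kibanaserver that has no object in the directory produces the "No user ... found" error; skip_users tells the LDAP authorization backend not to look those names up, and they keep the roles mapped to them internally.

```yaml
    authz:
      ldap:
        authorization_backend:
          config:
            # Internal-database users that have no LDAP object; the role
            # lookup below is bypassed for these names instead of failing.
            skip_users:
              - kibanaserver
              - <internal_user_name2>   # placeholder, replace or remove
            bind_dn: CN=ldapuser,OU=IT & Svc,OU=company,DC=domain,DC=com
            enable_ssl_client_auth: false
            enable_start_tls: false
            hosts:
              - server402:389
              - server702:389
            password: password
            resolve_nested_roles: true
            rolebase: OU=svc,OU=IT & Svc,OU=company,DC=domain,DC=com
            rolename: cn
            rolesearch: (member={0})
            userbase: OU=svc,OU=IT & Svc,OU=company,DC=domain,DC=com
            username_attribute: cn
            userrolename: memberOf
            usersearch: (sAMAccountName={0})
            verify_hostnames: false
          type: ldap
        http_enabled: true
        transport_enabled: false
```

After changing config.yml, the new settings only take effect once they are uploaded to the security index (for example with the securityadmin tool the plugin ships with); a quick check afterwards is that the `Cannot retrieve roles for User [name=kibanaserver ...]` line no longer appears in the Elasticsearch log when Kibana reconnects.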

Thank you, this is working perfectly!
I did not pay attention to this parameter, 'skip_users'.