Deny LDAP users without role mapping

Greetings

I have some of my nodes set up to accept users via LDAP authentication, with role mapping based on group membership. The relevant configuration looks like this.

elasticsearch.yml:

xpack.security.authc.realms:
    realm1:
        type: native
        order: 0
    realm2:
        type: ldap
        order: 1
        metadata: uid
        url: ["ldaps://bizldap40:646","ldaps://bizldap41:636"]
        ssl.certificate_authorities: /etc/elasticsearch/certs/ldapcacert.crt
        user_search:
            base_dn: "ou=people,dc=example,dc=biz"
            attribute: uid
        group_search:
            base_dn: "ou=clog_mail,ou=mailcloud,ou=svcs,dc=example,dc=biz"
            scope: sub_tree
            user_attribute: uid
            filter: "(&(objectClass=posixGroup)(member=uid={0},ou=people,dc=example,dc=biz))"

Role mapping:

{
  "admins": {
    "enabled": true,
    "roles": [
      "superuser"
    ],
    "rules": {
      "field": {
        "groups": "cn=CLOG-ELK-Admin,ou=clog_mail,ou=mailcloud,ou=svcs,dc=example,dc=biz"
      }
    }
  },
  "viewers": {
    "enabled": true,
    "roles": [
      "kibana_dashboard_only_user"
    ],
    "rules": {
      "field": {
        "groups": "cn=CLOG-ELK-Viewer,ou=clog_mail,ou=mailcloud,ou=svcs,dc=example,dc=biz"
      }
    }
  },
  "editors": {
    "enabled": true,
    "roles": [
      "editor_user"
    ],
    "rules": {
      "field": {
        "groups": "cn=CLOG-ELK-Editor,ou=clog_mail,ou=mailcloud,ou=svcs,dc=example,dc=biz"
      }
    }
  }
}

Now, when a user without membership in any of CLOG-ELK-Admin, CLOG-ELK-Editor, or CLOG-ELK-Viewer tries to log in through Kibana, they are admitted into the Kibana GUI, but not granted any rights.
Is there a way to deny the login attempt entirely for such users?

Thanks
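The following is an added example, not code from the original post or from Elasticsearch itself. It is a small offline model of what the question describes: the LDAP realm authenticates any uid it can find, and only afterwards are the role-mapping rules evaluated, so a user who matches no mapping is authenticated with an empty role set. The rule evaluator implements the role-mapping DSL (`field`, `any`, `all`, `except`, with the `*` wildcard) in general, not just the three `field` rules on the page, and `authenticated_without_roles()` is an audit helper that lists exactly the accounts that would reach the Kibana GUI with no rights. The directory contents (uids `alice`, `bob`, `carol`, `mallory` and their groups) are constructed for the example; the group and people base DNs and the three mappings are the ones from the question.

```python
"""Offline model of Elasticsearch role-mapping evaluation for an LDAP realm.

Added example, not Elasticsearch code. It shows why a user who authenticates
against the LDAP realm but matches none of the mappings ends up logged in with
an empty role set, and provides an audit helper that lists such users.
"""
from fnmatch import fnmatchcase

GROUP_BASE = "ou=clog_mail,ou=mailcloud,ou=svcs,dc=example,dc=biz"
PEOPLE_BASE = "ou=people,dc=example,dc=biz"

# Constructed directory snapshot (hypothetical users): uid -> DNs of the
# posixGroups that the realm's group_search would return for that user.
DIRECTORY = {
    "alice": [f"cn=CLOG-ELK-Admin,{GROUP_BASE}"],
    "bob": [f"cn=CLOG-ELK-Viewer,{GROUP_BASE}", f"cn=CLOG-ELK-Editor,{GROUP_BASE}"],
    "mallory": [f"cn=CLOG-Mail-Ops,{GROUP_BASE}"],  # valid account, unrelated group
    "carol": [],                                     # valid account, no groups at all
}

# The three mappings from the question, as the role-mapping API stores them.
ROLE_MAPPINGS = {
    "admins": {"enabled": True, "roles": ["superuser"],
               "rules": {"field": {"groups": f"cn=CLOG-ELK-Admin,{GROUP_BASE}"}}},
    "viewers": {"enabled": True, "roles": ["kibana_dashboard_only_user"],
                "rules": {"field": {"groups": f"cn=CLOG-ELK-Viewer,{GROUP_BASE}"}}},
    "editors": {"enabled": True, "roles": ["editor_user"],
                "rules": {"field": {"groups": f"cn=CLOG-ELK-Editor,{GROUP_BASE}"}}},
}


def ldap_login(uid):
    """Model the realm's authentication step: a uid that user_search cannot find
    fails (None); a uid it finds is authenticated, and the realm builds the
    user-info document that the mapping rules are evaluated against. Group
    membership plays no part in this step, which is the root of the problem."""
    if uid not in DIRECTORY:
        return None
    return {
        "username": uid,
        "dn": f"uid={uid},{PEOPLE_BASE}",
        "groups": DIRECTORY[uid],
        "realm.name": "realm2",
        "metadata.uid": uid,
    }


def _values(v):
    return v if isinstance(v, list) else [v]


def rule_matches(rule, user):
    """Evaluate one role-mapping rule (field / any / all / except) against a
    user-info document. A field value is compared case-sensitively and may use
    a '*' wildcard; a list-valued field matches if any element matches; a null
    value matches when the field is absent or empty."""
    if len(rule) != 1:
        raise ValueError(f"rule must have exactly one key: {rule}")
    (kind, body), = rule.items()
    if kind == "field":
        (name, wanted), = body.items()
        actual = _values(user.get(name, []))
        for w in _values(wanted):
            if w is None:
                if not actual:
                    return True
            elif any(fnmatchcase(str(a), str(w)) for a in actual):
                return True
        return False
    if kind == "any":
        return any(rule_matches(r, user) for r in body)
    if kind == "all":
        return all(rule_matches(r, user) for r in body)
    if kind == "except":
        return not rule_matches(body, user)
    raise ValueError(f"unknown rule type {kind!r}")


def resolve_roles(user, mappings=ROLE_MAPPINGS):
    """Union of the roles of every enabled mapping whose rule matches the user.
    An empty list is a valid outcome: the user is still authenticated."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and rule_matches(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)


def authenticated_without_roles(directory=DIRECTORY, mappings=ROLE_MAPPINGS):
    """Audit helper: uids that pass LDAP authentication yet receive no roles,
    i.e. the accounts that land in the Kibana GUI with no rights."""
    exposed = []
    for uid in directory:
        user = ldap_login(uid)
        if user is not None and not resolve_roles(user, mappings):
            exposed.append(uid)
    return sorted(exposed)


if __name__ == "__main__":
    for uid in DIRECTORY:
        print(f"{uid:8} roles={resolve_roles(ldap_login(uid)) or '(none, but logged in)'}")
    print("authenticated with no roles:", authenticated_without_roles())
```

Running the module prints the role set per user and then the audit list; a production version of the audit would feed it the real user-info documents (for example from the authenticate API) rather than the constructed snapshot. Since the evaluator supports `all`/`except`, it also lets you test a rule such as "authenticated in realm2 but in no CLOG-ELK-* group", which is the condition the question wants to deny at login time rather than merely map to nothing.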

No, this is not possible in current versions. There is an open issue to change this.
