Greetings
I have some of my nodes set up to accept users via LDAP authentication, with role mapping based on group membership. The relevant configuration looks like this.
elasticsearch.yml:
xpack.security.authc.realms:
  realm1:
    type: native
    order: 0
  realm2:
    type: ldap
    order: 1
    metadata: uid
    url: ["ldaps://bizldap40:646","ldaps://bizldap41:636"]
    ssl.certificate_authorities: /etc/elasticsearch/certs/ldapcacert.crt
    user_search:
      base_dn: "ou=people,dc=example,dc=biz"
      attribute: uid
    group_search:
      base_dn: "ou=clog_mail,ou=mailcloud,ou=svcs,dc=example,dc=biz"
      scope: sub_tree
      user_attribute: uid
      filter: "(&(objectClass=posixGroup)(member=uid={0},ou=people,dc=example,dc=biz))"
Role mapping:
{
  "admins": {
    "enabled": true,
    "roles": [
      "superuser"
    ],
    "rules": {
      "field": {
        "groups": "cn=CLOG-ELK-Admin,ou=clog_mail,ou=mailcloud,ou=svcs,dc=example,dc=biz"
      }
    }
  },
  "viewers": {
    "enabled": true,
    "roles": [
      "kibana_dashboard_only_user"
    ],
    "rules": {
      "field": {
        "groups": "cn=CLOG-ELK-Viewer,ou=clog_mail,ou=mailcloud,ou=svcs,dc=example,dc=biz"
      }
    }
  },
  "editors": {
    "enabled": true,
    "roles": [
      "editor_user"
    ],
    "rules": {
      "field": {
        "groups": "cn=CLOG-ELK-Editor,ou=clog_mail,ou=mailcloud,ou=svcs,dc=example,dc=biz"
      }
    }
  }
}
Now, when a user without membership in CLOG-ELK-Admin, CLOG-ELK-Editor, or CLOG-ELK-Viewer tries to log in through Kibana, they are admitted into the Kibana GUI but not granted any rights.
Is there a way to deny the login attempt entirely for such users?
Thanks
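The situation described in the post (users who authenticate against LDAP but match none of the group-based mappings) can be checked offline before anyone logs in. The following is an added example, not code from the post or from Elasticsearch: it re-implements the role mapping rule combinators (field / any / all / except) over constructed sample users and reports who would end up with zero roles. The group DNs are taken from the post; the user records, usernames and the simplified case-insensitive DN comparison are assumptions.

```python
"""Evaluate Elasticsearch-style role mapping rules against LDAP users and flag users who would get no roles."""

# Group OU suffix from the post; the three mappings mirror the posted role mapping output.
OU = "ou=clog_mail,ou=mailcloud,ou=svcs,dc=example,dc=biz"
ROLE_MAPPINGS = {
    "admins": {"enabled": True, "roles": ["superuser"],
               "rules": {"field": {"groups": f"cn=CLOG-ELK-Admin,{OU}"}}},
    "viewers": {"enabled": True, "roles": ["kibana_dashboard_only_user"],
                "rules": {"field": {"groups": f"cn=CLOG-ELK-Viewer,{OU}"}}},
    "editors": {"enabled": True, "roles": ["editor_user"],
                "rules": {"field": {"groups": f"cn=CLOG-ELK-Editor,{OU}"}}},
}

def _field_matches(user: dict, name: str, expected) -> bool:
    """'field' rule: any expected value equals any value of the user's field (case-insensitive, simplified)."""
    expected_vals = expected if isinstance(expected, list) else [expected]
    actual = user.get(name, [])
    actual_vals = actual if isinstance(actual, list) else [actual]
    return any(str(e).lower() == str(a).lower() for e in expected_vals for a in actual_vals)

def rule_matches(rule: dict, user: dict) -> bool:
    """Recursive evaluator for the field / any / all / except rule combinators."""
    if "field" in rule:
        return all(_field_matches(user, k, v) for k, v in rule["field"].items())
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "except" in rule:
        return not rule_matches(rule["except"], user)
    raise ValueError(f"unknown rule type: {rule}")

def mapped_roles(user: dict, mappings: dict = ROLE_MAPPINGS) -> set:
    """Union of roles from every enabled mapping whose rules match the user."""
    roles = set()
    for m in mappings.values():
        if m.get("enabled", True) and rule_matches(m["rules"], user):
            roles.update(m["roles"])
    return roles

def users_without_roles(users: list, mappings: dict = ROLE_MAPPINGS) -> list:
    """Users who would pass LDAP authentication but be mapped to zero roles (logged in, no rights)."""
    return [u["username"] for u in users if not mapped_roles(u, mappings)]

# Constructed sample users (assumed), with group DNs as the LDAP realm would populate them.
SAMPLE_USERS = [
    {"username": "alice", "groups": [f"cn=CLOG-ELK-Admin,{OU}"]},
    {"username": "bob", "groups": [f"cn=CLOG-ELK-Viewer,{OU}", "cn=Other,ou=people,dc=example,dc=biz"]},
    {"username": "carol", "groups": ["cn=Other,ou=people,dc=example,dc=biz"]},
]
```

Running `users_without_roles(SAMPLE_USERS)` returns `["carol"]`, the class of user the post describes; feeding it the real group membership export lets you find such accounts before they hit Kibana.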