Deny LDAP users without role mapping

Elastic Stack Elasticsearch
1

Greetings

I have some of my nodes set up to accept users via LDAP authentication, with role mapping based on group membership. The relevant configuration looks like this.

elasticsearch.yml:

xpack.security.authc.realms:
    realm1:
        type: native
        order: 0
    realm2:
        type: ldap
        order: 1
        metadata: uid
        url: ["ldaps://bizldap40:646","ldaps://bizldap41:636"]
        ssl.certificate_authorities: /etc/elasticsearch/certs/ldapcacert.crt
        user_search:
            base_dn: "ou=people,dc=example,dc=biz"
            attribute: uid
        group_search:
            base_dn: "ou=clog_mail,ou=mailcloud,ou=svcs,dc=example,dc=biz"
            scope: sub_tree
            user_attribute: uid
            filter: "(&(objectClass=posixGroup)(member=uid={0},ou=people,dc=example,dc=biz))"

Role mapping:

{
  "admins": {
    "enabled": true,
    "roles": [
      "superuser"
    ],
    "rules": {
      "field": {
        "groups": "cn=CLOG-ELK-Admin,ou=clog_mail,ou=mailcloud,ou=svcs,dc=example,dc=biz"
      }
    }
  },
  "viewers": {
    "enabled": true,
    "roles": [
      "kibana_dashboard_only_user"
    ],
    "rules": {
      "field": {
        "groups": "cn=CLOG-ELK-Viewer,ou=clog_mail,ou=mailcloud,ou=svcs,dc=example,dc=biz"
      }
    }
  },
  "editors": {
    "enabled": true,
    "roles": [
      "editor_user"
    ],
    "rules": {
      "field": {
        "groups": "cn=CLOG-ELK-Editor,ou=clog_mail,ou=mailcloud,ou=svcs,dc=example,dc=biz"
      }
    }
  }
}

Now, when a user without membership in either CLOG-ELK-Admin, CLOG-ELK-Editor, or CLOG-ELK-Viewer tries to log in through Kibana, they are admitted into the Kibana GUI, but not granted any rights.
Is there a way to deny the login attempt entirely for such users?

Thanks

2

No, this is not possible in current versions. There is an open issue to change this.