Failed to assign role via role mapping API (LDAP realm)

Hi,
I have an issue assigning a role via the role-mapping setting.

I tried to assign a role to a certain group of people who connect through the LDAP realm.
If I use the native role mapping file, it works fine.

My role_mapping.yml looks like this:

# Role mapping configuration file which has elasticsearch roles as keys
# that map to one or more user or group distinguished names

#roleA:   this is an elasticsearch role
#  - groupA-DN  this is a group distinguished name
#  - groupB-DN
#  - user1-DN   this is the full user distinguished name

#power_user:
#  - "cn=admins,dc=example,dc=com"
#user:
#  - "cn=users,dc=example,dc=com"
#  - "cn=admins,dc=example,dc=com"
#  - "cn=John Doe,cn=other users,dc=example,dc=com"
My-role:
   - "cn=the_groupe,ou=mother_group,ou=um,ou=groups,dc=mydomain,dc=com"

My role mapping created from the API:

"Agent-viewer": {
  "enabled": true,
  "roles": [
    "My-role"
  ],
  "rules": {
    "field": {
      "dn": "cn=the_groupe,ou=mother_group,ou=um,ou=groups,dc=mydomain,dc=com"
    }
  },
  "metadata": {}
}

Log when I'm not using role_mapping.yml:

[2023-04-28T11:43:26,174][DEBUG][o.e.x.s.a.l.LdapUserSearchSessionFactory] [elastic-mydomain.com] Resolved 6 LDAP groups [[#MY group]] for user [uid=xxxxxx,ou=people,dc=mydomain,dc=com]
[2023-04-28T11:43:26,174][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [elastic-mydomain.com] the roles [[]], are mapped from the user [uid=xxxxxx,ou=people,dc=mydomain,dc=com] using file [role_mapping.yml] for realm [ldap/ldap1]

Log when I use role_mapping.yml:

[2023-04-28T11:49:45,480][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [elastic-mydomain.com] the roles [[My-role]], are mapped from these [ldap] groups [[MYGROUP]] using file [role_mapping.yml] for realm [ldap/ldap1]
[2023-04-28T11:49:45,486][DEBUG][o.e.x.s.a.l.LdapRealm    ] [prodelastic-hot1.infra.umontpellier.fr] realm [ldap1] authenticated user [xxxxx], with roles [[My-role]] (cached)

I have tried to create the role mapping with the API and with Kibana (Stack Management / Role Mappings).

If I copy and paste the DN given in my role_mapping.yml into the API or the Kibana tool, the user cannot log in, so I suppose it's not a problem of syntax.

How should I approach this issue?
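The following is an added example, not code from the original post and not Elasticsearch's own implementation. It re-implements the documented role-mapping rule semantics (`field`, `any`, `all`, `except`) just far enough to show the difference between the two ways of matching: in the role-mapping API a `field.dn` rule is compared against the authenticating user's own DN, while group membership is matched with `field.groups`; the `role_mapping.yml` file accepts either a user DN or a group DN under a role, which is why the file works and the API mapping as posted does not. The user DN and group DN are taken from the post's log lines; the realm name `ldap1`, the case-folding DN normalization and the `*` wildcard handling are assumptions of this example, not guarantees about how Elasticsearch compares DNs.

```python
"""Mini-evaluator for Elasticsearch role-mapping rules (added example).

Re-implements the rule tree (field / any / all / except) to show why a
'dn' rule carrying a group DN matches nobody, while a 'groups' rule does.
"""
from fnmatch import fnmatchcase


def normalize_dn(dn: str) -> str:
    """Assumed DN normalization: lower-case, strip spaces around RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def field_matches(user: dict, field: str, expected) -> bool:
    """Evaluate one {"field": {name: value}} rule.

    'dn' and 'username' are compared with the user's own attributes;
    'groups' is compared with every group DN the realm resolved.
    A list value means "any of these"; '*' wildcards are honoured.
    """
    expected_values = expected if isinstance(expected, list) else [expected]
    if field == "groups":
        candidates = [normalize_dn(g) for g in user.get("groups", [])]
        expected_values = [normalize_dn(str(v)) for v in expected_values]
    elif field == "dn":
        candidates = [normalize_dn(user["dn"])]
        expected_values = [normalize_dn(str(v)) for v in expected_values]
    elif field.startswith("metadata."):
        key = field[len("metadata."):]
        candidates = [str(user.get("metadata", {}).get(key, ""))]
    else:  # username, realm.name
        candidates = [str(user.get(field, ""))]
    return any(fnmatchcase(c, str(e)) for c in candidates for e in expected_values)


def rule_matches(user: dict, rule: dict) -> bool:
    """Recursively evaluate a role-mapping rule tree."""
    if "field" in rule:
        return all(field_matches(user, n, v) for n, v in rule["field"].items())
    if "any" in rule:
        return any(rule_matches(user, r) for r in rule["any"])
    if "all" in rule:
        return all(rule_matches(user, r) for r in rule["all"])
    if "except" in rule:
        return not rule_matches(user, rule["except"])
    raise ValueError(f"unknown rule: {rule}")


def roles_for(user: dict, mappings: dict) -> set:
    """Union of roles from every enabled mapping whose rules match."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and rule_matches(user, mapping["rules"]):
            roles.update(mapping["roles"])
    return roles


# Constructed user, modelled on the post's DEBUG log: the realm resolves the
# user DN and the group DNs separately, and rules see them as separate fields.
GROUP_DN = "cn=the_groupe,ou=mother_group,ou=um,ou=groups,dc=mydomain,dc=com"
LDAP_USER = {
    "username": "xxxxxx",
    "dn": "uid=xxxxxx,ou=people,dc=mydomain,dc=com",
    "groups": [GROUP_DN],
    "realm.name": "ldap1",  # assumed realm name, taken from the log lines
}

# The mapping from the post: 'dn' is the user's own DN, so a group DN never matches.
MAPPING_AS_POSTED = {
    "Agent-viewer": {
        "enabled": True,
        "roles": ["My-role"],
        "rules": {"field": {"dn": GROUP_DN}},
        "metadata": {},
    }
}

# API equivalent of the role_mapping.yml entry: group membership goes under
# 'groups'; the realm.name clause (assumption) keeps the mapping from also
# applying to an identically named DN in another realm.
MAPPING_FIXED = {
    "Agent-viewer": {
        "enabled": True,
        "roles": ["My-role"],
        "rules": {
            "all": [
                {"field": {"realm.name": "ldap1"}},
                {"field": {"groups": GROUP_DN}},
            ]
        },
        "metadata": {},
    }
}

if __name__ == "__main__":
    print("as posted:", roles_for(LDAP_USER, MAPPING_AS_POSTED))  # set()
    print("fixed:    ", roles_for(LDAP_USER, MAPPING_FIXED))      # {'My-role'}
```

The `rules` object of `MAPPING_FIXED` is what would go in the body of `PUT _security/role_mapping/Agent-viewer`. Scoping the rule to the realm is worth keeping even once the `groups` field fixes the immediate problem: role mappings are evaluated for every realm, so a bare DN match would also grant `My-role` to any other realm that happens to report the same group DN.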
