Having issues mapping roles to users in nested LDAP groups

Good day,

I am having an issue mapping roles to users who belong to nested LDAP groups using the LDAP Realm authentication option in the X-pack plugin.

For instance, I have a LDAP group called: elk-users, and inside I have 3 department groups that are I want to the basic ability to view data under the logstash_yyyy_dd_mm index in Kibana.

In my elasticsearch.yml, I have the following:

          type: ldap
          order: 0
          url: "ldap://ldapserver.helloworld.com:389"
          bind_dn: "cn=bindaccount,ou=UserAccounts,dc=helloworld,dc=com"
          bind_password: XXXXXXXXXX
            base_dn: "dc=helloworld,dc=com"
            attribute: cn
          user_group_attribute: memberOf
          #  base_dn: "dc=helloworld,dc=com"
            role_mapping: "/etc/elasticsearch/x-pack/role_mapping.yml"

In my role_mapping.yml file, I have the following:

  - "cn=elk-admins,ou=UsersGroups,ou=SpecialGroups,dc=helloworld,dc=com"
  - "cn=elk-users,ou=UsersGroups,ou=SpecialGroups,dc=helloworld,dc=com"

In the hypothetical role_mapping.yml, users mapped to the elk-admins role can log in with Superuser privileges, but users mapped the "kibana_user" role can log in via Kibana, but can not view anything under the logstash_YYYY_DD_MM index.

FYI the users in the elk-users group are nested inside other groups such as departmental groups. In other words, the elk-users group has 3 ldap groups contained with in the group. Users in the elk-admins LDAP group, were added one by one, and are not nested inside of another ldap group. Also the ldap realm configuration in elasticsearch.yml is binding to an Active Directory domain.

Is there something I am missing in my ldap realm or role_mapping config that would prevent the users in the "elk-users" group from getting the permissions mapped to them when logging into Kibana?

We do not support nested LDAP groups.

Is there a reason you are not using the Active Directory realm for this? The AD realm does support nested groups.

It's because I couldn't find any clear documentation on how to bind to Active Directory using a username and password. It appears that you can only use certificates to connect to an Active Directory domain using the X-pack plugin. Am I missing something?

I used the this document and couldn't find any attributes to specify a username or a password. https://www.elastic.co/guide/en/x-pack/current/active-directory-realm.html

After some examination of my config, I switch the realm to use active_directory instead of ldap. Then I had to trim off the parameters that are used in ldap realm and restart Elasticsearch. After restarting ElasticSearch I noticed that the "kibana_user" group was properly mapping to a user that belonged to one of the nested LDAP groups in the elk-users group. I still have some tweaking to do. I basically had to go off the assumption that the x-pack plugin was going to use the username and password input from Kibana and use it to query the Active Directory domain. After testing the changes, my assumption seemed to be correct. Otherwise, it wasn't easy to deduce this from the documentation.

I was able to get my problem solved with the info that you provided. However I am having an issue with the "Discover", "Management", "Machine Learning", etc showing up as blank when I click on them even though I gave my role read access to all indices. I suspect this is an issue with role privileges and with the Active Directory realm configuration at this point.

If you are concerned about your role mappings, try hitting the Authenticate API.

The output of that API includes a list of roles that you can check agains the roles you are trying to grant.

I fixed this by defining document field privileges.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.