Good day,
I am having an issue mapping roles to users who belong to nested LDAP groups using the LDAP Realm authentication option in the X-Pack plugin.
For instance, I have an LDAP group called elk-users, and inside it I have 3 department groups that I want to have the basic ability to view data under the logstash_yyyy_dd_mm index in Kibana.
In my elasticsearch.yml, I have the following:
xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldap://ldapserver.helloworld.com:389"
          bind_dn: "cn=bindaccount,ou=UserAccounts,dc=helloworld,dc=com"
          bind_password: XXXXXXXXXX
          user_search:
            base_dn: "dc=helloworld,dc=com"
            attribute: cn
          user_group_attribute: memberOf
          #group_search:
          #  base_dn: "dc=helloworld,dc=com"
          files:
            role_mapping: "/etc/elasticsearch/x-pack/role_mapping.yml"
In my role_mapping.yml file, I have the following:
superuser:
  - "cn=elk-admins,ou=UsersGroups,ou=SpecialGroups,dc=helloworld,dc=com"
kibana_user:
  - "cn=elk-users,ou=UsersGroups,ou=SpecialGroups,dc=helloworld,dc=com"
In the hypothetical role_mapping.yml, users mapped to the elk-admins role can log in with superuser privileges, but users mapped to the "kibana_user" role can log in via Kibana but cannot view anything under the logstash_YYYY_DD_MM index.
FYI, the users in the elk-users group are nested inside other groups such as departmental groups. In other words, the elk-users group has 3 LDAP groups contained within it. Users in the elk-admins LDAP group were added one by one and are not nested inside another LDAP group. Also, the LDAP realm configuration in elasticsearch.yml is binding to an Active Directory domain.
Is there something I am missing in my ldap realm or role_mapping config that would prevent the users in the "elk-users" group from getting the permissions mapped to them when logging into Kibana?
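The following is an added example, not X-Pack's code and not part of the original post. It models the situation described above with a small in-memory directory: the elk-admins and elk-users groups from the role_mapping.yml, three constructed department groups nested inside elk-users, and two constructed users (alice, a direct member of elk-admins; bob, a member of a department group only). It contrasts a memberOf-style lookup, which in Active Directory returns only the groups an object is a direct member of, with a transitive lookup that walks the nesting, then applies the posted role mapping to each result. The index-privilege table is a deliberate simplification (the built-in kibana_user role grants access to Kibana's own index, not to data indices; the logstash_reader role is hypothetical), so the example also shows that a mapping to kibana_user alone does not grant reads on a logstash index even once the group is matched.

```python
"""Model of how LDAP group membership turns into Elasticsearch roles.

Added example, not X-Pack's own code: an in-memory directory with the
group tree from the question (elk-users containing three department
groups), a memberOf-style lookup that sees only direct parents, a
transitive lookup that walks the nesting, and the role_mapping.yml rules
from the post. User and department DNs are constructed.
"""
from collections import deque
from fnmatch import fnmatch

BASE = "ou=UsersGroups,ou=SpecialGroups,dc=helloworld,dc=com"
ELK_ADMINS = f"cn=elk-admins,{BASE}"
ELK_USERS = f"cn=elk-users,{BASE}"
DEPT_FINANCE = f"cn=dept-finance,{BASE}"  # constructed department groups
DEPT_HR = f"cn=dept-hr,{BASE}"
DEPT_IT = f"cn=dept-it,{BASE}"
ALICE = "cn=alice,ou=UserAccounts,dc=helloworld,dc=com"  # constructed users
BOB = "cn=bob,ou=UserAccounts,dc=helloworld,dc=com"

# Constructed directory: group DN -> direct members (users or groups).
GROUPS = {
    ELK_ADMINS: [ALICE],
    ELK_USERS: [DEPT_FINANCE, DEPT_HR, DEPT_IT],
    DEPT_FINANCE: [BOB],
    DEPT_HR: [],
    DEPT_IT: [],
}

# role_mapping.yml from the question, as a dict: role -> group DNs.
ROLE_MAPPING = {
    "superuser": [ELK_ADMINS],
    "kibana_user": [ELK_USERS],
}

# Simplified read privileges per role (constructed, not the full built-in
# definitions): kibana_user only reaches the .kibana index, so a separate
# role is needed for the logstash data. logstash_reader is hypothetical.
ROLE_INDEX_READ = {
    "superuser": ["*"],
    "kibana_user": [".kibana*"],
    "logstash_reader": ["logstash_*"],
}


def direct_groups(dn):
    """Groups listing `dn` as a direct member: what a memberOf read returns."""
    return {group for group, members in GROUPS.items() if dn in members}


def transitive_groups(dn):
    """Direct groups plus every group that contains them, to any depth."""
    seen = set()
    queue = deque(direct_groups(dn))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(direct_groups(group))  # parents of this group
    return seen


def map_roles(group_dns):
    """Apply role_mapping.yml: a role is granted if any of its DNs matched."""
    return {role for role, dns in ROLE_MAPPING.items() if set(dns) & set(group_dns)}


def can_read(roles, index):
    """True if any granted role has a read pattern matching `index`."""
    return any(
        fnmatch(index, pattern)
        for role in roles
        for pattern in ROLE_INDEX_READ.get(role, [])
    )


if __name__ == "__main__":
    for user in (ALICE, BOB):
        direct = map_roles(direct_groups(user))
        nested = map_roles(transitive_groups(user))
        print(f"{user}: memberOf-only roles={sorted(direct)} nested roles={sorted(nested)}")
        print("  read logstash_2017_01_01 with nested roles:",
              can_read(nested, "logstash_2017_01_01"))
```

In the model, bob's memberOf read returns only the department group, so the elk-users mapping never fires and he receives no role at all; only the transitive walk reaches elk-users. Alice, a direct member of elk-admins, gets superuser either way, which matches the behaviour reported in the post. Separately, even the transitive result for bob is just kibana_user, which in this simplified table cannot read logstash_2017_01_01; a role with read privileges on the logstash indices has to be mapped as well.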