LDAP authentication in Kibana


(dharmendra pratap singh) #1

Hello Friends,
Hope yo are doing good.

In my application, I want to do the authentication in kibana using LDAP. if
anyone has done it before, please help me to come out of this.

Appreciate your help.

Regards
Dharmendra

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/b2f56f3f-c55b-4f01-9e0f-bcb090cf643e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


(Brian Yoder) #2

Dharmendra,

Since Kibana is not a web server but must run within a web server, it's
that web server that would provide the authentication. This would be Apache
HTTPD, nginx, Node.js, or some other HTTP server. All three of the options
I listed have LDAP authentication modules available for them.

I have not yet done this, but it's something we will need as we move from
evaluating the ELK stack to actually deploying it.

I did get Kibana to run as a site plugin for Elasticsearch, but this is
only for a very quick and very easy way to start generating enthusiasm
(which it is doing!). However, this provides no means of authentication.

Brian

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/1334fbdf-ff02-4879-a39e-b843e6dbcc19%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


(dharmendra pratap singh) #3

Hi Brian,
Thanks a lot for your response.

Brian, Can you guide me how can I do the user authentication based on
Active Directory. I am using Apache Tomcat for running my Kibana.

My Current requirement is to give access only to the LDAP users for my
Kibana dashboard and these users should have the access to ES.

Appreciate your help.
Thanks a lot.

Regards
Dharmendra

On Wed, Jun 18, 2014 at 8:27 PM, Brian brian.from.fl@gmail.com wrote:

Dharmendra,

Since Kibana is not a web server but must run within a web server, it's
that web server that would provide the authentication. This would be Apache
HTTPD, nginx, Node.js, or some other HTTP server. All three of the options
I listed have LDAP authentication modules available for them.

I have not yet done this, but it's something we will need as we move from
evaluating the ELK stack to actually deploying it.

I did get Kibana to run as a site plugin for Elasticsearch, but this is
only for a very quick and very easy way to start generating enthusiasm
(which it is doing!). However, this provides no means of authentication.

Brian

--
You received this message because you are subscribed to a topic in the
Google Groups "elasticsearch" group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/elasticsearch/Vtr8FLDF7Oo/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/1334fbdf-ff02-4879-a39e-b843e6dbcc19%40googlegroups.com
https://groups.google.com/d/msgid/elasticsearch/1334fbdf-ff02-4879-a39e-b843e6dbcc19%40googlegroups.com?utm_medium=email&utm_source=footer
.

For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/CAHBFL7qGAijWgt00ZnCsUDqeYXty%3DCaaZWanXWt6iig6kem5QA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


(alekjouharyan) #4

Here's my ldap-related apache conf (using authnz_ldap)...hope it helps

AuthLDAPBindDN "CN=username, CN=Users, DC=domain, DC=com" AuthLDAPBindPassword "Password for Kerberos auth user" AuthLDAPURL "ldap(or ldaps)://fqdns or ip of ldap/ad server/CN=users,DC=domain,DC=.com?sAMAccountName?sub?(objectClass=*)" AuthType Basic AuthBasicProvider ldap AuthName "some text for login prompt" AuthLDAPAuthorative on AuthLDAPGroupAttributeIsDN on require valid-user

https://github.com/elasticsearch/kibana/blob/master/sample/apache_ldap.conf

http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication

http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html

http://www.linuxquestions.org/questions/linux-server-73/active-directory-ldap-authentication-with-apache-2-2-a-917739/

^some links that helped me out

On Wednesday, June 18, 2014 9:52:58 AM UTC-7, dharmendra pratap singh wrote:

Hi Brian,
Thanks a lot for your response.

Brian, Can you guide me how can I do the user authentication based on
Active Directory. I am using Apache Tomcat for running my Kibana.

My Current requirement is to give access only to the LDAP users for my
Kibana dashboard and these users should have the access to ES.

Appreciate your help.
Thanks a lot.

Regards
Dharmendra

On Wed, Jun 18, 2014 at 8:27 PM, Brian <brian....@gmail.com <javascript:>>
wrote:

Dharmendra,

Since Kibana is not a web server but must run within a web server, it's
that web server that would provide the authentication. This would be Apache
HTTPD, nginx, Node.js, or some other HTTP server. All three of the options
I listed have LDAP authentication modules available for them.

I have not yet done this, but it's something we will need as we move from
evaluating the ELK stack to actually deploying it.

I did get Kibana to run as a site plugin for Elasticsearch, but this is
only for a very quick and very easy way to start generating enthusiasm
(which it is doing!). However, this provides no means of authentication.

Brian

--
You received this message because you are subscribed to a topic in the
Google Groups "elasticsearch" group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/elasticsearch/Vtr8FLDF7Oo/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
elasticsearc...@googlegroups.com <javascript:>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/1334fbdf-ff02-4879-a39e-b843e6dbcc19%40googlegroups.com
https://groups.google.com/d/msgid/elasticsearch/1334fbdf-ff02-4879-a39e-b843e6dbcc19%40googlegroups.com?utm_medium=email&utm_source=footer
.

For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/4cee9a00-28d1-437b-a0e1-3bd267a7dc8d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


(naveen bajaj) #5

I configured ldap properties in httpd.conf.

AuthLDAPBindDN "uid=nabajaj,OU=Employee,OU=Cisco
Users,DC=ds,DC=cisco,DC=com"
AuthLDAPBindPassword "password"
AuthLDAPURL "ldap://domain:389/OU=Employee,OU=Cisco
Users,DC=ds,DC=cisco,DC=com?uid?sub?(objectClass=*)"
AuthType Basic
AuthBasicProvider "ldap"
authzldapauthoritative Off
AuthName "some text for login prompt"
require valid-user

But it giving me error like

[error] [client x.x.x.x] user nabajaj: authentication failure for
"/kibana": Password Mismatch

Please help me here.

On Wednesday, 18 June 2014 19:10:47 UTC+5:30, dharmendra pratap singh wrote:

Hello Friends,
Hope yo are doing good.

In my application, I want to do the authentication in kibana using LDAP.
if anyone has done it before, please help me to come out of this.

Appreciate your help.

Regards
Dharmendra

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/7be86d2f-9c67-4ccd-92d2-37d154ecc6d8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


(system) #6