LDAP Authorization issue X-PACK

aswinkumart · July 28, 2017, 6:04pm

Hello,
I tried configuring the X-Pack LDAP authentication by adding the following to elasticsearch.yml

   xpack.security.authc.realms:
   native:
      type: native
      order: 0
   ldap1:
      type: ldap
      order: 1
      url: "ldap://<xxxxx host>:<xxxx port>"
      bind_dn: "CN=<service account name>,OU=Users - Service Accounts,OU=Administrative,DC=<groupname>,DC=xxxxxx,DC=com"
      bind_password: "sdfsdfsdfsdfs"
      user_search:
         base_dn: "<groupname>,dc=xxxxxx,dc=com"
         attribute: AccountName
      group_search:
         base_dn: "OU=Applications,OU=Groups,DC=<groupname>,DC=xxxxxx,DC=com"
      files:
          role_mapping: 'D:\ELK\elasticsearch-5.4.3\config\x-pack\role_mapping.yml'
      unmapped_groups_as_roles: false

and I also created and role-mapping.yml under /x-pack/config/role-mapping.yml

 superuser:
   - "CN=MAR-CI-Admins-S-G,OU=Applications,OU=Groups,DC=dmzprod01,DC=mrshmc,DC=com"

It works when I set the role to "superuser" but i am getting below error when I try to create custom role using kibana and then try to use it in role-mapping.yml

Config: Error 403 Forbidden: [security_exception] action [indices:data/write/update] is unauthorized for user [XXXXX_User]

aswinkumart · July 31, 2017, 4:09pm

any help here?

TimV · August 1, 2017, 12:24am

Your question provided lots of details about the things that are working, and none of the details about the things that aren't working. It is very hard to provide useful advice when the only concrete piece of information we have is that some user with some role isn't able to do update some index.

When asking questions, focus your details on the parts that aren't working:

When I do this, the user gets this error.
The user has this role.
The role has this definition.

Here's what you can do to debug the problem:

Use the authenticate API to check your users roles, and then the roles API to check the definition of those roles.

curl -XGET 'localhost:9200/_xpack/security/_authenticate?pretty' -u my_ldap_user

That will show you which roles your user has. Check that your custom role is there.

Then run this, and copy-and-paste the role name from the output of the authenticate API. About 50% of these problems are caused by typos, so make sure you directly copy the role name.

curl -XGET 'localhost:9200/_xpack/security/role/my_custom_role?pretty' -u elastic

That will show you the definition of the role.
Check what privileges the role has for the index you are trying to update.

aswinkumart · August 1, 2017, 7:24pm

Hi TimV,
Thanks for your reponse.

I tried GET /_xpack/security/role/kibana?pretty but I got {} as output - kibana is the role which I created through management -> security under Kibana application. For other users like superuser I am getting following output:

{
  "superuser": {
    "cluster": [
      "all"
    ],
    "indices": [
      {
        "names": [
          "*"
        ],
        "privileges": [
          "all"
        ]
      }
    ],
    "run_as": [
      "*"
    ],
    "metadata": {
      "_reserved": true
    },
    "transient_metadata": {
      "enabled": true
    }
  }
}

Could you please tell me why I am not able get response for the role which I created? does it mean - we can assign only system defined roles for LDAP configuration?

TimV · August 2, 2017, 12:37am

I'm afraid that whatever you did in Kibana didn't actually create a role named kibana. If that API returns {} then the role doesn't exist.

Perhaps you had a typo in the role name when you created it in Kibana, or perhaps you got an error while trying to create the role, and didn't notice.

What roles does the Kibana UI list?

aswinkumart · August 2, 2017, 1:27pm

Hello,
I kind of figured it out, If I create an role using "dev Tools" in Kibana console by suplying following command, it works -

POST /_xpack/security/role/readonly
{
  "cluster": ["all"],
  "indices": [
    {
      "names": [ "*" ],
      "privileges": ["read"]
    }
  ]
  }

however, If I create the role using management -> security It doesn't work when I configure under role-mapping.yml. Meaning, I am getting the unauthorized for user [XXXXX_User] error.

I am facing a new issue now - If I change the indices name to something else like my index name - authorization fails again - I am getting the unauthorized for user [XXXXX_User] error.

It works only if I give "*" - can you help me to understand this?

"indices": [
        {
          "names": [ "*" ],

system · August 30, 2017, 1:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.